
CVE-2025-68109: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in ChurchCRM CRM

Critical
Published: Wed Dec 17 2025 (12/17/2025, 21:29:39 UTC)
Source: CVE Database V5
Vendor/Project: ChurchCRM
Product: CRM

Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

AI-Powered Analysis

AI analysis last updated: 12/17/2025, 21:52:07 UTC

Technical Analysis

CVE-2025-68109 affects ChurchCRM, an open-source church management system, specifically versions before 6.5.3. The vulnerability arises from improper validation in the Database Restore feature, which allows authenticated users to upload arbitrary files without checking file content or extension. Attackers can exploit this by uploading a malicious web shell file followed by a .htaccess file to enable direct web access to the shell. Once accessed, the web shell grants remote code execution (RCE) capabilities on the server, allowing attackers to execute arbitrary OS commands. This vulnerability is categorized under multiple CWEs including CWE-78 (OS Command Injection), CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-494 (Download of Code Without Integrity Check), CWE-552 (Files or Directories Accessible to External Parties), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes). The CVSS v3.1 score of 9.1 reflects a critical severity with network attack vector, low attack complexity, high privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. Although no exploits have been observed in the wild yet, the vulnerability poses a significant risk to affected installations. The fix was introduced in ChurchCRM version 6.5.3, which implements proper validation and restrictions on file uploads to prevent such abuse.

Potential Impact

For European organizations using ChurchCRM, this vulnerability could lead to full system compromise of the CRM server. Attackers gaining RCE can exfiltrate sensitive personal and organizational data, modify or delete records, disrupt church operations, and potentially pivot to other internal systems. The impact extends to confidentiality breaches of member information, integrity loss of critical data, and availability disruption of church management services. Given the sensitive nature of data managed by ChurchCRM (personal details, donation records, event information), exploitation could result in reputational damage and legal consequences under GDPR. Organizations relying on ChurchCRM servers exposed to the internet or insufficiently segmented networks are particularly vulnerable. The requirement for high privileges limits exploitation to insiders or compromised accounts but does not eliminate risk, especially if credential theft or phishing occurs. The lack of known exploits in the wild suggests a window for proactive patching and mitigation before widespread attacks emerge.

Mitigation Recommendations

European organizations should immediately upgrade ChurchCRM installations to version 6.5.3 or later to apply the official patch. Until upgraded, restrict access to the Database Restore functionality to the minimum number of trusted administrators and enforce strong authentication mechanisms such as multi-factor authentication. Implement strict file upload validation at the web server and application layers, including whitelisting allowed file types and scanning uploads for malicious content. Disable or tightly control the use of .htaccess files to prevent enabling unauthorized script execution. Monitor web server logs and file directories for unusual uploads or access patterns indicative of web shell deployment. Employ network segmentation to isolate ChurchCRM servers from critical infrastructure and limit outbound connections to reduce attacker lateral movement. Regularly audit user privileges and revoke unnecessary administrative rights. Consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious file upload attempts and command injection payloads. Finally, maintain up-to-date backups and test restore procedures to recover quickly from potential compromises.
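The upload validation the recommendations call for, shown as an added example in Python (this is not ChurchCRM's code, and the accepted formats, the extension and magic-byte checks, and the sample file names are assumptions made for the example). It applies the checks the advisory implies are missing: a file-name allowlist that no dotfile such as .htaccess can pass, a ban on script extensions anywhere in the name, a magic-byte check before any decompression, and inspection of archive members so a web shell cannot ride inside a zip:

```python
"""Defensive validation for a database-restore upload (added example, not project code)."""
import gzip
import io
import os
import re
import zipfile
from typing import Optional

# Assumed accepted formats for a restore upload (not taken from ChurchCRM):
# a plain SQL dump, a gzip-compressed dump, or a zip archive of .sql files.
ALLOWED_SUFFIXES = (".sql", ".sql.gz", ".zip")
# Script extensions rejected anywhere in the name: with an AddHandler-style
# PHP configuration, Apache can execute "x.php.sql" as PHP.
SCRIPT_PARTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "py", "sh"}
# A safe basename starts with an alphanumeric, so dotfiles (.htaccess) never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
GZIP_MAGIC = b"\x1f\x8b"
ZIP_MAGIC = b"PK\x03\x04"


def _name_problem(name: str) -> Optional[str]:
    """Return why a client-supplied name is unacceptable, or None if it passes."""
    if os.path.basename(name) != name or not SAFE_NAME.match(name):
        return "unsafe filename"
    if any(part in SCRIPT_PARTS for part in name.lower().split(".")[1:]):
        return "script extension in name"
    return None


def _check_dump(payload: bytes) -> tuple:
    """A dump must be UTF-8 text; a PHP open tag is treated as a red flag."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return False, "dump is not UTF-8 text"
    if "<?php" in text.lower() or "<?=" in text:
        return False, "dump contains a PHP open tag"
    return True, "ok"


def validate_restore_upload(filename: str, data: bytes) -> tuple:
    """Decide whether an uploaded restore file may be accepted.
    Neither the client's file name nor its Content-Type is trusted on its own."""
    problem = _name_problem(filename)
    if problem:
        return False, problem
    lower = filename.lower()
    if not lower.endswith(ALLOWED_SUFFIXES):
        return False, "extension not allowed"
    if lower.endswith(".sql.gz"):
        if not data.startswith(GZIP_MAGIC):
            return False, "content is not gzip"
        try:
            return _check_dump(gzip.decompress(data))
        except (OSError, EOFError):
            return False, "corrupt gzip"
    if lower.endswith(".zip"):
        if not data.startswith(ZIP_MAGIC):
            return False, "content is not zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = info.filename
                    if member.startswith("/") or ".." in member.split("/"):
                        return False, f"archive member escapes directory: {member}"
                    base = os.path.basename(member)
                    if not base:
                        continue  # directory entry
                    if _name_problem(base) or not base.lower().endswith(".sql"):
                        return False, f"disallowed archive member: {member}"
                    ok, why = _check_dump(zf.read(info))
                    if not ok:
                        return False, f"{member}: {why}"
        except zipfile.BadZipFile:
            return False, "corrupt zip"
        return True, "ok"
    return _check_dump(data)


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from constructed members for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the advisory's two-step abuse (script, then .htaccess),
# a double-extension variant, and legitimate dumps. None are real project files.
SAMPLES = {
    "shell.php": b"<?php system($_GET['c']); ?>",
    ".htaccess": b"AddType application/x-httpd-php .jpg\n",
    "shell.php.sql": b"<?php echo 1; ?>",
    "dump.sql": b"CREATE TABLE person_per (per_ID INT);\n",
    "dump.sql.gz": gzip.compress(b"INSERT INTO person_per VALUES (1);\n"),
    "bundle.zip": make_zip({"dump.sql": b"SELECT 1;\n"}),
    "evil.zip": make_zip({"dump.sql": b"SELECT 1;\n", "x.php": b"<?php ?>"}),
    "traversal.zip": make_zip({"../dump.sql": b"SELECT 1;\n"}),
}


def run_samples() -> dict:
    """Map each constructed sample name to its accept/reject verdict."""
    return {name: validate_restore_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, accepted in run_samples().items():
        print(f"{name:16} -> {'accept' if accepted else 'reject'}")
```

The name and extension rules are the primary control here; the PHP-tag scan of dump contents is defence in depth and can produce false positives on dumps whose data legitimately contains that text. Whatever the application accepts should also be written under a directory that the web server does not serve, or where AllowOverride is set to None so an uploaded .htaccess has no effect, which closes the second step of the abuse described above even if the first check is bypassed.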


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-12-15T14:44:59.220Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6943229bfab815a9fc1fb3e3

Added to database: 12/17/2025, 9:37:31 PM

Last enriched: 12/17/2025, 9:52:07 PM

Last updated: 12/18/2025, 8:10:06 AM
