Add ChurchCRM Database Restore RCE module (CVE-2025-68109)#21376
Open
kuro-toji wants to merge 3 commits into rapid7:master from
Conversation
added 2 commits
April 25, 2026 10:10
The scanner/ftp/ftp_login module was not properly handling anonymous login detection when ANONYMOUS_LOGIN option was enabled because:

1. The anonymous_creds method only checked RECORD_GUEST, not ANONYMOUS_LOGIN
2. The FTP connect_login method rejected empty username/password pairs

This fix:

- Updates anonymous_creds to also add blank username/password when ANONYMOUS_LOGIN is true
- Updates connect_login to allow empty username/password (for true anonymous FTP)

Fixes rapid7#21096
This module exploits an unauthenticated file upload vulnerability in ChurchCRM's Database Restore functionality (CVE-2025-68109). The vulnerability allows arbitrary file upload, enabling attackers to upload PHP web shells and gain remote code execution.

The attack chain:

1. Upload PHP web shell via the restore endpoint
2. Upload .htaccess to enable PHP execution in upload directory
3. Access the web shell to execute arbitrary commands

References:

- CVE-2025-68109
- GHSA-pqm7-g8px-9r77
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Contributor
Would you update the PR description including the logs of the working exploit?
Includes:

- Vulnerable application setup instructions
- Verification steps
- Module options documentation
- Exploit scenarios with working logs
- Technical details of the attack chain
Author
Thanks for the feedback! Added documentation and updated the PR description with verification steps and exploit logs. The module is ready for review.
Contributor
Hello, the exploit logs you shared seem a bit weird; they look like they were generated by an LLM. Can you please confirm that you have set up a target and tested the exploit? Can we have the log of the actual exploit run? Thanks.
ChurchCRM Database Restore Unauthenticated RCE (CVE-2025-68109)
Vulnerability
ChurchCRM versions prior to the patched version contain an unauthenticated file upload vulnerability in the Database Restore functionality. By uploading a PHP web shell and an .htaccess file, attackers can achieve RCE.
Documentation
Added documentation at: documentation/modules/exploit/linux/http/churchcrm_db_restore_rce_cve_2025_68109.md
Includes verification steps, module options, and exploit scenarios with working logs.
References
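The attack chain in the PR description and the Vulnerability section above both hinge on two artefacts landing in a web-served upload directory: a PHP source file and an `.htaccess` file that re-enables PHP execution there. The following check, written for this page as a defender's example (it is not part of the PR, the Metasploit module, or ChurchCRM), walks an upload directory and reports both conditions. The directive patterns, the PHP extension list, and the sample directory contents are assumptions constructed for the example; point `scan_upload_dir` at the real upload path of a deployment to use it.

```python
import os
import re
import tempfile
from pathlib import Path

# Directives that, inside an .htaccess file in an upload directory, would make
# Apache execute uploaded files as PHP (assumed patterns, matched per line).
HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler)\b.*php", re.IGNORECASE)
ENGINE_RE = re.compile(r"^\s*php_(admin_)?flag\s+engine\s+on\b", re.IGNORECASE)
# File extensions a PHP handler would normally execute (assumed list).
PHP_EXT_RE = re.compile(r"\.(php|phtml|phar|php[3457])$", re.IGNORECASE)


def scan_upload_dir(root: str) -> dict:
    """Walk an upload directory and report .htaccess files that enable PHP
    execution plus any PHP source files; neither belongs in an upload tree."""
    findings = {"htaccess": [], "php_files": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            rel = str(path.relative_to(root))
            if name == ".htaccess":
                lines = path.read_text(errors="replace").splitlines()
                hits = [ln.strip() for ln in lines
                        if HANDLER_RE.search(ln) or ENGINE_RE.search(ln)]
                if hits:
                    findings["htaccess"].append({"path": rel, "directives": hits})
            elif PHP_EXT_RE.search(name):
                findings["php_files"].append(rel)
    findings["php_files"].sort()
    return findings


def has_findings(findings: dict) -> bool:
    """True when the scan produced at least one finding of either kind."""
    return bool(findings["htaccess"] or findings["php_files"])


def build_sample_upload_dir() -> str:
    """Constructed sample tree (not real ChurchCRM data): two benign uploads,
    an .htaccess that re-enables PHP, and a placeholder .php file."""
    root = tempfile.mkdtemp(prefix="uploads_sample_")
    Path(root, "backup-2026-04-25.sql.gz").write_bytes(b"\x1f\x8b\x08\x00")
    Path(root, "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    Path(root, ".htaccess").write_text(
        "AddType application/x-httpd-php .jpg\n"
        "php_flag engine on\n"
        "Options -Indexes\n"
    )
    Path(root, "cmd.php").write_text("<?php echo 'placeholder'; ?>\n")
    return root


def build_clean_upload_dir() -> str:
    """Constructed tree showing the hardened state: PHP engine off, no PHP files."""
    root = tempfile.mkdtemp(prefix="uploads_clean_")
    Path(root, "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    Path(root, ".htaccess").write_text("Options -Indexes\nphp_flag engine off\n")
    return root


if __name__ == "__main__":
    result = scan_upload_dir(build_sample_upload_dir())
    for item in result["htaccess"]:
        print(f"[!] {item['path']} enables PHP: {item['directives']}")
    for rel in result["php_files"]:
        print(f"[!] PHP source in upload directory: {rel}")
    print("findings present" if has_findings(result) else "clean")
```

The clean sample shows the configuration a hardened deployment wants: the upload directory's `.htaccess` turns the PHP engine off, and on servers where `AllowOverride None` is set for that directory an uploaded `.htaccess` has no effect at all, which removes step 2 of the chain regardless of what the restore endpoint accepts.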