CVE · Published 2025-12-17 · 1 article on news · 6 live references · NVD data

CVE-2025-68109

Vulnerability data via CVEDB (Shodan)

CVSS v3.1: 9.1 (CRITICAL)

EPSS percentile: 69 (Exploit Prediction Scoring System · top 31% of all CVEs)
Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

Timeline
Published 2025-12-17

Search for exposed instances

Shodan and Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product and banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Known PoCs on GitHub

No public proof-of-concept repositories found for CVE-2025-68109 on GitHub.