CVE-2025-62521

ChurchCRM · Multiple Products

A critical remote code execution vulnerability exists in the setup process of the ChurchCRM management system.

Executive summary

A critical remote code execution vulnerability exists in the setup process of the ChurchCRM management system. This flaw allows an unauthenticated attacker to inject malicious code during the initial installation, leading to a complete compromise of the underlying server. Because this vulnerability can be exploited before any security configurations or user accounts are established, it represents a severe and immediate risk to any new deployment of the affected software.

Vulnerability

This is a pre-authentication remote code execution (RCE) vulnerability that occurs during the initial setup wizard. The flaw resides in the setup/routes/setup.php file, which fails to validate or sanitize user-provided input from the setup form. An unauthenticated attacker can submit a specially crafted request to the setup page, injecting arbitrary PHP code into any of the configuration parameters. This malicious input is then written directly into the Include/Config.php file, which is executed on every subsequent page load, granting the attacker persistent code execution on the server with the privileges of the web service.
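The bug class above in miniature, as an added PHP example that is not ChurchCRM's setup code: a config writer that interpolates submitted setup values into PHP source next to one that allowlists the keys, validates each value and emits it with var_export(). The variable names, the allowlist patterns and the payload are assumptions for the illustration; the tokenizer check at the end shows that the vulnerable output contains a function call while the hardened output contains only string literals.

```php
<?php
// Added illustration of the bug class, not ChurchCRM's own setup code. The
// variable names, the allowlist and the payload below are assumptions.

// Vulnerable writer: each submitted value is dropped straight into PHP source.
// A value containing a single quote closes the string literal, and whatever
// follows is parsed as code the next time the generated file is included.
function writeConfigVulnerable(array $values): string
{
    $out = "<?php\n";
    foreach ($values as $name => $value) {
        $out .= "\$$name = '$value';\n";
    }
    return $out;
}

// Hardened writer: only allowlisted keys are written, each value must match an
// expected shape, and var_export() emits a correctly escaped PHP literal so no
// value can terminate the string and start a statement.
function writeConfigSafe(array $values): string
{
    $allowed = [
        'dbServer'   => '/^[A-Za-z0-9.\-]{1,253}$/',
        'dbName'     => '/^\w{1,64}$/',
        'dbUser'     => '/^\w{1,32}$/',
        'dbPassword' => '/^[^\x00-\x1F]{1,128}$/',   // printable only; quotes are allowed
    ];
    $out = "<?php\n";
    foreach ($allowed as $name => $pattern) {
        $value = $values[$name] ?? null;
        if (!is_string($value) || !preg_match($pattern, $value)) {
            throw new InvalidArgumentException("invalid setup value for $name");
        }
        $out .= '$' . $name . ' = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

// Tokenize generated source and count function calls: a T_STRING token followed
// (ignoring whitespace) by an opening parenthesis. A config file should have none.
function countFunctionCalls(string $src): int
{
    $tokens = token_get_all($src);
    $count  = 0;
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || $tok[0] !== T_STRING) {
            continue;
        }
        for ($j = $i + 1; $j < count($tokens); $j++) {
            if (is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                continue;
            }
            if ($tokens[$j] === '(') {
                $count++;
            }
            break;
        }
    }
    return $count;
}

// Constructed setup submission: the password field carries a breakout payload.
$submission = [
    'dbServer'   => 'localhost',
    'dbName'     => 'churchcrm',
    'dbUser'     => 'crm',
    'dbPassword' => "x'; system(\$_GET['c']); //",
];

$vulnerable = writeConfigVulnerable($submission);
$hardened   = writeConfigSafe($submission);

echo "vulnerable config:\n$vulnerable";
echo "function calls: " . countFunctionCalls($vulnerable) . "\n\n";
echo "hardened config:\n$hardened";
echo "function calls: " . countFunctionCalls($hardened) . "\n";
```

Run it with php on the command line. The payload passes the hardened writer's shape check (it is printable and short), which is the point: validation alone does not make source generation safe, the escaping does. The vulnerable file tokenizes to one call (system), the hardened file to zero, because var_export turns the embedded quote into \' and the whole value stays a single string literal.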

Business impact

This vulnerability is rated as critical severity with a CVSS score of 10, representing the highest possible risk. Successful exploitation grants an attacker complete control over the web server, allowing for the theft of sensitive data (such as congregation member information), deployment of ransomware, defacement of the website, or use of the compromised server to launch further attacks against the internal network. The pre-authentication nature of the flaw means that any internet-exposed ChurchCRM instance undergoing installation is a target, posing a significant risk to data confidentiality, integrity, and availability.

Remediation

Immediate Action: Upgrade all instances of ChurchCRM to version 5.21.0 or later, which contains the fix for this vulnerability. On any instance that was installed while an affected version was current, inspect Include/Config.php for anything the setup wizard would not have written (code beyond plain configuration assignments) and, if any is found, treat the server as compromised.

Proactive Monitoring: Monitor web server access logs for POST requests to the /setup/ directory or setup/routes/setup.php, especially those arriving after installation has completed or from addresses outside the administrators' range. Implement file integrity monitoring on critical application files such as Include/Config.php to detect unauthorized modifications. Monitor for unexpected outbound network connections or child processes originating from the web server process.
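The log and file checks in this paragraph, as an added PHP (8.x) example that is not part of the page or of ChurchCRM: it parses combined-format access log lines, flags setup POSTs from outside a trusted administrator range, and checks a Config.php body against a recorded SHA-256 baseline and a short list of functions a generated config should never call. The trusted range, the log lines, the baseline and both config bodies are constructed for the example.

```php
<?php
// Added triage helpers for the monitoring advice above, not part of ChurchCRM.
// The log lines, the trusted admin range and the baseline hash are constructed.

// Trusted range for the example; any other source POSTing to the setup wizard is flagged.
const TRUSTED_ADMIN_CIDR = '10.0.0.0/8';

function ipInCidr(string $ip, string $cidr): bool
{
    [$network, $bits] = explode('/', $cidr, 2);
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    $addr = ip2long($ip);
    $net  = ip2long($network);
    return $addr !== false && $net !== false && (($addr & $mask) === ($net & $mask));
}

// Parse a combined/common log format line into the fields the checks need.
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Flag POSTs to the setup routes that come from outside the trusted admin range.
function flagSetupPosts(array $lines, string $trustedCidr = TRUSTED_ADMIN_CIDR): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parseAccessLine($line);
        if ($req === null || $req['method'] !== 'POST') {
            continue;
        }
        $path = parse_url($req['path'], PHP_URL_PATH);
        if (!is_string($path)) {
            $path = $req['path'];
        }
        if (preg_match('#^/setup(/|$)#', $path) && !ipInCidr($req['ip'], $trustedCidr)) {
            $hits[] = $req;
        }
    }
    return $hits;
}

// Integrity check for Include/Config.php: compare against the SHA-256 recorded
// right after a known-good install, and look for constructs a generated config
// file should never contain.
function inspectConfig(string $contents, string $baselineSha256): array
{
    $findings = [];
    if (!hash_equals($baselineSha256, hash('sha256', $contents))) {
        $findings[] = 'content differs from recorded baseline';
    }
    if (substr_count($contents, '<?php') > 1 || strpos($contents, '<?=') !== false) {
        $findings[] = 'unexpected PHP open tag';
    }
    $dangerous = '/\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|base64_decode|gzinflate)\s*\(/i';
    if (preg_match($dangerous, $contents, $m)) {
        $findings[] = 'suspicious call: ' . $m[1];
    }
    return $findings;
}

// Constructed access log: a legitimate install from the admin range, then a
// setup POST from an untrusted address.
$logLines = [
    '10.0.0.5 - - [10/Oct/2025:10:00:00 +0000] "POST /setup/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:10:05:12 +0000] "POST /setup/ HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Oct/2025:10:05:20 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/8.4.0"',
];
foreach (flagSetupPosts($logLines) as $hit) {
    echo "setup POST from untrusted {$hit['ip']} at {$hit['time']} -> {$hit['path']} ({$hit['status']})\n";
}

// Constructed Config.php bodies: the recorded baseline and a tampered copy.
$cleanConfig    = "<?php\n\$dbServer = 'localhost';\n\$dbPassword = 's3cret';\n";
$baseline       = hash('sha256', $cleanConfig);
$tamperedConfig = "<?php\n\$dbServer = 'localhost';\n\$dbPassword = 'x'; system(\$_GET['c']); //';\n";

foreach ([['clean', $cleanConfig], ['tampered', $tamperedConfig]] as [$label, $contents]) {
    $findings = inspectConfig($contents, $baseline);
    echo "$label Config.php: " . ($findings ? implode('; ', $findings) : 'no findings') . "\n";
}
```

In a real deployment the baseline hash is recorded immediately after a verified install and stored off the web server, the log lines come from the access log, and flagSetupPosts should also be run with no trusted range at all once installation is complete, since there is no legitimate reason for setup POSTs afterwards.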

Compensating Controls: If immediate patching is not feasible, implement the following controls:

  • Immediately after a successful installation, delete or remove access to the entire /setup directory.
  • Use a Web Application Firewall (WAF) with rules to inspect and block requests containing PHP syntax or command injection payloads targeting the setup form.
  • Restrict access to the setup page at the web server or network level to only trusted administrator IP addresses.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 10 and the ease of exploitation, this vulnerability requires immediate attention. We strongly recommend that all organizations using ChurchCRM apply the patch by upgrading to version 5.21.0 or later without delay. Although this CVE is not currently listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion. Any organization that has recently installed an affected version should treat their server as potentially compromised and initiate incident response procedures.