CVE Alert: CVE-2025-11529 – n/a – ChurchCRM

CVE-2025-11529

Severity: HIGH
No exploitation known

A security flaw has been discovered in ChurchCRM up to 5.18.0. It affects the function AuthMiddleware in the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The flaw results in missing authentication (CWE-306). The attack can be executed remotely. An exploit has been released to the public and may be used. The patch is identified as commit 3a1cffd2aea63d884025949cfbcfd274d06216a4; applying it remediates the issue.

CVSS v3.1 score: 7.3
Vendor: n/a
Product: ChurchCRM
Versions: 5.0 | 5.1 | 5.2 | 5.3 | 5.4 | 5.5 | 5.6 | 5.7 | 5.8 | 5.9 | 5.10 | 5.11 | 5.12 | 5.13 | 5.14 | 5.15 | 5.16 | 5.17 | 5.18.0
CWE: CWE-306, Missing Authentication
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Published: 2025-10-09T03:02:11.993Z
Updated: 2025-10-09T03:02:11.993Z

AI Summary Analysis

Risk verdict

High risk with a publicly disclosed exploit; remediation should be expedited to reduce exposure.

Why this matters

Unauthenticated access to the API endpoint enables attackers to bypass authentication remotely, potentially exposing or altering sensitive member data and administration records. The public availability of the exploit raises the likelihood of opportunistic abuse, increasing risk of data loss, integrity compromise, or service disruption across affected deployments.

Most likely attack path

A remote attacker can reach the API Endpoint without credentials, needing only network access (no user interaction). With PR:N, UI:N, AC:L and AV:N, the bar for exploitation is low; successful access could allow enumeration or manipulation of resources within the affected ChurchCRM instance, subject to whatever other access controls remain in place.

Who is most exposed

Self-hosted ChurchCRM deployments on standard web stacks (Apache/Nginx, PHP) that are exposed to the internet or sit on inadequately segmented networks; smaller organisations with delayed patching are particularly at risk.

Detection ideas

  • Look for requests to /api routes (the ones guarded by AuthMiddleware) that succeed without an Authorization header or API key.
  • Success responses (HTTP 2xx) on protected resources that lack any authenticated context.
  • Logs showing bypassed authentication events or repeated access to sensitive endpoints from the same source.
  • Patch fingerprint: presence or absence of commit 3a1cffd2…
  • Sudden spikes in failed/blocked authentication attempts followed by successful API access.
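As an added example, not part of this alert: a small Python filter over constructed access-log lines that implements the first two detection ideas (2xx on a protected API path with no authenticated context) and aggregates hits per source. It assumes the web server has been configured to log, as a JSON field `has_auth`, whether the request carried an Authorization or API-key header; default combined-format access logs do not record that, and the `/api/...` paths are placeholders.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample records (not real ChurchCRM logs). The "has_auth" field is
# assumed to come from a custom access-log format that records whether an
# Authorization or API-key header was present on the request.
SAMPLE_LOG = """
{"ts":"2025-10-09T04:00:01Z","src":"203.0.113.7","method":"GET","path":"/api/people","status":200,"has_auth":false}
{"ts":"2025-10-09T04:00:02Z","src":"198.51.100.4","method":"GET","path":"/api/people","status":200,"has_auth":true}
{"ts":"2025-10-09T04:00:03Z","src":"203.0.113.7","method":"POST","path":"/api/persons/1/edit","status":200,"has_auth":false}
{"ts":"2025-10-09T04:00:04Z","src":"203.0.113.7","method":"GET","path":"/api/events","status":401,"has_auth":false}
{"ts":"2025-10-09T04:00:05Z","src":"192.0.2.9","method":"GET","path":"/Login.php","status":200,"has_auth":false}
"""

# Route prefixes that AuthMiddleware is expected to guard (assumed).
PROTECTED_PREFIXES = ("/api/",)


@dataclass
class Finding:
    ts: str
    src: str
    method: str
    path: str


def is_suspicious(rec: dict) -> bool:
    """True when a protected path answered 2xx without any authenticated context."""
    path = rec.get("path", "")
    status = rec.get("status", 0)
    return (path.startswith(PROTECTED_PREFIXES)
            and 200 <= status < 300
            and not rec.get("has_auth", False))


def scan(log_text: str) -> list:
    """Parse JSON-per-line access log text and return the suspicious records."""
    findings = []
    for line in log_text.strip().splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if is_suspicious(rec):
            findings.append(Finding(rec["ts"], rec["src"], rec["method"], rec["path"]))
    return findings


def sources_by_count(findings: list) -> Counter:
    """Aggregate hits per source address so repeated offenders surface first."""
    return Counter(f.src for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} {f.method} {f.path}  <- 2xx on protected path, no auth")
    print(sources_by_count(hits).most_common())
```

Rejected requests (401/403) are deliberately ignored here; a burst of those followed by a hit from the same source is the last bullet's pattern and would be a separate correlation over the same records.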

Mitigation and prioritisation

  • Apply the official patch to implement authentication checks (upgrade to 5.18.0+ or apply patch 3a1cffd2…).
  • If patching is delayed, tighten network controls: restrict API exposure, require VPN, or implement a robust WAF with strict auth enforcement.
  • Verify patch in staging, then roll out to all affected versions across environments; perform post-implementation testing of API auth behaviour.
  • Rotate credentials and review API keys if exposed; enable auditing on sensitive endpoints.
  • Treat as priority 1 if KEV/EPSS indicators confirm active exploitation; otherwise proceed with urgent but staged remediation.
