Faith-Based Daily Awareness Post 15 December 2025

Faith-Based Security Headlines

These updates are shared to help raise the situational awareness of Faith-Based organizations to best defend against and mitigate the impacts from all-hazards threats including physical security, cybersecurity, and natural disasters.


ChurchCRM


CVE-2025-68112 is a critical SQL injection vulnerability in the ChurchCRM open-source church management system’s EditEventAttendees.php functionality, allowing an authenticated user to execute arbitrary SQL commands that can lead to full database compromise, credential theft, and system takeover; this issue is resolved by upgrading to ChurchCRM 6.5.3 or later.

CVE-2025-68401 is a medium-severity stored cross-site scripting (XSS) flaw, also in ChurchCRM, where insufficient sanitization of user-supplied HTML/JavaScript enables attackers to inject scripts that execute in other users’ browsers, potentially enabling session theft and account takeover; it is fixed in ChurchCRM 6.0.0 or later.

Finally, CVE-2025-67874 (per the NVD) is an information disclosure vulnerability in ChurchCRM versions prior to 6.5.0 that causes the application to echo plaintext passwords back in HTTP responses, increasing the risk of credential theft and aiding other exploits; this issue is addressed by upgrading to version 6.5.0 or newer.


Analyst Comments: ChurchCRM is an open-source church management system widely used by faith-based organizations to manage sensitive operational data, including member records, attendance, donations, credentials, and internal communications. Because platforms like ChurchCRM often sit at the center of day-to-day operations and store personally identifiable and financial information, unpatched vulnerabilities can have outsized consequences, ranging from data breaches and account compromise to broader system takeover. Timely patching is especially critical for small and mid-sized nonprofits that may lack dedicated security staff, as known vulnerabilities are routinely scanned for and exploited by opportunistic attackers once public CVEs are released.


Collectively, these vulnerabilities highlight a recurring risk pattern for nonprofit and religious organizations that rely on self-hosted, open-source applications: security flaws often require authenticated access, meaning exploitation may stem from compromised low-privilege accounts, insider misuse, or credential reuse rather than purely external attacks. Organizations using ChurchCRM should not only apply the latest updates but also review access controls, enforce strong password and MFA policies where possible, and monitor logs for unusual administrative or database activity, as exploitation could directly impact trust, donor confidence, and continuity of community services.
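For administrators who want a quick way to tell whether their installation is still exposed to the three CVEs above, the following is an added example (not code from the original post or from the ChurchCRM project). The fixed-version thresholds are exactly those stated in this post; the version-string format it accepts ("6.5.2", "v6.5", "6.5.3-rc1") is an assumption, and a pre-release suffix is deliberately treated as older than the matching release so that a release candidate is never reported as patched.

```python
"""Check an installed ChurchCRM version against the CVEs listed in this post.

Added example for this awareness post; not part of ChurchCRM itself.
Fixed-version thresholds are taken from the post above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    summary: str
    fixed_in: tuple  # (major, minor, patch, 0) of the first release with the fix


# Thresholds as stated in the post: 6.5.3, 6.0.0 and 6.5.0 respectively.
ADVISORIES = (
    Advisory("CVE-2025-68112", "SQL injection in EditEventAttendees.php (authenticated)", (6, 5, 3, 0)),
    Advisory("CVE-2025-68401", "stored cross-site scripting", (6, 0, 0, 0)),
    Advisory("CVE-2025-67874", "plaintext password echoed in HTTP responses", (6, 5, 0, 0)),
)


def parse_version(text: str) -> tuple:
    """Turn '6.5.2', 'v6.5' or '6.5.3-rc1' into a comparable 4-tuple.

    Missing numeric components are treated as 0. A pre-release suffix after '-'
    yields a trailing -1, so '6.5.3-rc1' sorts below '6.5.3' and is still
    reported as exposed (assumed format; adjust if your deployment tags differ).
    """
    stripped = text.strip().lstrip("vV")
    core, _, suffix = stripped.partition("-")
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unrecognised version string: {text!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]) + ((-1,) if suffix else (0,))


def outstanding_advisories(installed: str) -> list:
    """Return the CVE ids from this post that the installed version is still exposed to."""
    version = parse_version(installed)
    return [a.cve for a in ADVISORIES if version < a.fixed_in]


def minimum_safe_version() -> str:
    """Smallest release that clears every advisory listed here."""
    newest = max(a.fixed_in for a in ADVISORIES)
    return ".".join(str(n) for n in newest[:3])


def report(installed: str) -> str:
    """One-line summary suitable for a patch-status checklist."""
    open_cves = outstanding_advisories(installed)
    if not open_cves:
        return f"ChurchCRM {installed}: not affected by the CVEs listed in this post"
    return (f"ChurchCRM {installed}: still exposed to {', '.join(open_cves)}; "
            f"upgrade to {minimum_safe_version()} or later")


if __name__ == "__main__":
    # Constructed sample versions, not real deployments.
    for sample in ("5.13.0", "6.0.0", "6.5.0", "6.5.2", "6.5.3-rc1", "6.5.3", "v6.6"):
        print(report(sample))
```

Run it with the version shown in your ChurchCRM admin page; a result of "still exposed" means the upgrade to 6.5.3 or later recommended above has not yet been applied.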


Outgoing GAO chief warns of ‘taking our foot off the gas’ at CISA


Retiring Government Accountability Office (GAO) Comptroller General Gene Dodaro warned lawmakers that federal cybersecurity and critical infrastructure protection aren’t receiving sufficient urgency, leaving the United States exposed to evolving cyber threats, and emphasized the need for stronger leadership and momentum at the Cybersecurity and Infrastructure Security Agency (CISA). Dodaro testified before the Senate Homeland Security and Governmental Affairs Committee that CISA has lost about a third of its workforce amid budget and staffing challenges, that hundreds of GAO’s cybersecurity recommendations remain unimplemented, and that confirming a permanent CISA director is essential to restoring focus and effectiveness. He also highlighted concern about the agency’s capacity to support election security ahead of the midterms while managing broader infrastructure threats — remarks that drew bipartisan attention to the risks of losing traction on critical cyber priorities as adversary activity continues to grow.


Analyst Comments: At the same time, it is worth noting that without an effective and adequately resourced CISA, the broader ISAC and information-sharing framework becomes significantly more precarious. CISA plays a central convening and coordination role, helping normalize threat reporting, deconflict incidents, and translate federal intelligence into actionable guidance for sector partners. Persistent workforce losses, leadership gaps, or reduced authority at CISA risk weakening trust, slowing information flow, and creating uneven coverage across sectors, particularly for smaller and under-resourced organizations that rely heavily on CISA and ISACs as their primary source of timely threat intelligence and coordination.


TLP:CLEAR – Guard Your Good Cheer from Holiday Scams


This post was originally shared with GRIP subscribers on 16 December 2025 and is being shared here for broader seasonal threat awareness. As FB-ISAO executive director Jennifer Lyn Walker wrote, “As the holiday shopping season is underway, we’d like to take this opportunity to share a reminder about being extra vigilant of those ‘too good to be true’ and other scams and spam attempting to hustle and bustle our better judgement. Shopping scams come in multiple forms, from suspicious sites, phishing emails, or malicious ads offering items at “inconceivable” discounts, to fake delivery notifications threatening you’ll miss that important holiday delivery. One of the top holiday shopping threats comes from scammers impersonating big name brands.”


  • Like the Grinch who stole Christmas, cybercriminals long for this time of year, to steal money and information from those of good cheer.
  • Holidays are a great time of year to remind less security-minded and threat-aware family and friends – from our children to our elderly neighbors and everyone in between – about the scams and why miscreants target them all year long.
  • According to Malwarebytes, holiday scams are a daily occurrence hitting 27% of people on social media and 15% on marketplaces each day.
  • Mastercard reports that nearly half of consumers admit they are likely to ignore security warnings if the item is deeply discounted.
  • To guard your good cheer from grinches, verify before you buy, shop from secure devices, keep an eye on your bank/credit card accounts, and remind older loved ones to be vigilant all year long.


More Security-Focused Content

The FB-ISAO’s sponsor Gate 15 publishes a daily newsletter called the SUN. Curated from their open source intelligence collection process, the SUN informs leaders and analysts with the critical news of the day and provides a holistic look at the current global, all-hazards threat environment. Ahead of the daily news cycle, the SUN allows current situational awareness into the topics that will impact your organization.