CVE-2025-68110 is a critical information disclosure vulnerability identified in the open-source ChurchCRM church management system. Versions prior to 6.5.3 improperly handle error messages, which can leak sensitive database connection details including the database host, IP address, username, and password. This vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-209 (Information Exposure Through an Error Message). The flaw can be exploited remotely without user interaction by an attacker with low privileges, as indicated by the CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The exposure of database credentials can lead to full compromise of the backend database, enabling attackers to read, modify, or delete sensitive data, and potentially pivot to other parts of the network. The vulnerability affects confidentiality, integrity, and availability of the system, making it critical. Although no exploits have been reported in the wild yet, the severity and ease of exploitation make it a high priority for patching. The fix was released in version 6.5.3, which properly sanitizes error messages to prevent leakage of sensitive information.

For European organizations using ChurchCRM, this vulnerability poses a significant risk to sensitive personal and organizational data managed within the CRM. Exposure of database credentials can lead to unauthorized access to member information, donation records, and other confidential data, potentially violating GDPR and other privacy regulations. The integrity of data can be compromised through unauthorized modifications, and availability may be impacted if attackers disrupt the database service. The reputational damage and regulatory penalties from such a breach could be severe. Since ChurchCRM is used by religious and community organizations, the impact extends beyond financial loss to trust erosion within communities. The vulnerability also increases the attack surface for lateral movement within networks, especially if the database credentials provide access to other internal systems.

The primary mitigation is to upgrade ChurchCRM installations to version 6.5.3 or later, which addresses the vulnerability by sanitizing error messages. Organizations should immediately audit their current version and apply the patch if needed. Additionally, restrict access to error messages by configuring web server and application settings to avoid detailed error disclosures to unauthorized users. Implement network segmentation to isolate the CRM and database servers from broader network access. Enforce strong database credential management, including changing exposed credentials post-incident and using least privilege principles. Monitor logs for unusual access patterns or repeated error message triggers that could indicate exploitation attempts. Consider deploying Web Application Firewalls (WAFs) to detect and block suspicious requests targeting error message disclosures. Finally, conduct regular security assessments and penetration testing to identify similar information disclosure issues.