CVE-2025-68110: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in ChurchCRM CRM
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-68110 is a critical security vulnerability affecting ChurchCRM, an open-source church management system widely used for managing congregation data and church operations. The vulnerability exists in versions prior to 6.5.3 and involves the exposure of sensitive database connection information through error messages generated by the application. Specifically, when an error occurs, the system may disclose the database host, IP address, username, and password in the error output. This information disclosure is classified under CWE-200 (Exposure of Sensitive Information) and CWE-209 (Information Exposure Through an Error Message). The vulnerability has a CVSS 3.1 base score of 10.0, reflecting its critical severity. The vector metrics indicate that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), requiring only low privileges (PR:L) and no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), as exposure of database credentials can lead to unauthorized access, data manipulation, and service disruption. Although no exploits are currently known in the wild, the nature of the vulnerability makes it highly attractive for attackers. The fix was introduced in ChurchCRM version 6.5.3, which removes sensitive information from error messages. Organizations running affected versions should prioritize upgrading to mitigate the risk.
Potential Impact
For European organizations using ChurchCRM, this vulnerability poses a significant risk of unauthorized access to sensitive church and congregational data. Exposure of database credentials can lead to full compromise of the CRM system, allowing attackers to steal personal data, modify records, or disrupt church operations. This can result in reputational damage, legal liabilities under GDPR due to personal data breaches, and operational downtime. Since ChurchCRM is used by many religious organizations across Europe, especially in countries with large Christian populations, the impact could be widespread. Attackers exploiting this vulnerability could also use the exposed credentials to pivot to other internal systems if network segmentation is weak. The critical severity and ease of exploitation mean that even low-privileged insiders or external attackers with network access could leverage this flaw. The absence of known exploits in the wild currently provides a window for proactive mitigation.
Mitigation Recommendations
1. Immediately upgrade all ChurchCRM installations to version 6.5.3 or later, where the vulnerability is fixed.
2. Restrict access to the CRM system and its error messages by implementing network-level controls such as firewalls and VPNs to limit exposure to trusted users only.
3. Configure the application and web server to suppress detailed error messages in production environments to prevent leakage of sensitive information.
4. Rotate database credentials used by ChurchCRM after patching to invalidate any potentially exposed secrets.
5. Implement monitoring and alerting for unusual access patterns or failed login attempts to detect potential exploitation attempts early.
6. Conduct regular security audits and penetration testing focused on error handling and information disclosure.
7. Educate administrators and users about the importance of timely patching and secure configuration.
8. Consider network segmentation to isolate the CRM database from other critical infrastructure to limit lateral movement if credentials are compromised.
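The following is an added illustration of the CWE-209 pattern behind this advisory and of recommendation 3 above; it is hypothetical PHP written for this page, not ChurchCRM's own code, and says nothing about how ChurchCRM itself handled the error. The function names connectUnsafe() and connectSafely(), the constant SAFE_ERROR_MESSAGE and the sample DSN, user and password are all constructed. The weak form echoes the driver's exception message and dumps the configuration array into the response; the hardened form logs detail server-side and surfaces only a generic message, with the production php.ini directives that keep constructor arguments (DSN, user, password) out of rendered stack traces.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code. Names and sample values are hypothetical.
//
// Production php.ini settings that back this up (standard PHP directives):
//   display_errors = Off             ; never render errors into the HTTP response
//   log_errors = On                  ; keep the detail in the server log instead
//   zend.exception_ignore_args = On  ; keep new PDO(dsn, user, password) arguments
//                                    ; out of exception stack traces

const SAFE_ERROR_MESSAGE = 'A database error occurred. Please contact the administrator.';

// Constructed sample configuration; a real deployment loads this from a file
// outside the web root. The password is a placeholder, not a real secret.
$config = [
    'dsn'      => 'mysql:host=db.example.invalid;dbname=churchcrm',
    'user'     => 'churchcrm_app',
    'password' => 'placeholder-not-a-real-secret',
];

/**
 * Weak pattern (the "before"): the raw driver message (which names the host and
 * the user) is echoed to the client, and the configuration dump discloses the
 * host, username and password outright. With display_errors=On an uncaught
 * PDOException would also print the constructor arguments in its trace.
 */
function connectUnsafe(array $config): PDO
{
    try {
        return new PDO($config['dsn'], $config['user'], $config['password']);
    } catch (PDOException $e) {
        echo 'Database error: ' . $e->getMessage() . "\n";
        print_r($config);   // host, username and password land in the response
        exit(1);
    }
}

/**
 * Hardened form: the driver detail goes to the server log only, and the caller
 * receives a RuntimeException whose message carries no connection parameters.
 */
function connectSafely(array $config): PDO
{
    try {
        return new PDO($config['dsn'], $config['user'], $config['password'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // The driver message may contain host and username; it is logged,
        // but the DSN and password are deliberately never written anywhere.
        error_log('[db] connection failed: ' . $e->getMessage());
        throw new RuntimeException(SAFE_ERROR_MESSAGE, 0);
    }
}

// Last line of defence for anything uncaught: log the class and message,
// then answer with a generic 500 so no internal detail reaches the browser.
set_exception_handler(function (Throwable $t): void {
    error_log(sprintf('[uncaught] %s: %s', get_class($t), $t->getMessage()));
    http_response_code(500);
    echo SAFE_ERROR_MESSAGE, "\n";
});

$db = connectSafely($config);
```

The design point for reviewers is that redaction has to happen at two layers: in the catch block, so the exception that propagates carries no secrets, and in the runtime configuration, so an exception that is not caught at all cannot render its trace. Recommendation 4 (rotating credentials after patching) still applies whenever an error page may already have been served.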
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-15T14:44:59.221Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6943260ffab815a9fc25184a
Added to database: 12/17/2025, 9:52:15 PM
Last enriched: 12/24/2025, 10:55:37 PM
Last updated: 2/5/2026, 4:48:12 PM