CVE-2025-68110
📋 TL;DR
ChurchCRM versions before 6.5.3 expose sensitive database credentials in error messages, allowing attackers to obtain database host, IP, username, and password. This affects all ChurchCRM installations running vulnerable versions. Attackers can use this information to gain unauthorized database access.
💻 Affected Systems
- ChurchCRM
📦 What is this software?
ChurchCRM by ChurchCRM: an open-source, PHP-based church management system (member records, groups, donations, events) backed by a MySQL/MariaDB database. The database credentials it leaks are the ones the application itself uses to reach that backend.
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise leading to data theft, data manipulation, and potential complete system takeover via database privileges.
Likely Case
Database credential theft enabling unauthorized access to church member data, financial records, and sensitive personal information.
If Mitigated
Limited impact with proper network segmentation and database access controls, but credentials still exposed.
🎯 Exploit Status
Exploitation requires triggering error conditions that reveal credentials, which may be straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.3
Vendor Advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-82mq-xc2j-3qv2
Restart Required: Yes
Instructions:
1. Back up the ChurchCRM database and application files.
2. Download ChurchCRM version 6.5.3 or later from the official repository.
3. Follow the upgrade instructions in the ChurchCRM documentation.
4. Restart the web server service.
🔧 Temporary Workarounds
Disable Detailed Error Messages
Configure the application to return generic error messages instead of detailed ones that include database connection information.
Edit the ChurchCRM configuration to set error reporting to minimal or production mode. Because ChurchCRM runs on PHP, also make sure the PHP runtime does not echo exception details into the HTTP response (display_errors=Off, log_errors=On in php.ini), so that any remaining detail lands only in server-side logs. This reduces exposure but does not fix the underlying bug; the credentials are still written out and must be protected and rotated.
Network Segmentation
On the database host, restrict database access to the ChurchCRM application server only using firewall rules. Note that -A appends: if an earlier catch-all ACCEPT rule exists in the INPUT chain, the DROP below is never reached, so check the chain order (iptables -L INPUT -n --line-numbers) and persist the rules across reboots. If the database runs on the same host as the application, loopback traffic must still be allowed.
iptables -A INPUT -s [CHURCHCRM_IP] -p tcp --dport [DB_PORT] -j ACCEPT
iptables -A INPUT -p tcp --dport [DB_PORT] -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit database connectivity to only trusted sources.
- Rotate all database credentials immediately and monitor for unauthorized access attempts.
🔍 How to Verify
Check if Vulnerable:
Check the ChurchCRM version in the admin interface or by examining the application files. Versions below 6.5.3 are vulnerable; compare versions numerically, not as strings (6.5.10 is newer than 6.5.3).
Check Version:
Check the ChurchCRM admin dashboard or examine the version.php file in the installation directory.
Verify Fix Applied:
After upgrading to 6.5.3 or later, verify that error messages no longer contain database credentials by testing error conditions.
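The version comparison above is easy to get wrong when done as a string compare. The following is an added example (not ChurchCRM's own code) that parses a version string as reported by the admin dashboard and decides whether it predates the 6.5.3 fix, treating a pre-release of 6.5.3 as still vulnerable:

```python
import re

# Version that contains the fix, per the vendor advisory.
FIXED_VERSION = "6.5.3"

def parse_version(s):
    """Split '6.5.3', 'v6.5.3' or '6.5.3-rc1' into (numeric tuple, pre-release tag)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    pre = m.group(2)  # None for a final release
    return nums, pre

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True if `installed` is older than the fixed release."""
    inst_nums, inst_pre = parse_version(installed)
    fix_nums, _ = parse_version(fixed)
    # Pad to equal length so that "6.5" compares as 6.5.0.
    n = max(len(inst_nums), len(fix_nums))
    inst_nums += (0,) * (n - len(inst_nums))
    fix_nums += (0,) * (n - len(fix_nums))
    if inst_nums != fix_nums:
        return inst_nums < fix_nums
    # Same numeric version: a pre-release (e.g. 6.5.3-rc1) predates the fix.
    return inst_pre is not None

if __name__ == "__main__":
    for v in ("6.5.2", "6.5.3", "6.5.10", "v6.5.3-rc1", "6.4"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Feed it the version string from the dashboard or the application files; anything that returns True needs the upgrade.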
📡 Detection & Monitoring
Log Indicators:
- Error logs containing database connection strings, hostnames, usernames, or passwords
- Unusual database connection attempts from unexpected IP addresses
Network Indicators:
- Database connections originating from hosts other than the ChurchCRM application server (an attacker who harvested the credentials will connect from elsewhere)
- Database authentication failures from new sources
SIEM Query:
source="churchcrm.logs" AND ("database" OR "password" OR "host") AND "error"
(Pseudo-syntax; adapt field names to your SIEM. Expect noise: tune on the exact error strings your installation produces, and treat any hit that contains a connection string or password as an incident requiring credential rotation.)
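The SIEM query above is coarse. As an added example, not part of this advisory or of ChurchCRM, here is detection logic that scans application or web-server error logs for the kind of disclosure this CVE describes (DSN fragments, user/password key-value pairs, and MySQL access-denied messages that name the account and origin host) and returns a redacted copy of each hit so the alert itself does not re-leak the secret. The log lines are constructed for the example and are not real ChurchCRM output:

```python
import re

# Constructed sample log lines; lines 3 and 4 show the shape of a verbose
# PHP/PDO error, not actual ChurchCRM output.
SAMPLE_LOG = """\
2025-01-10 10:01:02 INFO  user admin logged in from 203.0.113.7
2025-01-10 10:01:09 WARN  slow query on table person_per (1.8s)
2025-01-10 10:02:15 ERROR SQLSTATE[HY000] [1045] Access denied for user 'churchcrm'@'10.0.0.12' (using password: YES)
2025-01-10 10:02:15 ERROR PDO connection failed: mysql:host=db01.internal;port=3306;dbname=churchcrm user=churchcrm password=Sup3rSecret!
2025-01-10 10:03:00 INFO  backup completed
"""

# Checked in this order so the DSN is collapsed before the key=value scans run.
PATTERNS = {
    # PDO-style DSN (mysql:host=...;port=...;dbname=...) as PHP may echo it.
    "dsn": re.compile(r"\b(mysql|pgsql):host=[^\s;]+(?:;[a-z]+=[^\s;]+)*", re.I),
    # password=... / pwd: ... fragments; skip MySQL's "(using password: YES)".
    "password": re.compile(r"(?<!using )\b(pass(?:word)?|pwd)\s*[=:]\s*(\S+)", re.I),
    # user=... / username: ... fragments.
    "user": re.compile(r"\b(user(?:name)?|uid)\s*[=:]\s*(\S+)", re.I),
    # MySQL access-denied error disclosing account and connecting host.
    "access_denied": re.compile(r"Access denied for user '([^']+)'@'([^']+)'", re.I),
}

def scan_line(line):
    """Return (kinds_matched, redacted_line) for one log line."""
    kinds = []
    redacted = line
    for kind, rx in PATTERNS.items():
        if not rx.search(redacted):
            continue
        kinds.append(kind)
        if kind == "dsn":
            redacted = rx.sub(lambda m: m.group(1) + ":host=[REDACTED]", redacted)
        elif kind in ("password", "user"):
            redacted = rx.sub(lambda m: m.group(1) + "=[REDACTED]", redacted)
        else:
            redacted = rx.sub("Access denied for user '[REDACTED]'@'[REDACTED]'", redacted)
    return kinds, redacted

def find_credential_leaks(text):
    """Scan a log blob; return a list of findings for lines that disclose DB details."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kinds, redacted = scan_line(line)
        if kinds:
            findings.append({"line": lineno, "kinds": kinds, "redacted": redacted})
    return findings

if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['kinds'])}\n    {f['redacted']}")
```

Run it over the web server's error log and the application log rather than the SIEM index alone: the leak happens at the point the error is rendered, and a redacted finding is enough to trigger credential rotation without copying the password into the ticketing system.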