


Perceptive Security
SOC/SIEM Consultancy

Exploited MongoBleed flaw leaks MongoDB secrets, 87K servers exposed
Published:
28 December 2025 at 20:38:15
Alert date:
28 December 2025 at 21:02:09
Source:
bleepingcomputer.com
Database & Storage, Zero-Day Vulnerabilities, Data Breach & Exfiltration
A severe vulnerability dubbed MongoBleed (CVE-2025-14847) affecting multiple MongoDB versions is being actively exploited in the wild. Over 87,000 MongoDB servers are exposed on the public internet, with more than 80,000 potentially vulnerable to this flaw. The vulnerability allows attackers to leak MongoDB secrets and sensitive information. Active exploitation has been confirmed, making this a critical security issue requiring immediate attention from organizations running MongoDB instances.
Technical details
MongoBleed (CVE-2025-14847) is a vulnerability in MongoDB's handling of network messages that are compressed with zlib. When the server decompresses such a message, it reports the size of the buffer it allocated instead of the actual length of the decompressed data. An attacker can send a malformed compressed message that claims a much larger decompressed size, causing the server to allocate an oversized buffer and hand back the part of it that was never filled, leaking whatever in-memory data it still holds, including sensitive information. The flaw is reachable before authentication, so no valid credentials are needed to exploit it.
Mitigation steps:
Upgrade MongoDB to a safe release (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 or 4.4.30).
If upgrading is not possible, disable zlib compression on the server.
Check for signs of compromise: look for source IPs with hundreds or thousands of connections but zero client metadata events.
Use the MongoBleed Detector tool to parse MongoDB logs and identify potential exploitation.
Consider the safe compression alternatives Zstandard (zstd) or Snappy.
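The compromise check above (many connections from one source, no client metadata handshake) can be run directly over mongod logs. The script below is an added example written for this page; it is not the MongoBleed Detector's code nor MongoDB's. It assumes the structured JSON log format MongoDB writes since 4.4, where NETWORK events carry the peer address in attr.remote as "ip:port" and the handshake appears as a "client metadata" message; the sample log lines are constructed, not real captures.

```python
"""Hunt MongoDB JSON logs for the MongoBleed traffic pattern: source IPs that
open many connections but never send a 'client metadata' handshake.
Added example; assumes the MongoDB 4.4+ structured log layout."""
import json
from collections import defaultdict

# Constructed sample log (not a real capture).
# 10.0.0.5 behaves like a normal driver: each accepted connection is followed
# by a client-metadata event. 203.0.113.77 opens connection after connection
# and never sends metadata. A malformed line and a non-NETWORK line are
# included to show the parser skips them instead of aborting the hunt.
SAMPLE_LINES = [
    '{"t":{"$date":"2025-12-26T03:14:01Z"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51234","connectionId":101}}',
    '{"t":{"$date":"2025-12-26T03:14:01Z"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn101","msg":"client metadata","attr":{"remote":"10.0.0.5:51234","doc":{"driver":{"name":"mongo-go-driver"}}}}',
    '{"t":{"$date":"2025-12-26T03:14:02Z"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn101","msg":"Authentication succeeded","attr":{"principalName":"app","remote":"10.0.0.5:51234"}}',
    'garbage <<< not json at all',
    '{"t":{"$date":"2025-12-26T03:15:09Z"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51240","connectionId":102}}',
    '{"t":{"$date":"2025-12-26T03:15:09Z"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn102","msg":"client metadata","attr":{"remote":"10.0.0.5:51240","doc":{"driver":{"name":"mongo-go-driver"}}}}',
] + [
    # six back-to-back connections from one address, no handshake on any of them
    '{"t":{"$date":"2025-12-26T03:20:%02dZ"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.77:%d","connectionId":%d}}'
    % (i, 40000 + i, 200 + i)
    for i in range(6)
]


def _remote_ip(remote):
    """Strip the port from "ip:port" or "[v6addr]:port"."""
    host, sep, _port = remote.rpartition(":")
    return (host if sep else remote).strip("[]")


def connection_stats(lines):
    """Count accepted connections and client-metadata handshakes per source IP.

    Unparsable lines and events without a peer address are skipped.
    """
    stats = defaultdict(lambda: {"connections": 0, "metadata": 0})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # corrupted or non-JSON line: ignore, keep hunting
        if event.get("c") != "NETWORK":
            continue
        remote = (event.get("attr") or {}).get("remote")
        if not remote:
            continue
        ip = _remote_ip(remote)
        msg = event.get("msg")
        if msg == "Connection accepted":
            stats[ip]["connections"] += 1
        elif msg == "client metadata":
            stats[ip]["metadata"] += 1
    return dict(stats)


def suspicious_sources(lines, min_connections=100):
    """Return [(ip, connection_count)] for sources that opened at least
    min_connections connections and never sent client metadata, busiest first.
    The default threshold follows the 'hundreds of connections' heuristic;
    lower it for short log windows."""
    hits = [
        (ip, s["connections"])
        for ip, s in connection_stats(lines).items()
        if s["connections"] >= min_connections and s["metadata"] == 0
    ]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    # Real use: suspicious_sources(open("/var/log/mongodb/mongod.log"))
    for ip, count in suspicious_sources(SAMPLE_LINES, min_connections=5):
        print(f"{ip}: {count} connections, no client metadata")
```

Every legitimate driver sends a client metadata document on its first handshake, so a source that keeps reconnecting without ever doing so is the signal worth escalating; pair the hit list with connection timestamps and, where available, the compressor negotiated for those sessions.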
Affected products:
MongoDB 8.2.0 through 8.2.3
MongoDB 8.0.0 through 8.0.16
MongoDB 7.0.0 through 7.0.26
MongoDB 6.0.0 through 6.0.26
MongoDB 5.0.0 through 5.0.31
MongoDB 4.4.0 through 4.4.29
All MongoDB Server v4.2 versions
All MongoDB Server v4.0 versions
All MongoDB Server v3.6 versions
Related links:
https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/#technical_analysis
https://x.com/dez_
https://doublepulsar.com/merry-christmas-day-have-a-mongodb-security-incident-9537f54289eb
https://censys.com/advisory/cve-2025-14847
https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb
https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847
https://github.com/Neo23x0/mongobleed-detector
https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977
https://github.com/facebook/zstd
https://github.com/google/snappy
https://www.bleepingcomputer.com/news/security/massive-rainbow-six-siege-breach-gives-players-billions-of-credits/
Related CVEs:
Related threat actors:
IOCs:
Source IP with hundreds or thousands of connections but zero client metadata events
Malformed network messages sent to MongoDB instances
Unusual connection patterns to MongoDB servers
This article was created with the assistance of AI technology by Perceptive.
