


Perceptive Security
SOC/SIEM Consultancy

CISA orders feds to patch MongoBleed flaw exploited in attacks
Published:
30 December 2025 at 14:40:13
Alert date:
30 December 2025 at 15:02:11
Source:
bleepingcomputer.com
Database & Storage, Zero-Day Vulnerabilities, Critical Infrastructure
CISA has ordered U.S. federal agencies to patch MongoBleed, a vulnerability in MongoDB that is being actively exploited in attacks. The vulnerability allows attackers to steal credentials, API keys, and other sensitive data. This represents a critical security issue affecting MongoDB installations across government systems.
Technical details
MongoBleed (CVE-2025-14847) is a high-severity MongoDB vulnerability that stems from how MongoDB Server processes network packets using the zlib library for data compression. Successful exploitation allows unauthenticated threat actors to remotely steal credentials and sensitive data through low-complexity attacks that don't require user interaction. Over 74,000 Internet-exposed, potentially vulnerable MongoDB instances were found by Shadowserver, with Censys tracking over 87,000 IP addresses running possibly unpatched MongoDB versions. According to Wiz telemetry, 42% of visible cloud systems have at least one MongoDB instance vulnerable to this flaw.
Mitigation steps:
Apply security patches immediately (Federal agencies must patch by January 19, 2026)
If immediate patching is not possible, disable zlib compression on the server
Use the MongoBleed Detector tool to parse MongoDB logs and identify potential exploitation attempts
Follow applicable BOD 22-01 guidance for cloud services
Discontinue use of the product if mitigations are unavailable
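For the interim mitigation above (disabling zlib compression), the following added example, which is not part of the original alert or of any vendor tooling, checks block-style mongod.conf text for whether zlib is still offered as a network compressor. It assumes the `net.compression.compressors` setting and its default list as described in MongoDB's configuration documentation (neither appears in this alert); the sample configurations are constructed.

```python
import re

# Compressors in effect when net.compression.compressors is unset
# (assumed from MongoDB's documented default for mongod/mongos 4.2 and later).
DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]

def configured_compressors(conf_text):
    """Return net.compression.compressors from block-style mongod.conf text,
    or None when the key is absent. Not a general YAML parser."""
    path = []  # stack of (indent, key) for the enclosing mappings
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        m = re.match(r"^(\s*)(\w+)\s*:\s*(.*)$", line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key))
        if [k for _, k in path] == ["net", "compression", "compressors"]:
            value = m.group(3).strip().strip("'\"")
            return [c.strip().lower() for c in value.split(",") if c.strip()]
    return None

def zlib_enabled(conf_text):
    """True when zlib is offered for network compression, including by default."""
    value = configured_compressors(conf_text)
    # An absent or empty value falls back to the default list (fail-safe).
    return "zlib" in (value or DEFAULT_COMPRESSORS)

# Constructed sample configurations (not taken from any real host).
SAMPLES = {
    "default.conf": "net:\n  port: 27017\n  bindIp: 127.0.0.1\n",
    "explicit.conf": "net:\n  compression:\n    compressors: snappy,zlib\n",
    "mitigated.conf": (
        "storage:\n  wiredTiger:\n    collectionConfig:\n"
        "      blockCompressor: zlib  # on-disk setting, not the network one\n"
        "net:\n  compression:\n    compressors: snappy,zstd\n"
    ),
    "disabled.conf": "net:\n  compression:\n    compressors: disabled\n",
}

def audit(samples):
    """Map each config name to True if it still needs the zlib mitigation."""
    return {name: zlib_enabled(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, needs_fix in audit(SAMPLES).items():
        print(f"{name}: {'zlib ENABLED' if needs_fix else 'zlib not offered'}")
```

A configuration that never mentions the setting is reported as needing the mitigation, because the default list includes zlib; flow-style YAML and command-line overrides are not parsed and also fall through to that conservative result.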
Affected products:
MongoDB Server (all versions vulnerable to CVE-2025-14847)
zlib library (used for data compression in MongoDB)
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-14847
https://www.bleepingcomputer.com/news/security/mongodb-warns-admins-to-patch-severe-vulnerability-immediately/
https://x.com/dez_
https://bsky.app/profile/shadowserver.bsky.social/post/3mb5liaenas2r
https://censys.com/advisory/cve-2025-14847
https://www.wiz.io/blog/mongobleed-cve-2025-14847-exploited-in-the-wild-mongodb
https://www.cisa.gov/news-events/alerts/2025/12/29/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-14847
https://jira.mongodb.org/browse/SERVER-115508
https://github.com/Neo23x0/mongobleed-detector
This article was created with the assistance of AI technology by Perceptive.
