US, Australia say ‘MongoBleed’ bug being exploited
Monday, December 29, 2025
What
A critical vulnerability, dubbed "MongoBleed" (CVE-2025-14847), is being actively exploited globally, impacting various versions of MongoDB's database management system. This flaw allows attackers to establish numerous rapid connections to MongoDB servers, probing for memory leaks to aggregate and reconstruct sensitive information, effectively bypassing authentication controls under specific conditions. Cybersecurity experts warn that this exposure could lead to the theft of database passwords, AWS secret keys, and other confidential data, primarily by opportunistic actors.
Where
The vulnerability affects MongoDB database management systems deployed across various environments, including cloud environments, small startups, software-as-a-service providers, large enterprises, and government organizations globally. Specifically, U.S. federal civilian agencies are mandated to patch, and Australia's Cyber Security Centre has issued warnings. Thousands of internet-exposed MongoDB deployments worldwide are potentially vulnerable, with estimates ranging from 74,854 to 87,000 instances.
When
MongoDB announced the vulnerability on December 15 and released a patch on December 19. Exploit code for CVE-2025-14847 was publicly published on December 25. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its catalog of exploited vulnerabilities on Monday evening (likely early January) and ordered federal civilian agencies to apply the patch by January 19. Active global exploitation was confirmed by U.S. and Australian cyber agencies around this time.
Key Factors
- The MongoBleed vulnerability (CVE-2025-14847) operates by establishing tens of thousands of rapid connections per minute to a MongoDB server, probing for memory leaks to aggregate and reconstruct sensitive data, effectively bypassing authentication.
- Cybersecurity firm Wiz reported that 42% of cloud environments have at least one instance of a vulnerable MongoDB version, with many internet-facing instances confirmed as exploitable.
- The exploit allows for the theft of highly sensitive information, including database passwords and AWS secret keys, highlighting the severe risk of data compromise.
- Rapid7's analysis indicates that the large-scale exposure of MongoDB deployments, combined with trivial access paths, makes them highly susceptible to opportunistic abuse from broad internet scanning rather than targeted nation-state campaigns.
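The exploitation pattern described above (tens of thousands of rapid connections per minute from a single source) is something a defender can look for in the server's own connection log while patching is under way. The following is an added example, not code from the article or from MongoDB: it parses constructed log lines modelled on MongoDB's structured JSON log format (the field names `t`, `c`, `msg` and `attr.remote` are assumptions for this example) and flags any remote IP whose count of accepted connections inside a sliding 60-second window exceeds a threshold. The sample data and the threshold of 30 are constructed for the demonstration; a production threshold should be tuned to the deployment's normal connection rate.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Build constructed log lines shaped like MongoDB's JSON log output.

    The field layout (t/$date, c, ctx, msg, attr.remote) is an assumption made
    for this example; the IP addresses come from documentation ranges.
    """
    base = datetime(2025, 12, 29, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def accepted(ts, remote, conn_id):
        return json.dumps({
            "t": {"$date": ts.isoformat()},
            "c": "NETWORK",
            "ctx": "listener",
            "msg": "Connection accepted",
            "attr": {"remote": remote, "connectionId": conn_id},
        })

    # One source opening 50 connections inside ten seconds: a burst.
    for i in range(50):
        lines.append(accepted(base + timedelta(milliseconds=200 * i),
                              f"203.0.113.7:{40000 + i}", i))
    # A normal client: three connections spread two minutes apart.
    for i in range(3):
        lines.append(accepted(base + timedelta(seconds=120 * i),
                              f"198.51.100.4:{50000 + i}", 100 + i))
    # Noise the parser must skip: an unrelated subsystem line and a broken line.
    lines.append(json.dumps({"t": {"$date": base.isoformat()}, "c": "CONTROL",
                             "ctx": "main", "msg": "Startup complete", "attr": {}}))
    lines.append("this line is not JSON")
    return lines


SAMPLE_LOG = build_sample_log()


def parse_connection_events(lines):
    """Return a list of (timestamp, source_ip) for every accepted connection."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed or non-JSON line: ignore
        if rec.get("c") != "NETWORK" or rec.get("msg") != "Connection accepted":
            continue
        remote = rec.get("attr", {}).get("remote", "")
        ip = remote.rsplit(":", 1)[0]  # drop the ephemeral source port
        ts = datetime.fromisoformat(rec["t"]["$date"])
        events.append((ts, ip))
    return events


def connection_bursts(lines, threshold, window_seconds=60):
    """Map each source IP to its peak connection count within any sliding window,
    keeping only sources whose peak reaches the threshold."""
    by_ip = defaultdict(list)
    for ts, ip in parse_connection_events(lines):
        by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak = 0
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in connection_bursts(SAMPLE_LOG, threshold=30).items():
        print(f"burst from {ip}: {peak} connections within 60 s")
```

Running the block prints the single bursting source. In practice the same function would be fed the live log file and its output correlated with the patch status of the instance, since a burst alone only indicates that a source is hammering the listener, not that the leak succeeded.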
Takeaways
- Organizations using MongoDB should immediately identify and patch all instances of CVE-2025-14847 to prevent active exploitation and potential data theft.
- This incident underscores the critical importance of robust access control mechanisms and minimizing internet exposure for database systems, as even without complex exploit chains, vulnerabilities can lead to significant risk.
- Regularly monitor for newly disclosed vulnerabilities in critical software, especially those with public exploit code, and prioritize patching efforts based on confirmed active exploitation and potential impact.
Source: The Record