Date of update: 30.12. Reports by The Shadowserver Foundation indicate that 74,854 MongoDB databases remain exposed to the “MongoBleed” vulnerability CVE-2025-14847. It is remarkable that close to 50% of the databases remain in China (16,800) and the USA (13,300).
Original Article, December 29:
A tool published on code repositories such as GitHub can help identify cases of MongoBleed (CVE-2025-14847) exploitation within an organization's network. MongoBleed, a serious vulnerability in MongoDB databases, gets past many network restrictions because the attack operates at the application layer.
The bug lets attackers read protected data from the server's memory without needing to authenticate. Sensitive details such as login credentials, tokens, and personal information are prized targets for cyber attackers. Several organizations, including the security firm Wiz, have issued warnings about active exploitation of the bug.
The vulnerability is found in the zlib decompression function in MongoDB versions 4.4 to 8.2.2. According to Wiz Research, a staggering 42 percent of cloud instances have at least one vulnerable version of MongoDB, whether publicly exposed or internal systems. Censys discovered about 87,000 vulnerable instances worldwide.
How the detector works
The MongoBleed Detector is a script-based, offline CLI tool for analyzing MongoDB JSON log files. It needs no network connection and no additional agents to do its work.
The detection mechanism correlates three connection-related events emitted by MongoDB: accepted-connection messages (id 22943), client metadata messages (id 51800), and closed-connection messages (id 22944). "A legitimate MongoDB driver always emits the metadata following the accepted connection." In contrast, the MongoBleed attack establishes a connection, reads memory, and then ends the connection without ever emitting a client metadata message.
The tool flags malicious activity patterns based on high connection volumes from the same IP address, missing client metadata, and connection bursts above 100,000 connections per minute. It supports compressed log files and both IPv4 and IPv6 addresses, and assigns one of four risk levels: HIGH, MEDIUM, LOW, and INFO.
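To make the correlation concrete, here is an added example (written for this page, not the detector's own code) that applies the same idea to MongoDB JSON log lines: it pairs each accepted connection (id 22943) with its client metadata (id 51800) and close (id 22944) events, counts per remote IP how many connections closed without ever sending metadata, and tracks the peak accepted connections per minute. The log lines are constructed samples, the connection id is taken from `attr.connectionId` or from a `connN` context (an assumption about how mongod names connection contexts), and the thresholds in `risk_level` are assumed for illustration, not the tool's.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable

# MongoDB JSON log event ids named in the article.
CONN_ACCEPTED = 22943    # "Connection accepted"
CLIENT_METADATA = 51800  # "client metadata" (every legitimate driver sends it)
CONN_ENDED = 22944       # "Connection ended"

# Constructed sample log lines (not real captures): one normal driver session from
# 10.0.0.5, three connect-then-close sessions without metadata from 203.0.113.7,
# and one normal IPv6 session.
SAMPLE_LOG = """
{"t":{"$date":"2025-12-29T10:15:01.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51234","connectionId":1,"connectionCount":1}}
{"t":{"$date":"2025-12-29T10:15:01.010+00:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn1","msg":"client metadata","attr":{"remote":"10.0.0.5:51234","client":"conn1","doc":{"driver":{"name":"mongo-go-driver","version":"1.17.0"}}}}
{"t":{"$date":"2025-12-29T10:15:01.020+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40001","connectionId":2,"connectionCount":2}}
{"t":{"$date":"2025-12-29T10:15:01.030+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn2","msg":"Connection ended","attr":{"remote":"203.0.113.7:40001","connectionId":2,"connectionCount":1}}
{"t":{"$date":"2025-12-29T10:15:01.040+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40002","connectionId":3,"connectionCount":2}}
{"t":{"$date":"2025-12-29T10:15:01.050+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn3","msg":"Connection ended","attr":{"remote":"203.0.113.7:40002","connectionId":3,"connectionCount":1}}
{"t":{"$date":"2025-12-29T10:15:01.060+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40003","connectionId":4,"connectionCount":2}}
{"t":{"$date":"2025-12-29T10:15:01.070+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn4","msg":"Connection ended","attr":{"remote":"203.0.113.7:40003","connectionId":4,"connectionCount":1}}
{"t":{"$date":"2025-12-29T10:15:02.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"[2001:db8::1]:33000","connectionId":5,"connectionCount":2}}
{"t":{"$date":"2025-12-29T10:15:02.010+00:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn5","msg":"client metadata","attr":{"remote":"[2001:db8::1]:33000","client":"conn5","doc":{"driver":{"name":"PyMongo","version":"4.10.1"}}}}
{"t":{"$date":"2025-12-29T10:15:05.000+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn5","msg":"Connection ended","attr":{"remote":"[2001:db8::1]:33000","connectionId":5,"connectionCount":1}}
{"t":{"$date":"2025-12-29T10:15:05.100+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn1","msg":"Connection ended","attr":{"remote":"10.0.0.5:51234","connectionId":1,"connectionCount":0}}
"""


def _conn_id(event: dict) -> str:
    """Connection id from attr.connectionId, else from a "connN" ctx (assumed naming)."""
    attr = event.get("attr", {})
    if "connectionId" in attr:
        return str(attr["connectionId"])
    ctx = event.get("ctx", "")
    return ctx[4:] if ctx.startswith("conn") else ""


def _remote_ip(remote: str) -> str:
    """Strip the port from "ip:port"; IPv6 remotes appear as "[addr]:port"."""
    if remote.startswith("["):
        return remote[1:remote.index("]")]
    return remote.rsplit(":", 1)[0]


def analyze(lines: Iterable[str]) -> Dict[str, dict]:
    """Per remote IP: total accepted connections, how many closed without
    client metadata, and the peak number of accepted connections in one minute."""
    open_conns: Dict[str, dict] = {}  # conn id -> {"ip": str, "metadata": bool}
    per_minute = defaultdict(int)     # (ip, "YYYY-MM-DDTHH:MM") -> accepted count
    stats = defaultdict(lambda: {"total": 0, "no_metadata": 0, "peak_per_minute": 0})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines in rotated/mixed logs
        eid, cid = ev.get("id"), _conn_id(ev)
        if eid == CONN_ACCEPTED:
            ip = _remote_ip(ev["attr"]["remote"])
            open_conns[cid] = {"ip": ip, "metadata": False}
            stats[ip]["total"] += 1
            per_minute[(ip, ev["t"]["$date"][:16])] += 1
        elif eid == CLIENT_METADATA and cid in open_conns:
            open_conns[cid]["metadata"] = True
        elif eid == CONN_ENDED and cid in open_conns:
            conn = open_conns.pop(cid)
            if not conn["metadata"]:
                stats[conn["ip"]]["no_metadata"] += 1
    for (ip, _minute), count in per_minute.items():
        stats[ip]["peak_per_minute"] = max(stats[ip]["peak_per_minute"], count)
    return dict(stats)


def risk_level(ip_stats: dict, burst_threshold: int = 100_000) -> str:
    """Assumed illustrative thresholds; the article only names the 100k/min burst figure."""
    if ip_stats["peak_per_minute"] > burst_threshold or ip_stats["no_metadata"] >= 10:
        return "HIGH"
    if ip_stats["no_metadata"] >= 3:
        return "MEDIUM"
    if ip_stats["no_metadata"] >= 1:
        return "LOW"
    return "INFO"


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{risk_level(s):6} {ip:15} total={s['total']} "
              f"no_metadata={s['no_metadata']} peak/min={s['peak_per_minute']}")
```

Run it on a real mongod log with `analyze(open("/var/log/mongodb/mongod.log"))`; for `.gz` archives wrap the path in `gzip.open(path, "rt")` instead. Connections that were still open when the log ends are deliberately left uncounted, since their metadata message may not have been written yet.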
Moreover, the tool comes equipped with a Python SSH remote executor. This enables the scanning of multiple MongoDB instances. The detector also includes the forensic folder mode that assists in examining the evidence gathered from various hosts.
Affected versions and patches
The vulnerability affects the following MongoDB versions:
- 8.2.0 to 8.2.2
- 8.0.0 to 8.0.16
- 7.0.0 to 7.0.27
- 6.0.0 to 6.0.26
- 5.0.0 to 5.0.31
Organizations running vulnerable versions of MongoDB need to apply the updates and use the detector to scan their logs for any sign of malicious activity. The Netherlands' NCSC had anticipated the current exploitation, warning that this particular vulnerability would be exploited shortly. Those that cannot apply the updates now can remove zlib from the compressors configured via the networkMessageCompressors command-line option or the net.compression.compressors configuration setting, either keeping snappy or zstd or disabling compression entirely.
MongoDB has released patched versions for the affected branches: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. MongoDB Atlas instances have already been upgraded, and customers need take no action. Exploitation in the wild has been known since December 26, 2025, after a working exploit became public.
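As an added configuration example (written for this page, not taken from the article or from the detector project), the mongod.conf setting the mitigation above refers to, with the weak form that still allows zlib beside the two hardened alternatives. The key `net.compression.compressors` and the value `disabled` are the documented options; the three variants are shown as separate YAML documents so that only one would be used at a time.

```yaml
# Weak: zlib is still in the negotiated list, so a client can select the affected decompressor
net:
  compression:
    compressors: snappy,zstd,zlib
---
# Hardened: drop zlib, keep snappy and zstd
net:
  compression:
    compressors: snappy,zstd
---
# Alternative: turn network compression off entirely
net:
  compression:
    compressors: disabled
```

After changing the setting, restart mongod and confirm the negotiated compressors in the server log or via the driver's connection options; the command-line equivalent is `--networkMessageCompressors` with the same values.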