
Tens of thousands of MongoDB servers remain exposed to active exploitation, days after the disclosure of a critical memory leak vulnerability known as MongoBleed (CVE-2025-14847).
Data from the Shadowserver Foundation reveals that over 87,000 MongoDB instances are currently accessible from the internet, with more than 74,000 of them still running unpatched versions.
The updated figures were released by Shadowserver on December 29, 2025, as part of its ongoing tracking of exposed MongoDB services. The group now tags vulnerable servers based on version data, allowing precise identification of those at risk. Out of 78,725 publicly accessible MongoDB instances observed that day, 74,854 were flagged as potentially vulnerable to CVE-2025-14847. The majority of those are in China, the United States, Germany, France, Hong Kong, Singapore, and India.
The MongoBleed vulnerability, first disclosed on December 24, 2025, impacts all supported and legacy MongoDB server versions from 3.6 through 8.2.2. It stems from incorrect length handling in the message_compressor_zlib.cpp file, part of the server's zlib-based network compression layer. By sending a specially crafted compressed message, a remote attacker can trigger a memory leak and retrieve uninitialized heap memory without authentication. This allows the exfiltration of sensitive in-memory data such as credentials, API keys, internal logs, and more.
MongoDB is a widely adopted NoSQL database, powering applications across sectors including gaming, finance, IoT, analytics, and web services. Its flexibility and scalability have led to millions of deployments globally, many of which are self-managed and exposed directly to the internet.
The severity of the vulnerability prompted quick action from MongoDB Inc., which issued security patches across all supported release branches:
- 8.2.3
- 8.0.17
- 7.0.28
- 6.0.27
- 5.0.32
- 4.4.30
Cloud-based deployments on MongoDB Atlas have been patched automatically. However, self-hosted environments, particularly those in smaller organizations or lacking active maintenance, are lagging behind, contributing to the high number of exposed systems.
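As an added example (not code from the article, MongoDB or Shadowserver), the following Python helper does the same version-based triage Shadowserver describes: it classifies each reported server version against the affected range (3.6 through 8.2.2) and the patched releases listed above. The host names and inventory are constructed, and the classification relies on the reported version alone.

```python
import re

# Added helper for CVE-2025-14847 triage by reported version (not MongoDB or Shadowserver tooling).
# Earliest fixed release on each supported branch, as listed in the advisory.
FIXED_RELEASES = {
    (8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30),
}
# Affected range per the advisory: every release from 3.6 through 8.2.2 inclusive.
AFFECTED_MIN = (3, 6, 0)
AFFECTED_MAX = (8, 2, 2)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull major.minor.patch out of strings like '7.0.27' or 'db version v6.0.26'."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version_text):
    """Classify one server as 'patched', 'vulnerable', 'unaffected' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None and v >= fixed:
        return "patched"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        # Branches with no fixed release listed (e.g. 4.2.x) land here too;
        # they need a move to a patched branch, not a point release.
        return "vulnerable"
    return "unaffected"


def triage(inventory):
    """Group hosts by status; inventory maps host name -> reported version string."""
    report = {"patched": [], "vulnerable": [], "unaffected": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        report[assess(version)].append(host)
    return report


# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE_INVENTORY = {
    "db-prod-01": "db version v8.2.2",
    "db-prod-02": "8.0.17",
    "db-legacy-01": "4.2.25",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A version string alone cannot tell whether a patched binary has actually been restarted, so confirm the running process after upgrading.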
Active exploitation of MongoBleed began almost immediately following the publication of a proof-of-concept tool on GitHub by researcher Joe Desimone on December 25. The tool requires only an IP address to extract memory from vulnerable servers. By December 28, attackers had leveraged the flaw to breach Ubisoft's Rainbow Six Siege infrastructure, disrupting online services and enabling lateral movement into backend systems.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-14847 to its Known Exploited Vulnerabilities (KEV) catalog yesterday. Federal agencies are now required to remediate it by January 19, 2026. CISA has strongly urged private organizations to treat the vulnerability with similar urgency due to its widespread exploitation and minimal attack requirements.