Executive Summary
On Dec. 19, 2025, MongoDB publicly disclosed MongoBleed, a security vulnerability (CVE-2025-14847) that allows unauthenticated attackers to leak sensitive heap memory by exploiting a trust issue in how MongoDB Server handles zlib-compressed network messages. This flaw occurs prior to authentication, meaning an attacker only needs network access to the database's default port to trigger it.
Key details of the threat are summarized below:
- Vulnerability: CVE-2025-14847 is a critical, unauthenticated memory disclosure vulnerability in MongoDB Server's handling of zlib-compressed messages (CVSS 8.7).
- Impact: This memory can contain sensitive data such as cleartext credentials, API keys, session tokens and personally identifiable information (PII).
- Status: Confirmed active exploitation in the wild. A public proof-of-concept (PoC) exploit is available. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog on Dec. 29, 2025, based on evidence of active exploitation.
Cortex Xpanse identified approximately 146,000 vulnerable instances of MongoDB exposed to the internet.
Palo Alto Networks customers are better protected from activity related to CVE-2025-14847 through the following products and services:
- Cortex XDR and XSIAM can help protect against post-exploitation activities using the multi-layer protection approach
- Cortex Cloud can help detect cloud-hosted resources vulnerable to CVE-2025-14847
- Cortex Xpanse can help identify exposed MongoDB devices on the public internet and escalate these findings to defenders
The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
| Vulnerabilities Discussed | CVE-2025-14847 |
Details of CVE-2025-14847
The MongoBleed vulnerability originates in the way MongoDB processes zlib-compressed wire-protocol messages, a feature that is enabled by default. Compressed traffic is carried in OP_COMPRESSED messages, whose header wraps the original opcode and payload and includes an uncompressedSize field that tells the server how large the payload will be once inflated.
The execution of the attack mechanism occurs in the following manner:
- An unauthenticated attacker sends a specially crafted, compressed message to a vulnerable MongoDB server.
- The attacker manipulates the uncompressedSize field within the OP_COMPRESSED header, setting it to a value significantly larger than the actual compressed payload.
- The server fails to validate this value and allocates an output buffer of the attacker-specified size. The buffer is not zeroed, so beyond the bytes that decompression actually writes it still holds whatever earlier requests left in that region of the heap.
- The leak is amplified by MongoDB's error-handling logic. The attacker's payload is a malformed BSON object with no null terminator, so the parser reads past the decompressed bytes into the stale portion of the buffer until it finds one. When parsing ultimately fails, the error response echoes the offending input back to the client: the original malicious message followed by the leaked heap contents.
This process allows an attacker to progressively leak large portions of the server's memory by sending repeated malformed requests.
Note that MongoDB applied the patch automatically to its managed MongoDB Atlas service; self-hosted MongoDB servers must be patched manually.
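The steps above, as an added example that is not MongoDB's code: a minimal OP_COMPRESSED encoder, a decoder that trusts the peer-supplied uncompressedSize the way the text describes, and a decoder that validates it. The wire layout (16-byte MsgHeader, then originalOpcode, uncompressedSize, compressorId and the compressed bytes) follows the public wire protocol; the STALE_HEAP buffer is a constructed stand-in for allocator leftovers, the 48 MB bound is an assumed server-side maximum message size, and the JSON payloads are invented sample traffic.

```python
# Added example (not MongoDB's code): a minimal OP_COMPRESSED encoder and two
# decoders. trusting_decode() models the flaw the text describes, where the
# server sizes its buffer from the peer-supplied uncompressedSize and the
# untouched remainder of that buffer is stale heap; validating_decode() shows
# the check that closes it. STALE_HEAP is a constructed stand-in for allocator
# leftovers, MAX_MESSAGE_SIZE is an assumed server bound, payloads are invented.
import struct
import zlib

OP_COMPRESSED = 2012         # opcode of a compressed wire-protocol message
OP_MSG = 2013                # opcode of the wrapped original message
COMPRESSOR_ZLIB = 2          # compressorId: 0 noop, 1 snappy, 2 zlib, 3 zstd
MAX_MESSAGE_SIZE = 48 * 1024 * 1024   # assumed upper bound a server should enforce
HEADER_LEN = 16              # MsgHeader: messageLength, requestID, responseTo, opCode

# Constructed "previous request" residue standing in for uninitialised heap.
STALE_HEAP = (b"\x00" * 16 + b'{"user":"app","pwd":"Hunter2!"}' + b"\x00" * 16) * 4


def build_op_compressed(payload: bytes, declared_size: int, request_id: int = 1) -> bytes:
    """Wrap payload in OP_COMPRESSED, letting the caller lie about uncompressedSize."""
    compressed = zlib.compress(payload)
    # body: originalOpcode int32, uncompressedSize int32, compressorId uint8, compressed bytes
    body = struct.pack("<iiB", OP_MSG, declared_size, COMPRESSOR_ZLIB) + compressed
    header = struct.pack("<iiii", HEADER_LEN + len(body), request_id, 0, OP_COMPRESSED)
    return header + body


def parse_op_compressed(msg: bytes):
    """Return (uncompressedSize, compressorId, compressedMessage); header checks only."""
    if len(msg) < HEADER_LEN + 9:
        raise ValueError("message too short")
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", msg, 0)
    if msg_len != len(msg) or opcode != OP_COMPRESSED:
        raise ValueError("not a well-formed OP_COMPRESSED message")
    _orig, declared, compressor = struct.unpack_from("<iiB", msg, HEADER_LEN)
    return declared, compressor, msg[HEADER_LEN + 9:]


def trusting_decode(msg: bytes) -> bytes:
    """Vulnerable pattern: allocate declared bytes of recycled memory, inflate into
    the front, and treat the whole buffer as the message."""
    declared, compressor, compressed = parse_op_compressed(msg)
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError("unsupported compressor")
    buf = bytearray(STALE_HEAP[:declared].ljust(declared, b"\x00"))  # no zeroing
    data = zlib.decompress(compressed)
    buf[: len(data)] = data
    return bytes(buf)  # payload followed by (declared - len(data)) bytes of stale heap


def validating_decode(msg: bytes) -> bytes:
    """Hardened pattern: bound uncompressedSize, never inflate past it, and
    require the stream to produce exactly the declared number of bytes."""
    declared, compressor, compressed = parse_op_compressed(msg)
    if compressor != COMPRESSOR_ZLIB:
        raise ValueError("unsupported compressor")
    if not 0 < declared <= MAX_MESSAGE_SIZE:
        raise ValueError(f"uncompressedSize {declared} out of range")
    inflater = zlib.decompressobj()
    data = inflater.decompress(compressed, declared + 1)  # cap output at declared + 1
    if not inflater.eof or inflater.unconsumed_tail or len(data) != declared:
        raise ValueError(f"declared {declared} bytes, stream produced {len(data)}")
    return data


def compare(payload: bytes, declared_size: int) -> dict:
    """Run both decoders on one message and summarise what each returned."""
    msg = build_op_compressed(payload, declared_size)
    leaked = trusting_decode(msg)
    try:
        hardened = validating_decode(msg)
        verdict = "accepted"
    except ValueError as exc:
        hardened, verdict = b"", f"rejected: {exc}"
    return {
        "trusting_len": len(leaked),
        "stale_bytes_returned": len(leaked) - len(payload),
        "secret_in_leak": b"Hunter2!" in leaked,
        "hardened": verdict,
        "hardened_len": len(hardened),
    }


if __name__ == "__main__":
    query = b'{"find": "users"}'
    print("honest size :", compare(query, len(query)))
    print("inflated    :", compare(query, 200))
```

With the honest size both decoders return the 17-byte query. With uncompressedSize set to 200, the trusting decoder hands back 183 bytes it never wrote, including the constructed credential, while the validating decoder rejects the message because the zlib stream stops well short of the declared length. The same check also rejects a declared size smaller than the real output (the capped inflate leaves input unconsumed) and a size above the server bound.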
Attack Vector and Impact
The attack vector is fully remote, unauthenticated, and requires no user interaction. An adversary only needs network access to the default MongoDB port (TCP/27017) to exploit the flaw.
The primary impact is loss of confidentiality. MongoBleed is a read-only memory disclosure and does not by itself allow remote code execution, but the secrets it can expose are highly valuable: attackers can use leaked credentials and tokens to enable further system compromise, data exfiltration and lateral movement.
This vulnerability affects the following MongoDB versions:
- Version 8.2: 8.2.0 – 8.2.2
- Version 8.0: 8.0.0 – 8.0.16
- Version 7.0: 7.0.0 – 7.0.27
- Version 6.0: 6.0.0 – 6.0.26
- Version 5.0: 5.0.0 – 5.0.31
- Version 4.4: 4.4.0 – 4.4.29
End-of-life (no fix available):
- All v4.2 versions
- All v4.0 versions
- All v3.6 versions
Current Scope of the Attack Using CVE-2025-14847
The threat posed by MongoBleed is not theoretical. A working public PoC exploit was published on GitHub on Dec. 26, 2025. Security researchers observed active exploitation in the wild shortly after the vulnerability's disclosure.
Official confirmation of active exploitation came on Dec. 29, 2025, when the U.S. CISA added CVE-2025-14847 to its KEV Catalog, mandating that federal agencies patch the flaw.
Cortex Xpanse identified approximately 146,000 vulnerable instances of MongoDB exposed to the internet, providing a tangible metric for the global attack surface.
Interim Guidance
If immediate patching is not feasible, the following temporary measures should be considered to help reduce risk:
1. Network Segmentation: Reduce exposure by blocking all inbound internet access to MongoDB instances on port TCP/27017. Connections should be restricted at the network level to explicitly trusted sources only.
2. Disable zlib Compression: As a temporary workaround, disable zlib compression support within the MongoDB configuration. This action prevents the vulnerable code path from being triggered. Safe alternatives include snappy, zstd or fully disabling compression.
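The compressor setting described in step 2, as an added configuration example rather than text from the original page: mongod.conf fragments showing a compressor list that still offers zlib beside the two interim alternatives. The option name net.compression.compressors and the keyword disabled are MongoDB's; the ordering of the default list is assumed here.

```yaml
# mongod.conf fragments (added example; not from the original page).
# Weak: a compressor list that still offers zlib keeps the vulnerable
# code path negotiable before authentication.
net:
  compression:
    compressors: snappy,zstd,zlib
---
# Interim hardening: remove zlib, keep snappy and zstd.
net:
  compression:
    compressors: snappy,zstd
---
# Alternative: turn network message compression off entirely.
net:
  compression:
    compressors: disabled
```

The command-line equivalent is --networkMessageCompressors, and mongod must be restarted for the change to take effect. Compression is negotiated when the client connects, so a driver that offers only zlib falls back to uncompressed traffic rather than failing to connect. After the restart, confirm the running value from mongosh with db.serverCmdLineOpts() before treating the workaround as in place.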
Please refer to the issues tracker maintained by MongoDB for additional suggestions and updates.
Unit 42 Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our Managed Services customers, using telemetry available within Cortex XDR. Cortex XDR customers who don’t leverage Unit 42 Managed Services can also use the following XQL query to search for signs of exploitation.
The following query identifies hosts running mongod that receive a high volume of short inbound connections from external addresses within a single minute. A hit does not by itself indicate exploitation, but it flags systems for further review.
```
// Description: High Velocity network connection to MongoDB server may indicate exploitation of MongoBleed (CVE-2025-14847)
// Notes: Review the source IP of the requests and the host IP addresses. Validate they are not the same. If the IPs are on the same subnet it may be due to routing or load-balancing configuration.
dataset = xdr_data
| filter event_type = ENUM.NETWORK
| filter lowercase(actor_process_image_name) in ("mongod", "mongod.exe")
| filter action_network_is_server = true
// Filter for non-RFC1918 IP addresses. To include all IPs (depending on routing configuration it is possible traffic may have the internal IP of a load balancer, proxy, router, or firewall) comment the following line.
| filter action_remote_ip not in (null, "")
| filter incidr(action_remote_ip, "10.0.0.0/8") != true and        // RFC1918
         incidr(action_remote_ip, "192.168.0.0/16") != true and    // RFC1918
         incidr(action_remote_ip, "172.16.0.0/12") != true and     // RFC1918
         incidr(action_remote_ip, "127.0.0.0/8") != true and       // Loopback
         incidr(action_remote_ip, "169.254.0.0/16") != true and    // Link Local
         incidr(action_remote_ip, "224.0.0.0/4") != true and       // Multicast
         incidr(action_remote_ip, "255.255.255.255/32") != true and // Broadcast
         incidr(action_remote_ip, "198.18.0.0/15") != true         // Reserved
| fields _time, agent_hostname, agent_id, actor_effective_username, agent_ip_addresses, agent_external_ip,
         actor_process_image_name, actor_process_image_path, action_local_ip, action_local_port,
         action_remote_ip, action_remote_port, action_remote_ip_enrichment, action_network_app_ids,
         action_network_connection_id, action_network_dpi_fields, action_network_packet_data,
         action_network_protocol, action_network_session_duration, action_upload, action_download
| filter action_network_session_duration <= 5000
| bin _time span = 1m
| comp count(_time) as Counter,
       values(agent_ip_addresses) as agent_ip_addresses,
       values(agent_external_ip) as agent_external_ip,
       values(action_local_port) as Local_ports,
       count_distinct(action_local_port) as Local_port_Count
       by agent_hostname, action_remote_ip, _time
// Identify source IPs with a high volume of connections per Minute. This number can be increased or decreased as needed. The higher the number the greater the chance of malicious activity, while the lower the number the broader the scope/ ability to identify activity.
| filter Counter >= 500
```
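The same velocity check as an added example in Python, not Cortex XQL and not Unit 42's code: constructed connection records stand in for xdr_data, only inbound connections served by mongod are counted, the same RFC1918, loopback, link-local, multicast, broadcast and 198.18.0.0/15 ranges are excluded, sessions are limited to 5 seconds, and counts are binned per host, remote IP and minute against the query's 500-per-minute threshold. Hostnames, addresses and timings are invented.

```python
# Added example (not Cortex XQL and not Unit 42's code): the velocity check from
# the query above, expressed in Python over constructed telemetry so the logic
# can be exercised offline. Hosts, addresses and timings are invented.
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Same exclusions as the query: RFC1918, loopback, link-local, multicast,
# broadcast and the 198.18.0.0/15 benchmarking range.
EXCLUDED_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "255.255.255.255/32", "198.18.0.0/15",
)]
MONGOD_IMAGES = {"mongod", "mongod.exe"}


def is_external(ip: str) -> bool:
    """True for addresses outside the excluded ranges; False for blanks or garbage."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in EXCLUDED_RANGES)


def high_velocity_sources(events, threshold=500, max_duration_ms=5000):
    """Count short inbound connections to mongod per (host, remote_ip, minute) and
    return the buckets at or above threshold, mirroring the query's comp/filter stages."""
    counts = Counter()
    for ev in events:
        if ev["image"].lower() not in MONGOD_IMAGES or not ev["is_server"]:
            continue
        if not is_external(ev["remote_ip"]) or ev["duration_ms"] > max_duration_ms:
            continue
        minute = ev["time"].replace(second=0, microsecond=0)  # bin _time span = 1m
        counts[(ev["host"], ev["remote_ip"], minute)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def constructed_events():
    """Constructed telemetry: a noisy external source (leak loop), a quiet external
    client, an internal load balancer, and a source holding long sessions."""
    t0 = datetime(2025, 12, 27, 3, 14, 0)
    events = []

    def add(remote_ip, count, spacing_ms, duration_ms=120, image="mongod", is_server=True):
        for i in range(count):
            events.append({
                "time": t0 + timedelta(milliseconds=i * spacing_ms),
                "host": "db-prod-01", "image": image, "is_server": is_server,
                "remote_ip": remote_ip, "duration_ms": duration_ms,
            })

    add("203.0.113.45", 1200, 40)                   # 1200 connections in 48 s
    add("198.51.100.7", 12, 4000)                   # ordinary client churn
    add("10.20.30.40", 900, 50)                     # RFC1918 source, dropped by the range filter
    add("192.0.2.9", 600, 80, duration_ms=60000)    # long sessions, outside the <= 5 s window
    return events


if __name__ == "__main__":
    for (host, ip, minute), n in sorted(high_velocity_sources(constructed_events()).items()):
        print(f"{minute:%Y-%m-%d %H:%M} {host} <- {ip}: {n} connections/min")
```

On the constructed data only 203.0.113.45 crosses the threshold; the RFC1918 source is dropped by the range filter and the long-session source by the duration filter, exactly as in the query. Lowering the threshold widens the net (the 12-connection client then appears too), which is the trade-off the query's closing comment describes; if mongod sits behind a load balancer that rewrites source addresses, remove the range exclusion as the query's note suggests, or the attacker's traffic will be filtered out along with the internal ranges.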
Conclusion
While MongoBleed carries a Critical severity rating, successfully weaponizing it against a monitored enterprise is operationally difficult. Each request returns only unstructured fragments of whatever happened to be on the heap, so harvesting anything valuable requires an attacker to barrage the server with thousands of requests.
This makes any worthwhile exploitation of MongoBleed a loud intrusion with a distinctive fingerprint, one that connection-velocity heuristics and rate-limiting controls should detect and block well before significant data exfiltration occurs.
Palo Alto Networks customers are better protected by our products, as listed below.
Palo Alto Networks Product Protections for CVE-2025-14847
Palo Alto Networks customers can leverage a variety of product protections and services to help identify and defend against this threat.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
- UK: +44.20.3743.3660
- Europe and Middle East: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 000 800 050 45107
- South Korea: +82.080.467.8774
Cortex XDR and XSIAM
Cortex XDR and XSIAM help protect against post-exploitation activities using the multi-layer protection approach.
Cortex Xpanse
Cortex Xpanse is designed to identify exposed MongoDB devices on the public internet and escalate these findings to defenders. Customers can enable alerting on this risk by ensuring that the MongoDB Server and Insecure MongoDB Server Attack Surface Rules are enabled.
Cortex Attack Surface Testing (AST) can also validate whether exposed MongoDB instances are vulnerable to exploitation by executing benign PoC checks.
Identified findings can either be viewed in the Threat Response Center or in the incident view of Expander. These findings are also available for Cortex XSIAM customers who have purchased the attack surface management (ASM) module.
Cortex Cloud
Cortex Cloud can help detect cloud-hosted resources vulnerable to CVE-2025-14847 through Cortex Cloud XDR endpoint agents and serverless agents deployed within the cloud environment.
While MongoDB’s managed service offering was automatically patched by the MongoDB Security Engineering team, self-hosted cloud instances can still be vulnerable. Cortex Cloud is designed to provide discovery of self-hosted MongoDB instances across Amazon Web Services (AWS), Azure and Google Cloud (GCP). This allows organizations to gain visibility into cloud-hosted assets, a critical first step in mitigating threats like MongoBleed.
Furthermore, Cortex Cloud has detection rules specifically designed to identify and alert on any self-hosted MongoDB instances that are publicly accessible.
Lastly, if cloud identities were leaked from a compromised MongoDB instance, Cortex Cloud Identity Security can help detect the common post-exploitation identity-based techniques used to gain and maintain persistence and to expand access within the cloud platform.