Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
MongoBleed Vulnerability Exploited: Update MongoDB Now to Prevent Data Breach


30 December 2025 10:03

The Cybersecurity and Infrastructure Security Agency (CISA) has officially raised the alarm about a critical vulnerability in MongoDB, adding the flaw to its catalog of known exploited vulnerabilities (KEVs).

This move confirms that the bug, dubbed “MongoBleed,” is being actively exploited by hackers to steal sensitive data from servers around the world. The flaw is serious. It stems from “improper handling of length parameter inconsistencies” in the database’s use of the zlib compression library.

Security researchers at Ox Security have clarified how the vulnerability works, which stems from MongoDB’s tendency to return the amount of memory allocated when processing network messages, rather than the actual size of the decompressed data.

The vulnerability, identified as CVE-2025-14847, has a severity score of 8.7 and affects a wide range of MongoDB Server versions, from legacy installations to the latest releases.

CISA’s action follows reports of widespread abuse. The agency warned that “this type of vulnerability is a common attack vector for malicious actors and poses a significant risk to federal operations.”

The list of affected versions is extensive and spans several years of releases:

  • MongoDB from version 8.2.0 to 8.2.3
  • MongoDB from version 8.0.0 to 8.0.16
  • MongoDB from version 7.0.0 to 7.0.26
  • MongoDB from version 6.0.0 to 6.0.26
  • MongoDB from version 5.0.0 to 5.0.31
  • MongoDB from version 4.4.0 to 4.4.29
  • All versions 4.2, 4.0 and 3.6.

According to Censys, a platform dedicated to discovering internet-connected resources, as of December 27, there were more than 87,000 potentially vulnerable MongoDB instances exposed to the public internet.

This structural inconsistency allows an attacker to transmit a “malformed message declaring an exaggerated unpacked size,” thus tricking the server into reserving an expandable memory buffer. The server then inadvertently returns the contents of this uninitialized memory to the adversary.

By exploiting this flaw, attackers are able to remotely harvest secrets, credentials, and other sensitive data from an exposed MongoDB instance, achieving a complete extraction without the need for authentication.
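
The length mismatch described above, reduced to a toy framing format as an added example (not MongoDB's code or wire protocol, and not part of the original article). The 4-byte size header, `MAX_UNCOMPRESSED`, and the function names are assumptions, and a reused bytearray stands in for uninitialized memory. `handle_flawed` replies with as many bytes as the header declared, while `handle_strict` rejects any frame whose decompressed size differs from the declared size.

```python
import struct
import zlib

MAX_UNCOMPRESSED = 1 << 20  # assumed policy cap for this toy format

def frame(payload: bytes, declared_len: int) -> bytes:
    """Toy frame (assumption): 4-byte little-endian declared size + zlib stream."""
    return struct.pack("<I", declared_len) + zlib.compress(payload)

def handle_flawed(msg: bytes, scratch: bytearray) -> bytes:
    """Flawed: replies with the allocated size, not the size actually written."""
    (declared,) = struct.unpack_from("<I", msg)
    data = zlib.decompress(msg[4:])
    buf = scratch[:declared]      # reused buffer models uninitialized memory
    buf[:len(data)] = data        # only len(data) bytes are overwritten
    return bytes(buf)             # stale bytes beyond len(data) are returned too

def handle_strict(msg: bytes) -> bytes:
    """Hardened: the declared size must equal the real decompressed size."""
    if len(msg) < 4:
        raise ValueError("frame shorter than its header")
    (declared,) = struct.unpack_from("<I", msg)
    if declared > MAX_UNCOMPRESSED:
        raise ValueError("declared size exceeds cap")
    d = zlib.decompressobj()
    data = d.decompress(msg[4:], declared + 1)  # never inflate past declared + 1
    if len(data) != declared or not d.eof or d.unused_data:
        raise ValueError("declared size does not match decompressed size")
    return data

if __name__ == "__main__":
    # Constructed stand-in for leftover data from an earlier request.
    stale = bytearray(b"session-token=CONSTRUCTED;" * 8)
    honest, lying = frame(b"ping", 4), frame(b"ping", 64)
    print(handle_strict(honest))
    print(handle_flawed(lying, stale))
    try:
        handle_strict(lying)
    except ValueError as exc:
        print("rejected:", exc)
```
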

MongoDB fixed the vulnerability 10 days ago and urges all administrators to immediately upgrade to a “safe build.” The fixed builds are:

  • 8.2.3
  • 8.0.17
  • 7.0.28
  • 6.0.27
  • 5.0.32
  • 4.4.30.

Fortunately, customers using MongoDB Atlas, the company’s fully managed multi-cloud service, received the patch automatically and do not need to take any action.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.