As MongoBleed exploitation escalates, 95% of systems remain unpatched

Hackers are actively exploiting the MongoBleed vulnerability, dumping server memory and scouring for passwords, tokens, credentials, and other sensitive data, cyber authorities warn. Estimates suggest that 95% of exposed MongoDB systems remain unpatched.
Cybersecurity authorities around the globe, including those from the US, Australia, and Germany, are sounding the alarm, urging administrators to update their MongoDB instances immediately.
The exploit, dubbed MongoBleed, enables attackers to pull memory dumps from exposed systems while knowing nothing more than the target's IP address.
MongoDB is a widely used database management software. Wiz data reveals that 42% of cloud environments have at least one instance of MongoDB vulnerable to MongoBleed, including both publicly exposed and internal resources.
The ShadowServer Foundation, a non-profit organization that scans the web for vulnerabilities, announced that it detected 74,854 possibly unpatched versions out of 78,725 exposed systems as of December 29th. This means that 95% of MongoDB instances are vulnerable despite a patch being available since December 23rd.
The majority of affected MongoDB systems are located in China (16,800), the United States (13,300), Germany (7,200), and France (5,100), followed by other countries.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert and added MongoBleed to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
The binding directive requires federal agencies to apply mitigations or discontinue the use of vulnerable products by January 19th, 2026.
Germany’s Federal Office for Information Security (BSI) urges administrators to update MongoDB instances immediately to the fixed versions (v8.2.3, v8.0.17, v7.0.28, v6.0.27, v5.0.32, v4.4.30). The BSI also advises checking for unnecessary public exposure of database instances, restricting network access to trusted sources, and actively monitoring logs for indicators of compromise.
The reported malicious activity is characterized by a high connection volume from a single source IP address, missing client metadata (which legitimate clients normally send), and short-term peaks of over 100,000 connections per minute.
A high number of connections is required because the data is extracted from the system RAM in small batches, one connection at a time.
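The two indicators above (connection bursts from one source and connections that never send a client-metadata handshake) can be checked directly against MongoDB's structured JSON log. The script below is an added example written for this article, not code from MongoDB, Wiz or any of the authorities quoted: it parses constructed log lines in the shape mongod emits for its NETWORK component ("Connection accepted" and "client metadata" messages), counts accepted connections per source IP per minute, and reports sources whose peak rate or missing-metadata ratio crosses a threshold. The sample lines, the exact `attr` field names and the thresholds are assumptions made for the example; a real deployment would tune the thresholds from its own baseline, and the 100,000-per-minute figure in the text is what was observed, not a detection threshold.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: field layout approximates mongod's JSON
# log; all addresses are from documentation ranges, nothing is from a real server).
_BASE = datetime.fromisoformat("2025-12-28T10:00:00+00:00")


def _event(ts, msg, remote, extra=None):
    """Build one mongod-style JSON log line for a NETWORK event."""
    attr = {"remote": remote}
    attr.update(extra or {})
    return json.dumps({
        "t": {"$date": ts.isoformat(timespec="milliseconds")},
        "s": "I", "c": "NETWORK", "msg": msg, "attr": attr,
    })


def build_sample_log():
    """Three legitimate driver connections plus a 300-connection burst with no metadata."""
    lines = []
    for i in range(3):  # legitimate client: one connection per minute, each with a handshake
        ts = _BASE + timedelta(minutes=i, seconds=5)
        remote = f"198.51.100.7:{40000 + i}"
        lines.append(_event(ts, "Connection accepted", remote, {"connectionId": i + 1}))
        lines.append(_event(ts + timedelta(milliseconds=50), "client metadata", remote,
                            {"doc": {"driver": {"name": "mongo-java-driver", "version": "4.11.0"}}}))
    for i in range(300):  # scraper-like source: many connections inside one minute, no handshake
        ts = _BASE + timedelta(minutes=1, milliseconds=i * 150)
        remote = f"203.0.113.9:{50000 + i}"
        lines.append(_event(ts, "Connection accepted", remote, {"connectionId": 100 + i}))
    return "\n".join(lines)


def parse_log(text):
    """Return (timestamp, msg, source_ip) tuples for NETWORK events; skip non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise (e.g. startup banners)
        if doc.get("c") != "NETWORK":
            continue
        remote = doc.get("attr", {}).get("remote", "")
        ip = remote.rsplit(":", 1)[0]  # strip the ephemeral port, keep the host part
        ts = datetime.fromisoformat(doc["t"]["$date"])
        events.append((ts, doc.get("msg", ""), ip))
    return events


def connection_stats(events):
    """Per source IP: total accepted connections, handshakes seen, and peak connections per minute."""
    stats = defaultdict(lambda: {"connections": 0, "with_metadata": 0, "peak_per_minute": 0})
    per_minute = defaultdict(int)
    for ts, msg, ip in events:
        if msg == "Connection accepted":
            stats[ip]["connections"] += 1
            per_minute[(ip, ts.replace(second=0, microsecond=0))] += 1
        elif msg == "client metadata":
            stats[ip]["with_metadata"] += 1
    for (ip, _minute), n in per_minute.items():
        stats[ip]["peak_per_minute"] = max(stats[ip]["peak_per_minute"], n)
    return dict(stats)


def flag_suspicious(stats, peak_threshold=200, min_connections=20, min_metadata_ratio=0.5):
    """Map each suspicious IP to the list of indicators it triggered (thresholds are illustrative)."""
    reasons = {}
    for ip, s in stats.items():
        hits = []
        if s["peak_per_minute"] >= peak_threshold:
            hits.append(f"burst: {s['peak_per_minute']} connections in one minute")
        if s["connections"] >= min_connections:
            ratio = s["with_metadata"] / s["connections"]
            if ratio < min_metadata_ratio:
                hits.append(f"no client metadata on {1 - ratio:.0%} of connections")
        if hits:
            reasons[ip] = hits
    return reasons


if __name__ == "__main__":
    stats = connection_stats(parse_log(build_sample_log()))
    for ip, hits in flag_suspicious(stats).items():
        print(ip, "->", "; ".join(hits))
```

On a real server the same functions can be pointed at the mongod log file instead of `build_sample_log()`; the two indicators are kept separate in the output so an analyst can see whether a source tripped on volume, on the missing handshake, or on both.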
The Australian Cyber Security Centre also issued an alert for business and government agencies in the country, urging them to review their networks and environments for the use of vulnerable MongoDB versions and investigate any unauthorized access or compromise of affected products.
“Wiz has been able to validate many internet-facing instances as exploitable,” the cloud security company said in its report.
Cloud customers received a patch automatically
MongoDB released a blog post on their response and key insights.
The tech company details that the issue, tracked as CVE-2025-14847 and known as MongoBleed, was first detected on December 12th, 2025.
The company developed a fix and first patched the Atlas fleet, its cloud-based commercial database service, on December 17th-18th. MongoDB then disclosed the vulnerability, rated high severity and affecting all database versions, on December 19th.
The patch for the community edition was issued on December 23rd. Proof-of-concept exploits followed.
“Protecting customers was our top priority throughout this process. Tens of thousands of MongoDB Atlas customers and hundreds of thousands of Atlas instances were proactively patched within days,” the company said.
“Because MongoDB manages Atlas, we were able to deploy critical security patches quickly and safely on behalf of customers.”
The company also stated that the patched bug in the MongoDB Server products (Community and Enterprise) does not constitute a breach or compromise of MongoDB, MongoDB Atlas, or its systems.
According to MongoDB's advisory, MongoBleed is exploited from the client side: a flaw in the server's zlib implementation can cause it to return uninitialized heap memory to a client that has not authenticated to the server.