30 December 2025
The widely used MongoDB database system contains a critical security vulnerability that is currently being actively exploited.
Urgent action is required.
Tracked as CVE-2025-14847, the flaw lies in MongoDB's handling of zlib-compressed wire-protocol messages and allows unauthenticated attackers to read uninitialized heap memory.
Patches for the bug were released on December 19, when MongoDB warned that successful exploitation could lead to the disclosure of memory contents.
Dubbed MongoBleed, the issue can be abused via crafted compressed messages: when the server parses them, it treats the size of the buffer it allocated for the decompressed data as the message length, rather than the number of bytes actually decompressed, so the uninitialized remainder of that buffer is returned to the client.
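The mechanism described above, as an added illustration that is not MongoDB's code and not the published PoC: a simplified model of a server that decompresses a client-supplied zlib message into a buffer sized by the client's declared uncompressedSize field. The buggy handler returns the whole allocation, the fixed handler returns only what zlib produced and rejects a length mismatch. The frame layout, the `build_frame`/`allocate` helpers and the stale heap contents are constructed for the demonstration (a real allocator returns arbitrary leftovers, not these strings).

```python
import struct
import zlib

# Constructed stale heap contents standing in for what an unzeroed malloc()
# hands back: leftovers from earlier requests on the same server. These
# values are invented for the demonstration.
STALE_HEAP = (
    b"HTTP/1.1 200 OK\r\n"
    b"set-cookie: session=tok_7f3a9c\r\n"
    b"password=hunter2\r\n"
    b"api_key=AKIA-constructed\r\n"
)


def build_frame(payload: bytes, claimed_uncompressed_size: int) -> bytes:
    """Constructed stand-in for a zlib-compressed frame: a little-endian int32
    uncompressedSize chosen by the client, followed by the zlib stream.
    A crafted message lies in the size field."""
    return struct.pack("<i", claimed_uncompressed_size) + zlib.compress(payload)


def allocate(size: int) -> bytearray:
    """Model of an unzeroed allocation: the new buffer starts out holding
    whatever previously occupied that region (here: STALE_HEAP)."""
    return bytearray(STALE_HEAP[:size].ljust(size, b"\x00"))


def vulnerable_decompress(frame: bytes) -> bytes:
    """Buggy pattern (modelled): the message length is taken from the
    declared size, i.e. the allocation, not from zlib's actual output."""
    (claimed,) = struct.unpack_from("<i", frame, 0)
    buf = allocate(claimed)
    out = zlib.decompressobj().decompress(frame[4:], claimed)
    buf[: len(out)] = out
    # BUG: every byte of the allocation is treated as message data, so the
    # region past len(out) that zlib never wrote goes back to the client.
    return bytes(buf[:claimed])


def fixed_decompress(frame: bytes) -> bytes:
    """Hardened handler: the length comes from zlib and must equal the
    declared size; anything else is rejected before any further parsing."""
    (claimed,) = struct.unpack_from("<i", frame, 0)
    if claimed <= 0:
        raise ValueError("invalid uncompressedSize")
    buf = allocate(claimed)
    d = zlib.decompressobj()
    # One byte of slack so an over-long stream is detected, not truncated.
    out = d.decompress(frame[4:], claimed + 1)
    if not d.eof or d.unconsumed_tail or len(out) != claimed:
        raise ValueError("decompressed length does not match uncompressedSize")
    buf[: len(out)] = out
    return bytes(buf[: len(out)])


def leaked_bytes(frame: bytes) -> bytes:
    """What the attacker learns from the buggy handler: everything the
    response carries beyond the genuinely decompressed payload."""
    (claimed,) = struct.unpack_from("<i", frame, 0)
    real = zlib.decompress(frame[4:])
    return vulnerable_decompress(frame)[len(real):]
```

Repeating the request with a large declared size, as the analyses above describe, returns a different slice of stale heap each time, which is how fragments of sessions, credentials and documents accumulate. The fix does not need to zero the buffer: it simply never hands out bytes that zlib did not write.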
On Christmas Eve, Ox Security published a technical analysis of the security defect, explaining how it could be exploited to extract sensitive information from MongoDB servers.
Two days later, Elastic Security’s Joe Desimone released a PoC exploit for it, which can be used to extract session tokens, passwords, API keys, and other sensitive data.
Ox Security says the MongoDB vulnerability can be exploited to leak entire databases by sending multiple malformed requests.
According to Wiz, because the flawed network message decompression logic is processed before authentication, attackers can leak fragments of sensitive in-memory data without valid credentials or user interaction.
“Because the vulnerability is reachable prior to authentication and does not require user interaction, Internet-exposed MongoDB servers are particularly at risk,” Wiz notes.
MongoBleed exploited in the wild
Warning that the exploitation of MongoBleed started shortly after the PoC exploit was released, Wiz notes that roughly 42% of cloud environments have MongoDB instances that are vulnerable.
Censys observed more than 87,000 vulnerable MongoDB servers globally. According to security researcher Kevin Beaumont, there are over 200,000 instances.
“Because of how simple this is now to exploit — the bar is removed — expect high likelihood of mass exploitation and related security incidents,” Beaumont notes.
The vulnerability was patched in MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. Organizations should update self-managed instances as soon as possible or disable Zlib compression on the server to prevent exploitation.
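A small triage helper for the two remediation options above, added here as an example and not part of the original article or of MongoDB's tooling. It checks a version string from `mongod --version` or `db.version()` against the fixed releases listed above, and evaluates the `net.compression.compressors` setting (the mongod.conf key that controls which network compressors are offered; `--networkMessageCompressors` on the command line). The assumption that any release branch without a listed fix counts as unpatched is the author's, not the vendor's.

```python
import re
from typing import Optional

# Fixed releases listed above, keyed by release branch (major, minor).
FIXED_IN = {
    (8, 2): 3,
    (8, 0): 17,
    (7, 0): 28,
    (6, 0): 27,
    (5, 0): 32,
    (4, 4): 30,
}

# Default value of net.compression.compressors when the setting is absent.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Accepts the forms printed by mongod --version / db.version(),
    e.g. '8.0.16', 'v8.0.16' or '8.0.16-rc0'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        # Assumption: a branch with no listed fix (end-of-life or a
        # rapid-release line) is treated as unpatched, never as safe.
        return False
    return patch >= fixed


def zlib_enabled(compressors: Optional[str]) -> bool:
    """compressors is the configured net.compression.compressors value;
    None means the key is absent and the default applies."""
    value = DEFAULT_COMPRESSORS if compressors is None else compressors
    names = {c.strip().lower() for c in value.split(",")}
    return "zlib" in names


def hardened_compressors(compressors: Optional[str]) -> str:
    """Interim mitigation named above: drop zlib from the list. If nothing
    else remains, 'disabled' switches network compression off entirely.

    Resulting mongod.conf fragment for the default case:
        net:
          compression:
            compressors: snappy,zstd
    """
    value = DEFAULT_COMPRESSORS if compressors is None else compressors
    kept = [c.strip() for c in value.split(",")
            if c.strip() and c.strip().lower() != "zlib"]
    return ",".join(kept) if kept else "disabled"


def assess(version: str, compressors: Optional[str] = None) -> str:
    """'patched', 'mitigated' (zlib already off) or 'vulnerable'."""
    if is_patched(version):
        return "patched"
    if not zlib_enabled(compressors):
        return "mitigated"
    return "vulnerable"
```

Disabling zlib is a stopgap, not a substitute for upgrading: clients that negotiate only zlib will fall back to uncompressed traffic, and the unpatched code path remains on disk until the fixed release is installed.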
Before updating, however, administrators should hunt for signs of compromise by checking the MongoDB server logs, Recon InfoSec co-founder Eric Capuano notes.
Source: SecurityWeek