
US, Australia say ‘MongoBleed’ bug being exploited

U.S. and Australian cyber agencies confirmed that hackers are exploiting a vulnerability that emerged over the Christmas holiday and is impacting data storage systems from the company MongoDB.

The issue drew concern on December 25 when a prominent researcher published exploit code for CVE-2025-14847 — a vulnerability MongoDB announced on December 15 and patched on December 19.

The Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its catalog of exploited vulnerabilities on Monday evening and ordered all federal civilian agencies to patch it by January 19. A CISA spokesperson declined to answer further questions about what U.S. agencies are doing to protect those who may be impacted. 

Australia’s Cyber Security Centre said in an advisory that it “is aware of active global exploitation of this vulnerability.”

The vulnerability impacts a range of versions of MongoDB’s database management system.

The bug was dubbed “MongoBleed” in reference to several previous vulnerabilities, including the CitrixBleed bug.

Cybersecurity researcher Eric Capuano said the exploit “works by establishing many rapid connections to the MongoDB server — we’re talking tens of thousands per minute.” 

“Each connection probes for memory leaks, and the attacker aggregates the leaked data to reconstruct sensitive information,” he added. 

Douglas McKee, director of vulnerability intelligence at the cybersecurity firm Rapid7, told Recorded Future News the vulnerability affects thousands of internet-exposed MongoDB deployments by enabling access paths that bypass authentication controls under specific conditions.

Cybersecurity experts at several organizations warned about the level of exposure related to the bug. The cyber company Wiz found that 42% of cloud environments have at least one instance of a version of MongoDB vulnerable to CVE-2025-14847 and experts at the company have confirmed “many internet-facing instances as exploitable.”

Censys reported observing about 87,000 potentially vulnerable instances worldwide and the Shadowserver Foundation put the figure at 74,854. 

Rapid7’s McKee said similar large-scale exposure, combined with trivial access paths, has historically led to rapid, opportunistic abuse. 

“The issue highlights how exposure and access control failures can create material risk, even in the absence of a traditional exploit chain,” he said. 

“Based on historical patterns with similar MongoDB exposure issues, the most likely abuse would come from opportunistic actors conducting broad internet scanning rather than targeted or nation-state campaigns.”

He added that MongoDB is used across the spectrum, from small startups and software-as-a-service providers to large enterprises and government environments.

Cybersecurity expert Kevin Beaumont validated the exploit code over the weekend and said it allowed anyone to steal database passwords, AWS secret keys and more. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.