
Critical ‘MongoBleed’ Bug Under Active Attack, Patch Now

by David Walker

Attackers are actively exploiting a critical vulnerability in MongoDB to steal sensitive information directly from an affected server’s memory.

The attacks appear to have started on Dec. 29, barely three days after proof-of-concept exploit code (PoC) for the vulnerability became publicly available.

The flaw, tracked as CVE-2025-14847 and dubbed “MongoBleed,” lets remote, unauthenticated attackers extract cleartext credentials, authentication tokens, and sensitive customer data from server memory. Rapid7, which tested the PoC, found it fully functional and reliable, which makes the bug a severe threat to organizations running self-managed MongoDB instances.

The MongoBleed Security Threat

In a report this week, the security vendor urged affected organizations to remediate the vulnerability immediately rather than wait for their normal patch cycles. “Given the nature of the leak, simply patching is insufficient; organizations are advised to also rotate all database and application credentials that may have been exposed prior to remediation,” according to Rapid7.

MongoDB Inc. first disclosed the issue on Dec. 19. Functional exploit code was published online a week later, on Dec. 26, and three days after that the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation in the wild. MongoDB has assigned the vulnerability a CVSS severity rating of 8.7 out of 10, but Rapid7 warned that its consequences are critical for impacted organizations.


Specifically, MongoBleed abuses a memory-disclosure flaw in MongoDB servers configured to accept Zlib compression for network messages, a common configuration in many production environments, according to Rapid7. An attacker sends specially crafted Zlib-compressed network messages that trick the MongoDB server into leaking the contents of its own memory, hence the name MongoBleed.

What makes this vulnerability particularly dangerous is that it requires no authentication: any remote attacker who can reach the MongoDB port over the network can trigger it without valid credentials or special permissions. The leaked memory can contain high-value secrets, including passwords, API keys, and data from other concurrent database sessions.

The one mitigating factor is that CVE-2025-14847 exposes only uninitialized heap memory, portions of the server’s RAM that still hold stale contents from earlier use and have not been cleared. Attackers therefore cannot aim MongoBleed at specific data in server memory. “[Attackers] must instead rely on repeated exploitation attempts and chance to capture sensitive information,” Rapid7 said.


New Exploitation Tool for Stealing MongoDB Data

Rapid7 Labs said it has identified a new exploitation tool that significantly lowers the technical barrier for attacking vulnerable MongoDB servers. The tool has a graphical user interface that lets even less sophisticated threat actors extract 10MB of memory from an affected server in a single automated batch, or watch the extraction through a live visual feed, with no need for command-line operations or coding expertise.

CVE-2025-14847 affects a broad range of MongoDB versions, including the 4.4, 5.0, 6.0, 7.0, and 8.0 branches. MongoDB advises affected organizations to upgrade to versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.

“If you cannot upgrade immediately, disable zlib compression on the MongoDB Server by starting mongod or mongos with a networkMessageCompressors or a net.compression.compressors option that explicitly omits Zlib,” MongoDB said in its advisory. “Example safe values include snappy,zstd or disabled.”
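The two points above, that the flaw is reachable before any authentication and that the fix is to stop the server accepting Zlib, can be checked from the outside with one probe. The script below is an added example, not code from the article, Rapid7, or MongoDB. It uses the documented MongoDB handshake: a client sends an unauthenticated `hello` command carrying a `compression` array, and the server answers with the subset of those compressors it will accept (if a server rejects `hello`, the legacy spelling is `isMaster`). A reply listing `zlib` means the server still accepts Zlib-compressed messages, which is the state the advisory tells operators to remove. The probe only negotiates; it does not attempt the leak itself. The host and port are placeholders, and the minimal BSON and OP_MSG framing is written inline so the script runs with the standard library only.

```python
"""Probe whether a MongoDB server still negotiates zlib for wire messages.

Added example (not from the article, Rapid7 or MongoDB). Sends the
unauthenticated `hello` handshake with `compression: ["zlib"]` and reads
back the compressors the server agreed to. It never sends compressed data.
"""
import socket
import struct

OP_MSG = 2013  # wire-protocol opcode shared by request and reply
# BSON types a hello reply may carry that we only need to skip over
_SKIP = {0x07: 12, 0x09: 8, 0x0A: 0, 0x11: 8, 0x13: 16}

def _elem(type_byte, name, payload):
    return bytes([type_byte]) + name.encode() + b"\x00" + payload

def bson_encode(doc):
    """Minimal BSON encoder: bool, int32, double, string, list, dict."""
    out = b""
    for key, value in doc.items():
        if isinstance(value, bool):
            out += _elem(0x08, key, b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            out += _elem(0x10, key, struct.pack("<i", value))
        elif isinstance(value, float):
            out += _elem(0x01, key, struct.pack("<d", value))
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            out += _elem(0x02, key, struct.pack("<i", len(s)) + s)
        elif isinstance(value, list):
            out += _elem(0x04, key, bson_encode({str(i): v for i, v in enumerate(value)}))
        elif isinstance(value, dict):
            out += _elem(0x03, key, bson_encode(value))
        else:
            raise TypeError(f"unsupported BSON value for {key!r}")
    return struct.pack("<i", len(out) + 5) + out + b"\x00"

def bson_decode(buf):
    """Decode one BSON document; arrays become lists, skipped types become None."""
    total = struct.unpack_from("<i", buf, 0)[0]
    pos, doc = 4, {}
    while buf[pos] != 0x00:
        t, pos = buf[pos], pos + 1
        end = buf.index(b"\x00", pos)
        key, pos = buf[pos:end].decode(), end + 1
        if t == 0x02:                       # string: int32 length incl. NUL
            n = struct.unpack_from("<i", buf, pos)[0]
            doc[key], pos = buf[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif t in (0x03, 0x04):             # embedded document / array
            n = struct.unpack_from("<i", buf, pos)[0]
            sub = bson_decode(buf[pos:pos + n])
            doc[key] = [sub[str(i)] for i in range(len(sub))] if t == 0x04 else sub
            pos += n
        elif t == 0x10:
            doc[key], pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        elif t == 0x12:
            doc[key], pos = struct.unpack_from("<q", buf, pos)[0], pos + 8
        elif t == 0x01:
            doc[key], pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif t == 0x08:
            doc[key], pos = buf[pos] == 1, pos + 1
        elif t in _SKIP:
            doc[key], pos = None, pos + _SKIP[t]
        else:
            raise ValueError(f"unhandled BSON type 0x{t:02x} for {key!r}")
    if pos + 1 != total:
        raise ValueError("BSON length mismatch")
    return doc

def build_op_msg(doc, request_id=1):
    """Frame a command document as an OP_MSG with one kind-0 body section."""
    body = struct.pack("<i", 0) + b"\x00" + bson_encode(doc)   # flagBits, kind 0
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_MSG) + body

def build_hello(compressors=("zlib",)):
    """The pre-authentication handshake, asking to negotiate these compressors."""
    return build_op_msg({"hello": 1, "compression": list(compressors), "$db": "admin"})

def parse_op_msg(frame):
    """Return the body document of an OP_MSG (single kind-0 section)."""
    length, _, _, opcode = struct.unpack_from("<iiii", frame, 0)
    if opcode != OP_MSG or length != len(frame) or frame[20] != 0:
        raise ValueError("not a single-section OP_MSG frame")
    return bson_decode(frame[21:])

def negotiated_compressors(reply_doc):
    """Compressors the server agreed to; a missing field means none."""
    return list(reply_doc.get("compression") or [])

def zlib_negotiable(reply_doc):
    return "zlib" in negotiated_compressors(reply_doc)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def probe(host, port=27017, timeout=5.0):
    """True if the server at host:port still negotiates zlib (placeholder target)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_hello())
        head = _recv_exact(s, 16)
        length = struct.unpack_from("<i", head, 0)[0]
        return zlib_negotiable(parse_op_msg(head + _recv_exact(s, length - 16)))
```

Run `probe("db.example.internal")` (a placeholder name) against your own servers before and after restarting them with `net.compression.compressors: snappy,zstd`: a result of `True` means the server still agrees to zlib and, if it is not yet on a fixed version, remains exposed; after the change the reply's `compression` list should no longer contain `zlib`. Because the probe exchanges exactly the unauthenticated handshake that precedes any login, it also makes concrete why the bug needs no credentials. On the server side the same setting is visible in mongosh via `db.adminCommand({ getCmdLineOpts: 1 })`, which reports `net.compression.compressors` under `parsed` when it has been set explicitly.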

The emergence of MongoBleed attacks shows that patch management remains key to enterprise defense, and highlights the ever shorter window between vulnerability disclosure and active exploitation. A 2025 analysis by Vectra.ai, along with similar research from numerous other vendors, found that the average time to exploit newly disclosed vulnerabilities fell from 63 days in 2018–2019 to just five days by 2024. Vectra.ai also found that more than 28% of all vulnerabilities are now exploited within 24 hours of disclosure. The growing use of AI in exploit development could shrink these times further, putting more pressure on security teams to respond quickly.
