The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to secure their systems against a high-severity MongoDB flaw that is actively being exploited in attacks.

Dubbed MongoBleed and tracked as CVE-2025-14847, this vulnerability was patched on December 19, 2025, and it stems from how MongoDB Server processes network packets using the zlib library for data compression.

Successful exploitation allows unauthenticated threat actors to remotely steal credentials and other sensitive data, including API and/or cloud keys, session tokens, internal logs, and personally identifiable information (PII), through low-complexity attacks that don't require user interaction.

Elastic security researcher Joe Desimone has also released a proof-of-concept (PoC) exploit that leaks sensitive memory data when targeting unpatched hosts.

On Monday, Internet security watchdog Shadowserver found over 74,000 Internet-exposed, potentially vulnerable MongoDB instances. Censys is also tracking over 87,000 IP addresses that have been fingerprinted as running possibly unpatched MongoDB versions.

According to telemetry data from the cloud security platform Wiz, which also tagged the vulnerability as exploited in the wild over the weekend, the impact across the cloud environment appears significant, as 42% of visible systems "have at least one instance of MongoDB in a version vulnerable to CVE-2025-14847."

​CISA has now confirmed Wiz's report and has added the MongoBleed security flaw to its list of vulnerabilities exploited in attacks, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their systems within three weeks, by January 19, 2026.

FCEB agencies are non-military U.S. executive branch agencies, including the Department of Homeland Security, the Department of the Treasury, the Department of Energy, and the Department of Health and Human Services.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Network defenders who can't immediately apply security patches to secure their systems are advised to disable zlib compression on the server.

A MongoBleed Detector that parses MongoDB logs and identifies potential CVE-2025-14847 exploitation is also available for admins who want to identify vulnerable servers on their networks.

MongoDB is an extremely popular non-relational database management system (DBMS) used by over 62,500 organizations worldwide, including dozens of Fortune 500 companies.