MongoBleed (CVE-2025-14847): the US, China, and the EU are among the top exploited GEOs
MongoBleed (CVE-2025-14847) is a high-severity vulnerability affecting MongoDB servers that use zlib compression; it lets an attacker leak process memory remotely. Large numbers of exposed instances were found in China, the United States, Germany and elsewhere. Cloud misconfiguration compounds the risk, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog. Published 2025-12-31, source: securityaffairs.com


Pierluigi Paganini December 31, 2025

MongoBleed (CVE-2025-14847) lets attackers remotely leak memory from unpatched MongoDB servers using zlib compression, without authentication.

A critical vulnerability, CVE-2025-14847 (MongoBleed), was disclosed right after Christmas, an unwelcome “gift” for the cybersecurity community, impacting MongoDB Server deployments that use zlib network compression.

MongoDB is a popular open-source NoSQL database used to store and manage data in a flexible, document-based format.

Instead of the tables and rows of a traditional SQL database, MongoDB stores data as JSON-like documents, serialized on disk and on the wire in a binary encoding called BSON. This makes it well-suited for modern applications that need scalability, high performance, and flexible data models.

Any MongoDB instance with zlib network compression enabled is potentially vulnerable, whether it is cloud-hosted or on-premises and whether it serves production, staging, or test workloads.

In practice this means every unpatched MongoDB Server release from 3.6 onward. The flaw is exploitable remotely and without authentication: an attacker needs only network access to the MongoDB service port (27017 by default). Both internet-exposed databases and internal instances reachable through lateral movement are therefore at risk of leaking sensitive process memory.
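Because the vulnerable code path is the server's zlib handling and the exploit needs no credentials, the first question for any instance in your estate is simply "does this server still negotiate zlib?" The script below is an added example written for this article; it is not code from Security Affairs, Resecurity or the MongoDB project, and it does not exploit the bug. It speaks the OP_MSG wire protocol directly (no driver required), sends a `hello` handshake that offers only the zlib compressor, and reports whether the server echoes `compression: ["zlib"]` back, which it does before any authentication. The message layout and the compressor-negotiation behaviour follow MongoDB's public wire-protocol and handshake documentation; the two sample replies at the bottom are constructed for offline use, not captured from a real server.

```python
"""Check whether a MongoDB server negotiates zlib compression (pre-auth handshake).

Added example for this article; not code from the article, Resecurity or MongoDB.
It builds an OP_MSG `hello` offering only zlib and tests whether the reply
echoes `compression: ["zlib"]`. Nothing here exploits CVE-2025-14847.
"""
import socket
import struct

OP_MSG = 2013  # OP_MSG opcode; the only wire opcode needed for MongoDB >= 3.6


def encode_document(items) -> bytes:
    """Encode [(key, value), ...] as BSON. Supports bool, int32, float, str and
    lists of those (a BSON array is a document keyed "0", "1", ...)."""
    body = b""
    for key, value in items:
        k = key.encode() + b"\x00"
        if isinstance(value, bool):          # must precede int: bool is an int subclass
            body += b"\x08" + k + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + k + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + k + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            body += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(value, list):
            body += b"\x04" + k + encode_document([(str(i), v) for i, v in enumerate(value)])
        else:
            raise TypeError(f"unsupported value for {key!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def decode_document(buf: bytes, pos: int = 0):
    """Decode the BSON document at buf[pos]; returns (dict, position after it).
    Handles every element type a real `hello` reply carries; others raise."""
    (length,) = struct.unpack_from("<i", buf, pos)
    end, pos, out = pos + length, pos + 4, {}
    while buf[pos] != 0:
        t, key_end = buf[pos], buf.index(b"\x00", pos + 1)
        key, pos = buf[pos + 1:key_end].decode(), key_end + 1
        if t == 0x01:    val, pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif t == 0x02:  # string: int32 byte length (incl. NUL), utf-8, NUL
            n = struct.unpack_from("<i", buf, pos)[0]
            val, pos = buf[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif t in (0x03, 0x04):  # embedded document / array
            val, pos = decode_document(buf, pos)
            if t == 0x04:
                val = [val[k] for k in sorted(val, key=int)]
        elif t == 0x05:  # binary: int32 length, subtype byte, payload
            n = struct.unpack_from("<i", buf, pos)[0]
            val, pos = buf[pos + 5:pos + 5 + n], pos + 5 + n
        elif t == 0x07:  val, pos = buf[pos:pos + 12].hex(), pos + 12   # ObjectId
        elif t == 0x08:  val, pos = buf[pos] == 1, pos + 1
        elif t in (0x09, 0x11, 0x12):  # datetime, timestamp, int64
            val, pos = struct.unpack_from("<q", buf, pos)[0], pos + 8
        elif t == 0x0A:  val = None
        elif t == 0x10:  val, pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        else:
            raise ValueError(f"unhandled BSON type 0x{t:02x} for key {key!r}")
        out[key] = val
    return out, end


def build_op_msg(doc_items, request_id: int, response_to: int = 0) -> bytes:
    """Wrap one BSON document in an OP_MSG: header, flagBits=0, one kind-0 section."""
    body = struct.pack("<I", 0) + b"\x00" + encode_document(doc_items)
    return struct.pack("<iiii", 16 + len(body), request_id, response_to, OP_MSG) + body


def build_hello_request(request_id: int = 1, command: str = "hello") -> bytes:
    """`hello` that offers only zlib. Pass command="isMaster" for servers older
    than 4.4.2, which predate `hello` but are inside the affected range."""
    return build_op_msg([(command, 1), ("$db", "admin"), ("compression", ["zlib"])], request_id)


def parse_op_msg(msg: bytes) -> dict:
    """Return the body document of an OP_MSG; reject anything else."""
    length, _, _, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_MSG or length != len(msg) or msg[20] != 0:
        raise ValueError("not an OP_MSG with a single kind-0 section")
    return decode_document(msg, 21)[0]


def negotiates_zlib(reply: dict) -> bool:
    """True when the server accepted zlib from the compressors we offered."""
    return "zlib" in reply.get("compression", [])


def probe(host: str, port: int = 27017, timeout: float = 5.0) -> bool:
    """Live check against a server you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_hello_request())
        data = b""
        while len(data) < 4 or len(data) < struct.unpack_from("<i", data, 0)[0]:
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("server closed the connection mid-reply")
            data += chunk
    return negotiates_zlib(parse_op_msg(data))


# Constructed sample replies (not captured from a real server), trimmed to a few
# representative fields, so the parser can be exercised offline.
SAMPLE_ZLIB_REPLY = build_op_msg(
    [("isWritablePrimary", True), ("maxWireVersion", 17), ("compression", ["zlib"]), ("ok", 1.0)],
    request_id=42, response_to=1)
SAMPLE_NO_COMPRESSION_REPLY = build_op_msg(
    [("isWritablePrimary", True), ("maxWireVersion", 17), ("ok", 1.0)], request_id=43, response_to=1)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(f"{sys.argv[1]}: zlib negotiated = {probe(sys.argv[1])}")
    else:
        print("sample zlib reply      ->", negotiates_zlib(parse_op_msg(SAMPLE_ZLIB_REPLY)))
        print("sample no-compression  ->", negotiates_zlib(parse_op_msg(SAMPLE_NO_COMPRESSION_REPLY)))
```

Two caveats when using this. First, a "yes" means the zlib path is reachable, not that the server is unpatched: a fixed mongod still negotiates zlib, so version tracking is still required. Second, on recent releases zlib is in the default compressor list, so an out-of-the-box mongod will answer yes; if patching has to wait, removing zlib from `net.compression.compressors` in mongod.conf (or starting with `--networkMessageCompressors disabled`, or a list without zlib) closes the path at the server, which is the only side that matters here, since the attacker controls the client.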

Based on the available telemetry, the largest numbers of exposed, vulnerable MongoDB instances were observed in the following countries and regions:

  • China: 16,576 exposed instances
  • United States: 14,486 exposed instances
  • Germany: 11,547 exposed instances
  • Hong Kong: 5,521 exposed instances
  • Singapore: 4,130 exposed instances

According to Resecurity, additional exposures were observed in India, Russia, France, Vietnam, and Indonesia, suggesting the issue is globally distributed rather than regionally isolated.

“The concentration of vulnerable MongoDB instances on large cloud and hosting providers highlights the risk of misconfiguration at scale. Attackers can rapidly enumerate and target these environments using internet-wide scanning platforms, enabling automated exploitation, data exposure, and service compromise across multiple tenants,” reads the report published by Resecurity, which also breaks down “the infrastructure and cloud providers hosting the highest number of affected systems.”


Resecurity researchers published a detailed analysis of the PoC methodology and of the leaked output, along with recommendations for mitigating the flaw.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-14847 to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation, and has given federal civilian executive branch agencies until January 19, 2026 to remediate it. The Australian Signals Directorate has likewise warned that it is aware of active exploitation of this vulnerability worldwide.





Source: https://securityaffairs.com/186338/hacking/mongobleed-cve-2025-14847-the-us-china-and-the-eu-are-among-the-top-exploited-geos.html