
MongoBleed Vulnerability in MongoDB Exploited Against Ubisoft's Rainbow Six Siege

actively-exploited-vulnerability, proof-of-concept-release, operational-disruption, mass-credential-exposure, open-source-dependency-vulnerability
Updated March 21, 2026 at 03:00 PM (2 sources)

A critical vulnerability in MongoDB, identified as CVE-2025-14847 and dubbed 'MongoBleed,' has been publicly disclosed, with a proof-of-concept (PoC) exploit released. The flaw resides in MongoDB's use of the zlib compression library, allowing unauthenticated attackers to send specially crafted messages that cause the server to leak fragments of its internal memory. This memory leak can expose sensitive data such as clear-text passwords, login keys, personal information, and security tokens, all without requiring authentication.

The impact of this vulnerability became immediately apparent when Ubisoft was forced to shut down its popular game, Rainbow Six Siege, after attackers exploited MongoBleed to compromise player accounts and internal systems. Thousands of gamers were locked out as a result, highlighting the real-world risks posed by the flaw. Security researchers have confirmed that multiple hacker groups are actively leveraging the PoC to target organizations using vulnerable MongoDB instances, emphasizing the urgent need for patching and mitigation.

Timeline

  1. Dec 29, 2025

    Ubisoft takes Rainbow Six Siege and marketplace offline

    In response to the exploitation, Ubisoft shut down Rainbow Six Siege and its marketplace to contain the breach and began working to roll back fraudulent transactions. The outage was part of the company's incident response to the MongoBleed-related compromise.

  2. Dec 29, 2025

    Attackers exploit MongoBleed against Rainbow Six Siege systems

    Multiple hacker groups exploited MongoBleed to gain unauthorized access affecting Ubisoft's Rainbow Six Siege environment. The incident led to mass account bans and unbans, fraudulent distribution of in-game currency, and unlocking of cosmetic items for players.

  3. Dec 26, 2025

    Working MongoBleed exploit PoC released

    A working proof-of-concept exploit for MongoBleed was released publicly, lowering the barrier to exploitation. Reporting said the PoC enabled unauthenticated attacks against vulnerable MongoDB deployments and was followed by a surge in attacks.

  4. Dec 19, 2025

    MongoBleed vulnerability publicly disclosed

    The MongoDB vulnerability dubbed MongoBleed, tracked as CVE-2025-14847, was publicly disclosed. The flaw was described as allowing unauthenticated attackers to access or drain memory from affected MongoDB instances via zlib-related behavior, creating denial-of-service and data-exposure risk.

Related Stories

MongoBleed Vulnerability in MongoDB and Its Exploitation Impact

A critical vulnerability, CVE-2025-14847, known as MongoBleed, has been discovered in MongoDB, allowing unauthenticated remote attackers to read uninitialized heap memory from affected servers when zlib compression is enabled. This flaw exposes sensitive in-memory data such as credentials, session tokens, and application secrets, and is present across a wide range of MongoDB versions. The vulnerability is actively being exploited, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog and warning that over 80,000 servers are at risk. The attack requires no authentication or user interaction, making it a high-severity issue for organizations using MongoDB in cloud, SaaS, and enterprise environments. The MongoBleed vulnerability has reportedly been linked to a major breach in Ubisoft's Rainbow Six Siege, where attackers exploited the flaw to manipulate in-game assets, resulting in the unauthorized distribution of billions of in-game credits and random moderation actions. Ubisoft responded by shutting down game servers and rolling back transactions, though the company has not officially confirmed MongoBleed as the root cause. The incident highlights the real-world impact of MongoDB vulnerabilities on high-profile applications and underscores the urgent need for organizations to apply mitigations and monitor for exploitation attempts.

1 month ago

Critical MongoDB and Redis Flaws Expose Data and Enable Remote Code Execution

Security advisories warned of two severe database software vulnerabilities with immediate internet-facing risk. In MongoDB, an unauthenticated network attacker can trigger an information disclosure flaw—described in some reporting as **MongoBleed**—to make a vulnerable server return sensitive data such as credentials, secrets, and personal information. The issue affects MongoDB releases dating back to about 2017 and stems from insufficient validation in the `zlib` implementation, which can leak uninitialized heap memory allocated to MongoDB. Working exploitation methods are known, and defenders were told to watch for large volumes of malformed or compressed requests, decompression or memory-handling errors, and repeated unauthenticated connections. Patches are available in versions `8.2.3`, `8.0.17`, `7.0.28`, `6.0.27`, `5.0.32`, and `4.4.30`, while end-of-life branches remain unpatched. A separate advisory disclosed a **critical Redis vulnerability** affecting `8.2.1` and earlier when Lua scripting is enabled, which is the default configuration. The flaw is a use-after-free condition that can be triggered by a specially crafted Lua script and may allow **remote arbitrary code execution**, giving an attacker full control of the host running Redis. Officials urged immediate upgrades because the vulnerability is publicly known and exploitation could begin within hours, and they advised organizations to inspect any previously exposed Redis environments for signs of compromise. Fixed versions were listed as `6.2.20`, `7.2.11`, `7.4.6`, `8.0.4`, and `8.2.2`, alongside renewed guidance that Redis instances should not be exposed directly to the public internet.

1 week ago

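
An added example (not from the advisories or from MongoDB): triaging a server inventory against the fixed MongoDB releases listed in the summary above. The host names and versions in the sample are constructed, and branches without a listed fix are flagged rather than assumed safe, since the summary says end-of-life branches remain unpatched.

```python
# Fixed release per branch, as listed in the summary above: (major, minor) -> patch.
FIXED_PATCH = {(8, 2): 3, (8, 0): 17, (7, 0): 28, (6, 0): 27, (5, 0): 32, (4, 4): 30}

# Constructed sample inventory (host names and versions are illustrative only).
SAMPLE_INVENTORY = {
    "db-prod-01": "8.0.17",
    "db-prod-02": "7.0.26",
    "db-legacy": "4.2.25",
    "db-stage": "8.2.3-rc0",
    "db-unknown": "latest",
}

def parse_version(text):
    """Parse 'major.minor.patch' with an optional '-suffix' (e.g. '-rc0')."""
    core, _, suffix = text.strip().lstrip("v").partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch, bool(suffix)

def assess(version_text):
    """Return 'patched', 'upgrade' or 'unlisted-branch' for one version string."""
    major, minor, patch, has_suffix = parse_version(version_text)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # No fixed release is listed for this branch; review it by hand.
        return "unlisted-branch"
    # A suffixed build at exactly the fixed patch level (such as a release
    # candidate) is treated conservatively as still needing the upgrade.
    if patch > fixed or (patch == fixed and not has_suffix):
        return "patched"
    return "upgrade"

def triage(inventory):
    """Map each host to its status; bad version strings become 'unparseable'."""
    report = {}
    for host, version in sorted(inventory.items()):
        try:
            report[host] = assess(version)
        except ValueError:
            report[host] = "unparseable"
    return report

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:12} {status}")
```
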
Mongobleed: Critical Unauthenticated Memory Disclosure Vulnerability in MongoDB via zlib Compression

A critical unauthenticated vulnerability (CVE-2025-14847) has been discovered in MongoDB Server, specifically related to the handling of zlib-compressed network traffic. This flaw allows remote attackers with network access to a MongoDB instance configured with compression enabled to trigger the server into returning uninitialized heap memory in its responses. The leaked memory may contain sensitive data, including fragments of previously processed information, internal state, or confidential values, and no authentication is required to exploit this issue. The vulnerability affects a wide range of MongoDB versions, including 3.6.x through 8.2.x, with patches available in versions 4.4.30, 5.0.32, 6.0.27, 7.0.28, 8.0.17, and 8.2.3. The root cause lies in the way MongoDB processes malformed zlib-compressed frames, leading to a length mismatch during decompression and the inadvertent inclusion of uninitialized memory in server responses. Given MongoDB's prevalence in cloud environments and its frequent exposure to the internet, this vulnerability poses a significant risk to organizations relying on the database for sensitive data storage and application backends.

3 months ago
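
An added example (a simplified model, not MongoDB's code and not from the advisory) of the bug class the summary above describes: a decompression length mismatch that lets stale buffer contents reach the reply. It assumes, for illustration only, that the reply length is taken from a declared size instead of from the bytes actually produced; `STALE`, `SAMPLE_PAYLOAD` and the function names are constructed.

```python
import zlib

# Constructed stand-in for whatever a reused heap buffer held before this request.
STALE = b"session_token=CONSTRUCTED-SECRET;" * 2
# Constructed sample message: a valid zlib stream that inflates to 4 bytes.
SAMPLE_PAYLOAD = zlib.compress(b"ping")

def inflate_into(payload, claimed_len):
    """Inflate into a buffer sized from the sender's declared length."""
    if not 0 < claimed_len <= len(STALE):
        raise ValueError("declared length out of range")
    # Model an uninitialised allocation: the buffer starts with old contents.
    buf = bytearray(STALE[:claimed_len])
    # max_length bounds the output so the write never exceeds the buffer.
    out = zlib.decompressobj().decompress(payload, claimed_len)
    buf[:len(out)] = out
    return buf, len(out)

def reply_flawed(payload, claimed_len):
    """Flawed pattern: reply length comes from the claim, not from the output."""
    buf, _produced = inflate_into(payload, claimed_len)
    return bytes(buf)

def reply_checked(payload, claimed_len):
    """Hardened pattern: reject any mismatch and never return unwritten bytes."""
    buf, produced = inflate_into(payload, claimed_len)
    if produced != claimed_len:
        raise ValueError(
            f"declared {claimed_len} bytes but stream produced {produced}")
    return bytes(buf[:produced])

if __name__ == "__main__":
    print(reply_flawed(SAMPLE_PAYLOAD, 4))    # honest declaration: payload only
    print(reply_flawed(SAMPLE_PAYLOAD, 24))   # mismatch: stale bytes follow payload
    try:
        reply_checked(SAMPLE_PAYLOAD, 24)
    except ValueError as err:
        print("rejected:", err)
```
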
