MongoBleed Vulnerability in MongoDB and Its Exploitation Impact
A critical vulnerability, CVE-2025-14847, known as MongoBleed, has been discovered in MongoDB, allowing unauthenticated remote attackers to read uninitialized heap memory from affected servers when zlib compression is enabled. This flaw exposes sensitive in-memory data such as credentials, session tokens, and application secrets, and is present across a wide range of MongoDB versions. The vulnerability is actively being exploited, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog and warning that over 80,000 servers are at risk. The attack requires no authentication or user interaction, making it a high-severity issue for organizations using MongoDB in cloud, SaaS, and enterprise environments.
The MongoBleed vulnerability has reportedly been linked to a major breach of Ubisoft's Rainbow Six Siege, in which attackers used backend access to manipulate in-game assets, resulting in the unauthorized distribution of billions of in-game credits and arbitrary moderation actions. Ubisoft responded by taking game servers offline and rolling back the transactions, though the company has not officially confirmed MongoBleed as the root cause. The incident illustrates the real-world impact of MongoDB vulnerabilities on high-profile applications and underscores the urgent need for organizations to apply mitigations and monitor for exploitation attempts.
Timeline
Dec 31, 2025
Nuclei template updated and validated for MongoBleed detection
On 2025-12-31, ProjectDiscovery updated its Nuclei template for CVE-2025-14847 to make detection deterministic and reduce false negatives. The maintainers said the template was validated against both vulnerable and patched hosts and noted exploitation had been observed in the wild.
Dec 31, 2025
Metasploit adds a MongoBleed scanner module
On 2025-12-31, a Metasploit pull request introduced a scanner module for CVE-2025-14847 that can test for the flaw and extract leaked memory fragments for analysis. The release made exploitation and validation easier for security teams and potentially for attackers.
Dec 30, 2025
Akamai publishes technical detection and mitigation guidance
On 2025-12-30, Akamai released technical analysis and actionable detection guidance for MongoBleed, including queries and recommendations to identify vulnerable assets. The company emphasized immediate remediation because public exploits were available and active exploitation was ongoing.
Dec 30, 2025
CISA adds MongoBleed to the KEV catalog
By 2025-12-30, CISA had added CVE-2025-14847 to its Known Exploited Vulnerabilities catalog, reflecting confirmed in-the-wild exploitation. One report said more than 80,000 servers were facing active exploitation tied to the flaw.
Dec 28, 2025
Public reporting highlights active exploitation and large exposed attack surface
By 2025-12-28, security reporting described MongoBleed as exploitable over the network without authentication and warned that mass attacks were likely as awareness increased. Subsequent reporting indicated public exploits were available and that more than 200,000 internet-exposed MongoDB instances were potentially at risk.
Dec 27, 2025
Ubisoft shuts down servers and rolls back illicit Rainbow Six Siege transactions
After the 2025-12-27 breach, Ubisoft responded by taking servers offline, rolling back unauthorized transactions, and telling players they would not be punished for spending illicitly issued credits. As of the reporting, the company had not published a full post-incident analysis or restoration timeline.
Dec 27, 2025
Ubisoft's Rainbow Six Siege breached via suspected MongoBleed exploitation
On 2025-12-27, Rainbow Six Siege suffered a major breach that allegedly exploited MongoBleed to gain backend access. Attackers distributed billions of in-game credits and items and manipulated moderation systems, with estimated impact exceeding $13 million in virtual currency.
Dec 19, 2025
Patches and mitigations released for affected MongoDB versions
Following disclosure, patched MongoDB releases were made available for the supported branches, and defenders were advised to upgrade or, as a temporary mitigation, disable zlib compression on the server (the compressor list is controlled by the `net.compression.compressors` setting in mongod.conf). Guidance also recommended network segmentation and monitoring for decompression errors and unusual volumes of compressed or malformed traffic.
Dec 19, 2025
MongoBleed vulnerability disclosed in MongoDB
On 2025-12-19, CVE-2025-14847, dubbed MongoBleed, was disclosed as a critical unauthenticated memory disclosure flaw in MongoDB's handling of zlib-compressed messages. The issue affected a broad range of MongoDB versions and exposed sensitive memory contents such as credentials, tokens, and API keys.
Related Stories

MongoBleed Vulnerability in MongoDB Exploited Against Ubisoft's Rainbow Six Siege
A critical vulnerability in MongoDB, identified as CVE-2025-14847 and dubbed 'MongoBleed,' has been publicly disclosed, with a proof-of-concept (PoC) exploit released. The flaw resides in MongoDB's use of the `zlib` compression library, allowing unauthenticated attackers to send specially crafted messages that cause the server to leak fragments of its internal memory. This memory leak can expose sensitive data such as clear-text passwords, login keys, personal information, and security tokens, all without requiring authentication. The impact of this vulnerability became immediately apparent when Ubisoft was forced to shut down its popular game, Rainbow Six Siege, after attackers exploited MongoBleed to compromise player accounts and internal systems. Thousands of gamers were locked out as a result, highlighting the real-world risks posed by the flaw. Security researchers have confirmed that multiple hacker groups are actively leveraging the PoC to target organizations using vulnerable MongoDB instances, emphasizing the urgent need for patching and mitigation.
1 month ago
Mongobleed: Critical Unauthenticated Memory Disclosure Vulnerability in MongoDB via zlib Compression
A critical unauthenticated vulnerability (CVE-2025-14847) has been discovered in MongoDB Server, specifically related to the handling of zlib-compressed network traffic. This flaw allows remote attackers with network access to a MongoDB instance configured with compression enabled to trigger the server into returning uninitialized heap memory in its responses. The leaked memory may contain sensitive data, including fragments of previously processed information, internal state, or confidential values, and no authentication is required to exploit this issue. The vulnerability affects a wide range of MongoDB versions, including 3.6.x through 8.2.x, with patches available in versions 4.4.30, 5.0.32, 6.0.27, 7.0.28, 8.0.17, and 8.2.3. The root cause lies in the way MongoDB processes malformed zlib-compressed frames, leading to a length mismatch during decompression and the inadvertent inclusion of uninitialized memory in server responses. Given MongoDB's prevalence in cloud environments and its frequent exposure to the internet, this vulnerability poses a significant risk to organizations relying on the database for sensitive data storage and application backends.
3 months ago
Critical MongoDB and Redis Flaws Expose Data and Enable Remote Code Execution
Security advisories warned of two severe database software vulnerabilities with immediate internet-facing risk. In MongoDB, an unauthenticated network attacker can trigger an information disclosure flaw—described in some reporting as **MongoBleed**—to make a vulnerable server return sensitive data such as credentials, secrets, and personal information. The issue affects MongoDB releases dating back to about 2017 and stems from insufficient validation in the `zlib` implementation, which can leak uninitialized heap memory allocated to MongoDB. Working exploitation methods are known, and defenders were told to watch for large volumes of malformed or compressed requests, decompression or memory-handling errors, and repeated unauthenticated connections. Patches are available in versions `8.2.3`, `8.0.17`, `7.0.28`, `6.0.27`, `5.0.32`, and `4.4.30`, while end-of-life branches remain unpatched. A separate advisory disclosed a **critical Redis vulnerability** affecting `8.2.1` and earlier when Lua scripting is enabled, which is the default configuration. The flaw is a use-after-free condition that can be triggered by a specially crafted Lua script and may allow **remote arbitrary code execution**, giving an attacker full control of the host running Redis. Officials urged immediate upgrades because the vulnerability is publicly known and exploitation could begin within hours, and they advised organizations to inspect any previously exposed Redis environments for signs of compromise. Fixed versions were listed as `6.2.20`, `7.2.11`, `7.4.6`, `8.0.4`, and `8.2.2`, alongside renewed guidance that Redis instances should not be exposed directly to the public internet.
1 week ago
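The disclosure entry in the timeline and the "Mongobleed: Critical Unauthenticated Memory Disclosure" story above both describe the root cause as a length mismatch during decompression: the server sizes its output buffer from a length the client declares, the zlib stream yields fewer bytes, and the untouched remainder of the buffer (uninitialized heap) is sent back. The following is an added example, not MongoDB code and not the page's, that models that bug class on a simplified frame layout (a 4-byte little-endian declared size followed by a zlib stream; this layout, the `STALE_HEAP` contents, and the `MAX_DECLARED` cap are all assumptions for illustration, not MongoDB's wire format). It shows the trusting decompressor leaking stale buffer contents beside a checked version that rejects any frame whose declared size does not match what the stream actually produces.

```python
"""Added example: the decompression length-mismatch bug class behind MongoBleed.
Not MongoDB code; the frame layout and sample data below are constructed."""
import struct
import zlib

# Constructed stand-in for what a recycled heap buffer might still contain.
STALE_HEAP = (
    b"\x00" * 16
    + b"authSource=admin&user=app&password=hunter2 "
    + b"session=7f3a9c1e "
    + b"\x00" * 16
)
MAX_DECLARED = 48 * 1024 * 1024  # upper bound on a declared size (assumption)


def recycled_buffer(n: int) -> bytearray:
    """Model malloc() returning memory whose previous contents were not cleared."""
    reps = n // len(STALE_HEAP) + 1
    return bytearray((STALE_HEAP * reps)[:n])


def build_frame(payload: bytes, declared_size: int = -1) -> bytes:
    """Simplified frame (assumption): uint32 LE declared uncompressed size || zlib stream.
    A negative declared_size means 'declare the true length'; an attacker-controlled
    value larger than the payload is what triggers the leak."""
    size = len(payload) if declared_size < 0 else declared_size
    return struct.pack("<I", size) + zlib.compress(payload)


def decompress_trusting_header(frame: bytes) -> bytes:
    """Vulnerable pattern: allocate to the declared size, copy in whatever the
    stream yields, and return the whole buffer, stale tail included."""
    (declared,) = struct.unpack("<I", frame[:4])
    out = recycled_buffer(declared)
    produced = zlib.decompress(frame[4:])
    n = min(len(produced), declared)
    out[:n] = produced[:n]
    return bytes(out)


def decompress_checked(frame: bytes) -> bytes:
    """Hardened pattern: bound the declared size, decompress at most one byte
    more than that, and require the stream to produce exactly the declared
    length with nothing left over."""
    (declared,) = struct.unpack("<I", frame[:4])
    if not 1 <= declared <= MAX_DECLARED:
        raise ValueError(f"rejecting declared size {declared}")
    d = zlib.decompressobj()
    # max_length = declared + 1 makes an over-long stream visible as a mismatch.
    produced = d.decompress(frame[4:], declared + 1)
    if len(produced) != declared or not d.eof or d.unused_data:
        raise ValueError("declared size does not match decompressed length")
    return produced


def leaked_bytes(frame: bytes) -> bytes:
    """Bytes the trusting path returns beyond what the stream actually produced."""
    produced = zlib.decompress(frame[4:])
    return decompress_trusting_header(frame)[len(produced):]


def rejects(frame: bytes) -> bool:
    """True if the checked decompressor refuses the frame."""
    try:
        decompress_checked(frame)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = b'{"ping":1}'
    honest = build_frame(payload)
    oversized = build_frame(payload, declared_size=96)
    print("checked, honest frame:", decompress_checked(honest))
    print("trusting, oversized frame leaks:", leaked_bytes(oversized))
    print("checked rejects oversized frame:", rejects(oversized))
```

The honest frame decompresses identically on both paths. The oversized frame makes the trusting path return 86 bytes it never decompressed, including the stale `password=hunter2` fragment, while the checked path raises. The same check also rejects a frame that declares fewer bytes than the stream produces, which would otherwise truncate the message silently.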