MongoBleed Emergency: 87,000 Databases Leaking Secrets as Hackers Bypass Login
U.S. and Australian cybersecurity authorities have confirmed that hackers are already exploiting a newly disclosed vulnerability in MongoDB-based data storage systems. The issue surfaced over the holiday period and quickly drew expert attention, as it opens a pathway to the leakage of sensitive information from databases.
The flaw in question is CVE-2025-14847. MongoDB disclosed it on December 15 and released a patch on December 19, but on December 25 a well-known researcher published working exploit code. From that point, events unfolded in familiar fashion: once a public exploit appears, attack attempts typically surge—and according to official warnings, that is precisely what has happened.
On December 29, CISA added the vulnerability to its catalog of actively exploited flaws and ordered U.S. federal civilian agencies to apply fixes by January 19. The agency did not specify what additional measures are being taken to protect potentially affected organizations or users. The Australian Cyber Security Centre also issued an alert, stating that it is aware of active exploitation of the vulnerability worldwide.
Researchers report that the issue affects a broad range of MongoDB database versions. The flaw has already acquired the informal name “MongoBleed,” echoing a series of high-profile vulnerabilities in recent years whose names emphasized the notion of data “leakage.”
Researcher Eric Capuano described the attack mechanics in plain terms: an attacker establishes a massive number of rapid connections to a server—potentially tens of thousands per minute. These connections probe the system for memory leaks, after which the attacker aggregates the exposed fragments to reconstruct sensitive data.
Rapid7 notes that the danger lies in the fact that, under certain conditions, the vulnerability provides a path to access that bypasses authentication mechanisms. This is especially critical for deployments that, whether through misconfiguration or oversight, are exposed to the internet. Wiz estimates that 42 percent of cloud environments contain at least one MongoDB instance running a vulnerable version, and its researchers have confirmed that many internet-accessible systems can indeed be exploited. Censys reports observing roughly 87,000 potentially vulnerable instances worldwide, while the Shadowserver Foundation cites a figure of 74,854.
According to Rapid7, the combination of widespread exposure and ease of exploitation has historically almost always led to a rapid wave of abuse. In their assessment, the most likely scenario now is not targeted, bespoke attacks, but broad automated scanning of the internet for vulnerable servers and attempts to extract as much data as possible wherever access is gained. MongoDB is used virtually everywhere—from startups and SaaS platforms to large enterprises and government agencies—so the ultimate impact depends largely on how diligently each organization patches and configures its databases.
Concerns have been further amplified by independent confirmation of active exploitation. Kevin Beaumont tested the published exploit code and reported that it can be used to extract database passwords, AWS secret keys, and other sensitive information commonly found in application memory or environment variables.
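A defender-side check that follows from the connection-burst mechanics described above, added here as an example that is not from the article or from any vendor it cites: it parses log lines in the shape of MongoDB's JSON log format ("Connection accepted" events from the NETWORK component) and flags sources whose connection count inside a sliding window is far above normal. The log lines are constructed for the example, and the 100-per-minute threshold is an assumed starting point to tune per deployment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def parse_accepts(lines):
    """Yield (timestamp, source_ip) for each 'Connection accepted' event; skip the rest."""
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("c") != "NETWORK" or rec.get("msg") != "Connection accepted":
            continue
        ts = datetime.strptime(rec["t"]["$date"], "%Y-%m-%dT%H:%M:%S.%f%z")
        yield ts, rec["attr"]["remote"].rsplit(":", 1)[0]  # drop the client port

def burst_sources(lines, window_seconds=60, threshold=100):
    """Return {ip: peak} for sources whose connections inside any sliding window
    reach `threshold` (an assumed starting value; tune it per deployment)."""
    per_ip = defaultdict(list)
    for ts, ip in parse_accepts(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() >= window_seconds:  # slide window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def _accept(ts, ip, port):
    """One constructed log line in the shape of MongoDB's JSON log format."""
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "+00:00"
    return json.dumps({"t": {"$date": stamp}, "s": "I", "c": "NETWORK", "id": 22943,
                       "ctx": "listener", "msg": "Connection accepted",
                       "attr": {"remote": f"{ip}:{port}", "connectionId": port}})

# Constructed sample: a quiet application server, a source opening 300
# connections in 30 seconds, and a non-JSON line the parser must skip.
_base = datetime(2025, 12, 26, 3, 0, 0)
SAMPLE_LOG = [_accept(_base + timedelta(seconds=12 * i), "10.0.0.5", 40000 + i) for i in range(5)]
SAMPLE_LOG += [_accept(_base + timedelta(milliseconds=100 * i), "198.51.100.7", 50000 + i)
               for i in range(300)]
SAMPLE_LOG.append("2025-12-26T03:00:00 plain-text line, not JSON")

print(burst_sources(SAMPLE_LOG))  # {'198.51.100.7': 300}
```

A flagged source is a signal to investigate, not proof of exploitation; the same check applied to a deployment that should never accept connections from the internet is also a quick way to find exposure the article warns about.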