CISA has flagged a serious security issue affecting MongoDB Server and confirmed that it is being actively abused by attackers. The flaw has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, which means it is being used in real-world attacks.
About the Vulnerability – CVE-2025-14847
The issue is tracked as CVE-2025-14847 and impacts MongoDB Server. Due to a flaw in how the server processes Zlib-compressed protocol headers, attackers can read parts of system memory that should not be accessible.
The attack does not require authentication, allowing remote users to interact directly with vulnerable MongoDB instances.
Key Details
- CVE ID: CVE-2025-14847
- Affected Software: MongoDB Server
- Weakness Type: Improper handling of length parameter inconsistency
- CWE Reference: CWE-130
- Attack Method: Unauthenticated remote access
- Impact: Exposure of uninitialized memory data
Because no login is required, attackers can target exposed MongoDB servers directly. Access to uninitialized memory may lead to leakage of sensitive information and could help attackers plan further compromise.
CISA confirmed active exploitation and added the issue to the KEV catalog on December 29, 2025, signaling elevated risk.
Under CISA’s Binding Operational Directive (BOD) 22-01, U.S. federal agencies must address the issue by January 19, 2026, either by applying fixes or stopping the use of affected systems.
Recommendations
Organizations running MongoDB Server should update to the latest patched version provided by MongoDB as soon as possible. If patching is not immediately feasible, access to MongoDB services should be restricted and closely monitored.
Security teams should review network exposure, look for unusual activity related to MongoDB services, and follow CISA guidance for known exploited vulnerabilities.
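As an added example (not from the advisory and not MongoDB's own tooling), a small Python audit of a mongod.conf that flags the two conditions the recommendations above concern: a bind address reachable from any network, and the zlib compressor (the code path this flaw sits in) being enabled. The sample config is constructed, and parse_conf and audit_conf are my own helper names.

```python
# Added example: audit a mongod.conf for network exposure and zlib compressor use.
# Constructed sample config; helper names are my own, not MongoDB's.
SAMPLE_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface
  compression:
    compressors: snappy,zstd,zlib
"""


def parse_conf(text):
    # Handles nested `key: value` mappings and '#' comments, the subset mongod.conf
    # normally uses (no block lists, no quoted strings, no IPv6 literals).
    root = {}
    stack = [(-1, root)]                    # (indent, mapping) for open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:       # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    net = parse_conf(text).get("net", {})
    findings = []
    # mongod binds to 127.0.0.1 unless told otherwise; 0.0.0.0, '::' or bindIpAll
    # expose the unauthenticated wire-protocol parser on every network interface.
    bind = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll") == "true" or any(ip in ("0.0.0.0", "::") for ip in bind):
        findings.append("net.bindIp: server listens on all interfaces; restrict it")
    # Inventory only: the advisory does not say that removing zlib mitigates the flaw.
    comp = net.get("compression", {}).get("compressors", "snappy,zstd,zlib")  # server default
    if "zlib" in [c.strip() for c in comp.split(",")]:
        findings.append("zlib compressor enabled: Zlib-compressed header path is reachable")
    return findings


if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print("FINDING:", finding)
```

A clean result (empty list) from audit_conf only means these two conditions are absent; patching to the fixed MongoDB release remains the actual remediation.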