Kevin BeaumontDec 26

Merry Christmas to everybody, except that dude who works for Elastic, who decided to drop an unauthenticated exploit for MongoDB on Christmas Day, that leaks memory and automates harvesting secrets (e.g. database passwords)

CVE-2025-14847 aka MongoBleed

Exp: https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

This one is incredibly widely internet facing and will very likely see mass exploitation and impactful incidents

Impacts every MongoDB version going back a decade.

Shodan dork: product:"MongoDB"

Show threadKevin BeaumontDec 26
The exploit is real and works, you can just run it and target specific offsets and/or keep running it until you get AWS secrets and such.
Show threadKevin BeaumontDec 26
I did a quick write up: https://doublepulsar.com/merry-christmas-day-have-a-mongodb-security-incident-9537f54289eb
Merry Christmas Day! Have a MongoDB security incident.

Somebody from Elastic Security decided to post an exploit for CVE-2025–14847 on Christmas Day.

Medium
linux_girlDec 28
Show threadKevin Beaumont
There’s a great blog on detecting MongoBleed exploitation via Velociraptor https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847
Hunting MongoBleed (CVE-2025-14847)

Detecting CVE-2025-14847 Exploitation with Velociraptor

Eric’s Substack
Dec 27 at 5:34amWeb
Show threadKevin BeaumontDec 27
I set up a honeypot for MongoBleed on a legit MongoDB instance, yolo and all that.
Show threadKevin BeaumontDec 27
Just checked in on my MongoDB honeypot, it's had a few hundred MongoBleed attempts from 7 IPs so far.
Show threadKevin BeaumontDec 27
One of the IPs in the honeypot is a ransomware/extortion group, they are blasting the internet. I have a capture of the traffic, it's an exact match to the mongobleed.py exploit by joe (it doesn't match a normal connect as it's invalidly formatted session).
Show threadKevin BeaumontDec 28

So @cyb3rops has made a MongoBleed log detection tool https://github.com/Neo23x0/mongobleed-detector

I’ve tried it and it works on a pwned server.

GitHub - Neo23x0/mongobleed-detector: Detection Script for MongoBleed Exploitation

Detection Script for MongoBleed Exploitation. Contribute to Neo23x0/mongobleed-detector development by creating an account on GitHub.

GitHub
Show threadKevin BeaumontDec 29

A Christmas lesson:

Cyber people probably shouldn't post full chain exploits which automate stealing secrets on Christmas Day for new vulns in direct competitor products.

I mean, people can post whatever they want.. it would just be nice to have a holiday with family and all, rather than arming teenagers.

Show threadKevin BeaumontDec 29
MongoBleed’s been added to CISA KEV. https://mastodon.social/@cisakevtracker/115804868181877648
Show threadKevin BeaumontDec 29

If anybody is wondering on honeypot activity, lots.

More worrying is the real world incidents, two at large orgs I know of so far where attackers have gained access to internal DevOps systems using stolen creds used on MongoDB systems. In both cases it’s Advanced Persistent Teenagers.

Show threadKevin BeaumontDec 30

MongoDB have a blog out about #MongoBleed

Notably:

- Internal find at MongoDB

- they notified customers of the issue and patch availability on December 23rd

- A security vendor published technical details on December 24th, Christmas Eve

- Somebody at Elastic, a direct competitor, published an exploit with full secret extraction feature on December 25th, Christmas Day

That was an impossible situation for orgs - the security industry poured fire on them and set their own customers on fire.

Show threadArazilDec 30
@GossiTheDog With security vendors like that, who needs enemies? 🙄 
Show threadI love this, so IDec 30
@GossiTheDog and this right here is why I left IT security - security vendors dropping trou and taking a massive steaming shit on their competitors products while screaming LOOK AT ME IM DOING A SECURITY!!!
Show threadMatt PalmerDec 30
@GossiTheDog I feel like there's enough data on what happens as soon as a patch drops, from what has happened every previous time, that the consequences of Mongo dropping a patch on the 23rd were pretty easy to predict.
Show threadTom WestmacottDec 30
@GossiTheDog a link https://www.mongodb.com/company/blog/news/mongodb-server-security-update-december-2025 , because google wasn't helpful.
MongoDB Server Security Update, December 2025

The following is an update on the security vulnerability identified in December 2025.

MongoDB
Show threadCavDec 30
@GossiTheDog dammmmiitt
Show threadRootWyrm 🇺🇦Dec 30

@GossiTheDog

> Somebody at Elastic, a direct competitor, published an exploit with full secret extraction feature on December 25th, Christmas Day

Which means if you're doing business with Elastic, you're doing business with someone who will intentionally and deliberately risk or outright destroy their own customers for completely imagined gains.

But as we have seen, having anything resembling ethics, morals, or a conscience is treated as a 'weakness.'

Show thread Dec 31

@GossiTheDog elastic need a kicking tbh

Also which security vendor?

Show threadcognitively accessible mathDec 29
@GossiTheDog I want to hire them. Time for some Robyn Hud exploits.
Show threadVessOnSecurityDec 29
@GossiTheDog Only 9 attempts observed by my honeypot so far, with one of them giving up after only 5 consecutive connections (another tried 41 times - the maximum so far):
Show threadKevDec 29
@GossiTheDog “do unto others…”
Show threadVessOnSecurityDec 29

@kevred @GossiTheDog Maxim #13. Full stop at the end, not elipsis.

https://schlockmercenary.fandom.com/wiki/The_Seventy_Maxims_of_Maximally_Effective_Mercenaries

The Seventy Maxims of Maximally Effective Mercenaries

The Seventy Maxims of Maximally Effective Mercenaries is a popular handbook in the Schlock Mercenary universe. The book's maxims are often quoted by Tagon, as well as other characters. The following is a list of the maxims found in Schlock Mercenary, ordered by maxim number. 1. Pillage, then burn.[1] 2. A Sergeant in motion outranks a Lieutenant who doesn't know what's going on.[2] 3. An ordnance technician at a dead run outranks everybody.[3] 4. Close air support covers a multitude of...

Schlock Mercenary Wiki
Show threadKevDec 29
@bontchev never ‘eard of ‘er.
Show threadJPDec 29
@bontchev Maybe just let people post what they want…
Show threadtehfishmanDec 29

@GossiTheDog what's wild to me is the comment ratio on the GitHub issue where someone calls them out for being a dick. Maybe disproportionately edgy teens? I know there are cyber people who think this is fine, but I hope that's not representative of the broad industry stance else I'm surrounded by a lot more misanthropes than I thought

https://github.com/joe-desimone/mongobleed/issues/4

Very shitty time to release this · Issue #4 · joe-desimone/mongobleed

Very shitty time to release this. Just my 2 cents.

GitHub
Show threadDJGummikuhDec 27
@GossiTheDog I am sincerely surprised you can trace back an IP to a ransomware group, I'd expect them to be more careful to protect their Identity when trying out a new exploit. I mean, essentially they're giving away their game, especially when they are iterating, since their IPs are (as can be seen) scrutinized more than other's
Show threadLowlandsDec 29
@GossiTheDog can you share the IPs you've seen used?
Show threadJernej Simončič �Dec 27
@GossiTheDog Just saw this posted on Discord:
Show threadthe vessel of morgannaDec 27
@jernej__s @GossiTheDog lmao
Show threadlp0 on fire Dec 28
@jernej__s @GossiTheDog, the person who wrote that has been influenced by the Department of Redundancy Department: “for awhile” = “for for a while”.
Show threadHeliographDec 27
@GossiTheDog  thanks for fetching those 
Show threadVessOnSecurityDec 27

@GossiTheDog None here. (If I understand correctly, using the exploit would generate many connections and nothing else.) Not even authentication attempts. Just a few IPs running commands (buildinfo, listDatabases, ismaster, etc.) without prior authentication.

They seem to be looking for databases exposed to the Internet and not protected in any way? Unless something's wrong with the honeypot...