Mastodawn

Merry Christmas to everybody, except that dude who works for Elastic, who decided to drop an unauthenticated exploit for MongoDB on Christmas Day, that leaks memory and automates harvesting secrets (e.g. database passwords)

CVE-2025-14847 aka MongoBleed

Exp: https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

This one is incredibly widely internet facing and will very likely see mass exploitation and impactful incidents

Impacts every MongoDB version going back a decade.

Shodan dork: product:"MongoDB"

Show thread

Kevin Beaumont Dec 26

The exploit is real and works, you can just run it and target specific offsets and/or keep running it until you get AWS secrets and such.

Show thread

Kevin Beaumont Dec 26

I did a quick write up: https://doublepulsar.com/merry-christmas-day-have-a-mongodb-security-incident-9537f54289eb

Merry Christmas Day! Have a MongoDB security incident.

Somebody from Elastic Security decided to post an exploit for CVE-2025–14847 on Christmas Day.

Medium

Show thread

Kevin Beaumont Dec 27

There’s a great blog on detecting MongoBleed exploitation via Velociraptor https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847

Hunting MongoBleed (CVE-2025-14847)

Detecting CVE-2025-14847 Exploitation with Velociraptor

Eric’s Substack

Show thread

Kevin Beaumont Dec 27

I set up a honeypot for MongoBleed on a legit MongoDB instance, yolo and all that.

Show thread

Kevin Beaumont Dec 27

Just checked in on my MongoDB honeypot, it's had a few hundred MongoBleed attempts from 7 IPs so far.

Show thread

Jernej Simončič �Dec 27

@GossiTheDog Just saw this posted on Discord:

Show thread

lp0 on fire

@jernej__s @GossiTheDog, the person who wrote that has been influenced by the Department of Redundancy Department: “for awhile” = “for for a while”.