Kevin BeaumontDec 26

Merry Christmas to everybody, except that dude who works for Elastic, who decided to drop an unauthenticated exploit for MongoDB on Christmas Day, that leaks memory and automates harvesting secrets (e.g. database passwords)

CVE-2025-14847 aka MongoBleed

Exp: https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

This one is incredibly widely internet facing and will very likely see mass exploitation and impactful incidents

Impacts every MongoDB version going back a decade.

Shodan dork: product:"MongoDB"

Show threadKevin BeaumontDec 26
The exploit is real and works, you can just run it and target specific offsets and/or keep running it until you get AWS secrets and such.
Show threadKevin BeaumontDec 26
I did a quick write up: https://doublepulsar.com/merry-christmas-day-have-a-mongodb-security-incident-9537f54289eb
Merry Christmas Day! Have a MongoDB security incident.

Somebody from Elastic Security decided to post an exploit for CVE-2025–14847 on Christmas Day.

Medium
Show threadKevin BeaumontDec 27
There’s a great blog on detecting MongoBleed exploitation via Velociraptor https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847
Hunting MongoBleed (CVE-2025-14847)

Detecting CVE-2025-14847 Exploitation with Velociraptor

Eric’s Substack
Show threadKevin BeaumontDec 27
I set up a honeypot for MongoBleed on a legit MongoDB instance, yolo and all that.
Show threadKevin BeaumontDec 27
Just checked in on my MongoDB honeypot, it's had a few hundred MongoBleed attempts from 7 IPs so far.
Show threadKevin BeaumontDec 27
One of the IPs in the honeypot is a ransomware/extortion group, they are blasting the internet. I have a capture of the traffic, it's an exact match to the mongobleed.py exploit by joe (it doesn't match a normal connect as it's invalidly formatted session).
Show threadKevin BeaumontDec 28

So @cyb3rops has made a MongoBleed log detection tool https://github.com/Neo23x0/mongobleed-detector

I’ve tried it and it works on a pwned server.

GitHub - Neo23x0/mongobleed-detector: Detection Script for MongoBleed Exploitation

Detection Script for MongoBleed Exploitation. Contribute to Neo23x0/mongobleed-detector development by creating an account on GitHub.

GitHub
Show threadKevin BeaumontDec 29

A Christmas lesson:

Cyber people probably shouldn't post full chain exploits which automate stealing secrets on Christmas Day for new vulns in direct competitor products.

I mean, people can post whatever they want.. it would just be nice to have a holiday with family and all, rather than arming teenagers.

Show threadKev
@GossiTheDog “do unto others…”
Dec 29 at 11:18amIceCubesApp
Show threadVessOnSecurityDec 29

@kevred @GossiTheDog Maxim #13. Full stop at the end, not elipsis.

https://schlockmercenary.fandom.com/wiki/The_Seventy_Maxims_of_Maximally_Effective_Mercenaries

The Seventy Maxims of Maximally Effective Mercenaries

The Seventy Maxims of Maximally Effective Mercenaries is a popular handbook in the Schlock Mercenary universe. The book's maxims are often quoted by Tagon, as well as other characters. The following is a list of the maxims found in Schlock Mercenary, ordered by maxim number. 1. Pillage, then burn.[1] 2. A Sergeant in motion outranks a Lieutenant who doesn't know what's going on.[2] 3. An ordnance technician at a dead run outranks everybody.[3] 4. Close air support covers a multitude of...

Schlock Mercenary Wiki
Show threadKevDec 29
@bontchev never ‘eard of ‘er.
Show threadJPDec 29
@bontchev Maybe just let people post what they want…