
MongoBleed (CVE-2025-14847): the US, China, and the EU are among the top exploited GEOs


MongoBleed (CVE-2025-14847) lets attackers remotely leak memory from unpatched MongoDB servers using zlib compression, without authentication.

A critical vulnerability, CVE-2025-14847 (MongoBleed), was disclosed right after Christmas, an unwelcome “gift” for the cybersecurity community, impacting MongoDB Server deployments that use zlib network compression.

MongoDB is a popular open-source NoSQL database used to store and manage data in a flexible, document-based format.

Instead of tables and rows like traditional SQL databases, MongoDB stores data as JSON-like documents (called BSON). This makes it well-suited for modern applications that need scalability, high performance, and flexible data models.

Any internet-facing MongoDB instance, whether cloud-hosted or on-premises, including production, staging, or test environments, with zlib compression enabled is potentially vulnerable.

In practice, this affects all unpatched MongoDB versions from 3.6 onward. The vulnerability can be exploited remotely and without authentication, so an attacker needs only network access to the MongoDB service port. As a result, both internet-exposed databases and internal instances reachable through lateral movement are at risk of leaking sensitive process memory.
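The two exposure conditions the article names (zlib network compression enabled, and the service reachable beyond localhost) can be triaged straight from a server's mongod.conf. The following is an added example, not code from the article or from MongoDB; it assumes the standard `net.compression.compressors` and `net.bindIp` keys and parses the key/value subset of YAML that mongod.conf uses, so it needs no PyYAML. When `compressors` is absent, the server uses a build-dependent default, so the script reports "verify" rather than assuming it is safe.

```python
"""Triage a mongod.conf for the MongoBleed (CVE-2025-14847) exposure conditions.
Added example, not from the article or MongoDB. Only the nested key: value
subset of YAML is handled (no lists or quoting), which is what mongod.conf uses."""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_simple_yaml(text: str) -> dict:
    """Indentation-aware parser for nested 'key: value' mappings."""
    root: dict = {}
    stack = [(-1, root)]                      # (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:         # climb back to the right parent
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:                                 # a key with no value opens a sub-map
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def assess_mongobleed_exposure(conf_text: str) -> dict:
    """Return the zlib state, the bind addresses and whether both risk conditions hold."""
    net = parse_simple_yaml(conf_text).get("net", {})
    compressors = net.get("compression", {}).get("compressors")
    if compressors is None:
        # Assumption: an absent key means the server's built-in default applies,
        # which may include zlib, so flag it for manual verification.
        zlib = "verify"
    else:
        zlib = "enabled" if "zlib" in [c.strip() for c in compressors.split(",")] else "disabled"
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]  # mongod default: localhost
    reachable = net.get("bindIpAll") == "true" or any(a not in LOOPBACK for a in addrs)
    return {"zlib": zlib, "bind_addresses": addrs,
            "reachable_beyond_localhost": reachable,
            "in_scope": zlib != "disabled" and reachable}


# Constructed sample configs (not taken from any real deployment).
EXPOSED_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n  compression:\n    compressors: snappy,zstd,zlib\n"
HARDENED_CONF = "net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5\n  compression:\n    compressors: snappy,zstd\n"

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess_mongobleed_exposure(conf))
```

An `in_scope` result means the host matches the article's exposure criteria and should be patched first; it does not by itself confirm the build is vulnerable, which still needs the server version checked against MongoDB's fixed releases.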

Based on the available telemetry, the highest numbers of exposed vulnerable MongoDB instances were observed in the following countries:

  • China: 16,576 exposed instances
  • United States: 14,486 exposed instances
  • Germany: 11,547 exposed instances
  • Hong Kong: 5,521 exposed instances
  • Singapore: 4,130 exposed instances

[Chart: exposed vulnerable MongoDB instances by country]

According to Resecurity, additional exposures were observed in India, Russia, France, Vietnam, and Indonesia, suggesting the issue is globally distributed rather than regionally isolated.

“The concentration of vulnerable MongoDB instances on large cloud and hosting providers highlights the risk of misconfiguration at scale. Attackers can rapidly enumerate and target these environments using internet-wide scanning platforms, enabling automated exploitation, data exposure, and service compromise across multiple tenants,” reads the report published by Resecurity. “The infrastructure and cloud providers hosting the highest number of affected systems.”

[Chart: infrastructure and cloud providers hosting the highest number of affected systems]

Resecurity researchers published a detailed analysis of the PoC methodology and the leaked output, along with recommendations for mitigating the issue.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-14847 to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The Australian Signals Directorate similarly warned that it is aware of active global exploitation of this vulnerability. According to CISA, all federal civilian executive branch agencies must remediate CVE-2025-14847 by Jan. 19.


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)