Warning: Active Exploitation of Critical MongoDB Vulnerability (CVE-2025-14847), PoC available; Patch Immediately!

Published: 30/12/2025
  • Last update: 30/12/2025
  • Affected software: MongoDB Server
  • Type: Improper Handling of Length Parameter Inconsistency (CWE-130)
  • CVE/CVSS
    → CVE-2025-14847: CVSS 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

Sources

GitHub - https://github.com/joe-desimone/mongobleed
NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-14847
OX Security - https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/

Risks

Threat actors are actively exploiting a critical, unauthenticated remote memory leak vulnerability in MongoDB (CVE-2025-14847). With a public Proof-of-Concept (PoC) available, the barrier to entry for exploitation is low. Immediate patching or network isolation of MongoDB instances is required to prevent the unauthorised disclosure of sensitive data, including credentials and API keys.

MongoDB is a non-relational (document) database used across a wide range of environments. The vulnerability lies in the server's handling of zlib-compressed wire-protocol messages, a feature negotiated with clients at connection time, and allows an attacker to leak server memory by sending specially crafted network packets. As a result, a remote attacker with network access to a vulnerable MongoDB instance can read sensitive information from the server's process memory before authenticating.

Description

CVE-2025-14847 stems from a logic flaw in MongoDB Server's zlib decompression of compressed wire-protocol messages (OP_COMPRESSED). The decompression routine returns the size of the output buffer it allocated instead of the number of bytes zlib actually wrote into it. An OP_COMPRESSED header carries a client-supplied uncompressedSize field; by inflating that field well beyond the real size of the compressed payload, an attacker makes the server allocate an output buffer far larger than needed. Decompression fills only the initial portion of that buffer with the attacker's (valid) message and leaves the rest untouched, so the trailing space still holds whatever previously occupied that heap memory in the server process itself (not in other processes): residual data such as credentials and session information from other connections. Because the server trusts the reported length, it treats the whole buffer as the received message, and the stale bytes are returned to the attacker in the server's response, disclosing server memory without any authentication.
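The length confusion described above, as an added example (not MongoDB's code and not part of the CCB advisory): it builds a MongoDB OP_COMPRESSED message whose uncompressedSize header field is inflated beyond the real payload, shows the check a proxy or IDS should apply to spot such a message, and contrasts a simulated flawed decompressor (returns the buffer size) with a hardened one (returns only the bytes zlib wrote). The OP_COMPRESSED layout (opcode 2012, originalOpcode/uncompressedSize/compressorId fields, zlib = compressor id 2) follows the MongoDB wire protocol; the sample OP_MSG body, the "stale heap" filler and the simulated server functions are constructed for this demonstration.

```python
"""Added example, not MongoDB's code and not part of the CCB advisory.

Models the length confusion behind CVE-2025-14847 on a MongoDB
OP_COMPRESSED wire message. Wire layout follows the MongoDB wire protocol;
the payload, the "stale heap" filler and the simulated server functions
are constructed for this demonstration.
"""
import struct
import zlib

OP_COMPRESSED = 2012
OP_MSG = 2013
ZLIB_ID = 2  # compressorId: 0 = noop, 1 = snappy, 2 = zlib, 3 = zstd
HEADER_LEN = 16 + 4 + 4 + 1  # MsgHeader + originalOpcode + uncompressedSize + compressorId

# Constructed OP_MSG body: flagBits=0, section kind 0, BSON {"hello": 1}.
SAMPLE_OP_MSG_BODY = (
    struct.pack("<i", 0) + b"\x00"
    + b"\x10\x00\x00\x00" + b"\x10hello\x00" + b"\x01\x00\x00\x00" + b"\x00"
)

# Constructed filler standing in for whatever the server's heap held before.
STALE_HEAP = b"stale-heap:api_key=EXAMPLE-ONLY;"


def build_op_compressed(payload, claimed_uncompressed_size, request_id=1):
    """Wrap `payload` in a zlib OP_COMPRESSED message. The uncompressedSize
    header field is written verbatim, so a caller can inflate it."""
    body = struct.pack("<iiB", OP_MSG, claimed_uncompressed_size, ZLIB_ID)
    body += zlib.compress(payload)
    header = struct.pack("<iiii", 16 + len(body), request_id, 0, OP_COMPRESSED)
    return header + body


def check_message(msg):
    """Parse an OP_COMPRESSED message and compare the claimed uncompressed
    size with what zlib really produces. A mismatch is a CVE-2025-14847 probe:
    an honest driver always writes the true size."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message too short for OP_COMPRESSED")
    msg_len, _req, _resp, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_COMPRESSED or msg_len != len(msg):
        raise ValueError("not a well-formed OP_COMPRESSED message")
    _orig_op, claimed, comp_id = struct.unpack_from("<iiB", msg, 16)
    if comp_id != ZLIB_ID:
        raise ValueError("only the zlib compressor is modelled here")
    actual = zlib.decompress(msg[HEADER_LEN:])
    return {"claimed": claimed, "actual": len(actual),
            "suspicious": claimed != len(actual)}


def _alloc_like_server(claimed, compressed):
    """Allocate an output buffer of the client-claimed size without clearing
    it (the filler models stale heap contents) and inflate into its start."""
    buf = bytearray((STALE_HEAP * (claimed // len(STALE_HEAP) + 1))[:claimed])
    data = zlib.decompress(compressed)
    if len(data) > claimed:
        raise ValueError("output does not fit: zlib would return Z_BUF_ERROR")
    buf[: len(data)] = data
    return buf, len(data)


def vulnerable_decompress(claimed, compressed):
    """Flawed pattern: report the buffer size, not the bytes written, so the
    untouched tail (stale memory) is treated as part of the message."""
    buf, _written = _alloc_like_server(claimed, compressed)
    return bytes(buf)


def fixed_decompress(claimed, compressed):
    """Hardened pattern: hand back only the bytes zlib actually wrote. The
    stale tail of the buffer never leaves the decompressor."""
    buf, written = _alloc_like_server(claimed, compressed)
    return bytes(buf[:written])


if __name__ == "__main__":
    honest = build_op_compressed(SAMPLE_OP_MSG_BODY, len(SAMPLE_OP_MSG_BODY))
    probe = build_op_compressed(SAMPLE_OP_MSG_BODY, 4096)
    print("honest:", check_message(honest))
    print("probe :", check_message(probe))
    leaked = vulnerable_decompress(4096, probe[HEADER_LEN:])
    print("vulnerable returned", len(leaked), "bytes; tail:", leaked[-32:])
    print("fixed returned", len(fixed_decompress(4096, probe[HEADER_LEN:])), "bytes")
```

The `suspicious` verdict from `check_message` is the signal to alert on in a protocol-aware proxy or sensor in front of an unpatched instance: a zlib-compressed message whose uncompressedSize does not equal the real inflated length has no legitimate origin. The two decompressors differ in one line, which is the whole point: the bug is the return value, not the decompression.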

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable MongoDB instances with the highest priority after thorough testing. Until an instance is patched, restrict network access to the MongoDB listener (TCP 27017 by default) to trusted hosts only, since the flaw is reachable without authentication.

Monitor/Detect
The CCB recommends that organizations scale up monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that has already occurred. Because the leaked memory can contain credentials, session information and API keys, any such secrets that may have been in server memory during the exposure window should be rotated.