US, Canadian, and Australian cyber agencies are warning that hackers are actively exploiting a recently disclosed vulnerability affecting MongoDB data storage systems.
The flaw, tracked as CVE-2025-14847, was disclosed by MongoDB on December 15 and patched on December 19. Working exploit code was published on December 25. Dubbed “MongoBleed,” the bug allows attackers to rapidly open tens of thousands of connections to a server to probe for memory leaks and reconstruct sensitive data.
The US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its catalog of known exploited vulnerabilities. Australia’s Cyber Security Centre has also confirmed “active global exploitation” of the vulnerability, which affects multiple versions of MongoDB’s database management system.
According to cybersecurity firm Wiz, 42% of cloud environments contain at least one vulnerable MongoDB instance, while Censys and the Shadowserver Foundation identified roughly 87,000 and 74,854 potentially exposed systems worldwide, respectively. Rapid7 warned that the combination of large-scale exposure and weak access controls could lead to rapid, opportunistic abuse rather than targeted nation-state attacks.
Cybersecurity expert Kevin Beaumont said he tested the exploit code over the weekend, confirming it could be used to steal database passwords, AWS secret keys, and other sensitive information.
