CISA Orders Urgent Patching Of Actively Exploited MongoDB Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive ordering federal agencies to patch a high-severity MongoDB vulnerability that is being actively exploited in the wild.

The flaw, tracked as CVE-2025-14847 and widely known as MongoBleed, affects a wide range of MongoDB Server versions and allows attackers to leak sensitive memory data remotely without authentication.

CISA has now added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating all Federal Civilian Executive Branch (FCEB) agencies to secure affected systems by January 19, 2026.

What Is MongoBleed?

MongoBleed is a memory disclosure vulnerability (not a memory leak in the resource-exhaustion sense) rooted in how MongoDB handles network messages compressed with zlib. When a client sends a compressed message, the server sizes its buffer to the uncompressed length the client declares in the message header, but does not check that zlib actually produced that many bytes. Whatever part of the buffer the decompressed data does not fill keeps stale heap contents, and the server goes on to process that buffer as the message. By declaring a large uncompressed size and supplying only a small real payload, an unauthenticated attacker can make a vulnerable server return uninitialized heap memory in its response.

That leaked memory may contain highly sensitive information, including usernames and passwords, API and cloud keys, session tokens, internal logs, and personally identifiable information (PII). The vulnerability is particularly dangerous because it requires no valid credentials and can be exploited remotely with minimal effort.

Security researcher Joe Desimone of Elastic released a public proof-of-concept (PoC) exploit in late December, demonstrating how attackers can extract sensitive data from unpatched MongoDB servers.

Tens Of Thousands Of Servers Exposed

Internet monitoring groups report widespread exposure. The Shadowserver Foundation counts more than 74,000 internet-exposed MongoDB instances that appear vulnerable, while Censys is tracking over 87,000 IP addresses worldwide that may still be unpatched. The majority of exposed servers are located in the United States, China, Germany, France, Hong Kong, Singapore, and India.

“A working exploit has been publicly available since December 26, 2025, with initial reporting of exploitation in the wild reported shortly after,” cybersecurity firm Wiz said in a blog post published on Sunday. While complete details of ongoing attacks remain limited, some researchers have linked MongoBleed to recent disruptions affecting Ubisoft’s Rainbow Six Siege infrastructure.

Who Is Affected?

The vulnerability spans almost ten years’ worth of MongoDB releases, impacting versions ranging from 3.6 to 8.2. MongoDB has since issued patches for all supported branches, including versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30.

Cloud-hosted MongoDB Atlas deployments have already been patched automatically, but organizations running self-hosted MongoDB servers must apply updates manually. Older, end-of-life versions such as MongoDB 3.6, 4.0, and 4.2 have no fixes available, leaving migration as the only safe option.

CISA’s Warning And Next Steps

FCEB agencies — which include departments such as Homeland Security, Treasury, Energy, and Health and Human Services — are now required to remediate the flaw under Binding Operational Directive 22-01.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. The agency urged administrators to apply vendor patches immediately or discontinue use of the affected product if mitigations are unavailable.

For organizations that cannot patch immediately, CISA recommends disabling zlib compression as a temporary mitigation. In practice this means removing zlib from the list of compressors mongod will negotiate: the net.compression.compressors setting in mongod.conf, or the equivalent --networkMessageCompressors command-line option, which on current releases defaults to snappy,zstd,zlib when it is not set, so a configuration that never mentions compression still has zlib enabled. Leaving snappy and zstd in place removes the vulnerable code path; clients that only support zlib fall back to uncompressed traffic, which may affect bandwidth and performance. Administrators can also use newly released detection tools that analyze MongoDB logs for signs of attempted exploitation.
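As a worked example of the two checks a self-hosted operator needs here, patch status by version and whether zlib is still negotiable in mongod.conf, the following Python script is added for this article; it is not MongoDB's, CISA's, or the author's tooling. The fixed-release table is the one listed above; the sample configurations are constructed for the example; and the assumed default compressor list (snappy,zstd,zlib when the setting is absent) is the one MongoDB 4.2 and later ship with.

```python
"""Triage helpers for CVE-2025-14847 (MongoBleed). Added example; not
MongoDB's or CISA's tooling. Answers: is this server version fixed, and
does this mongod.conf still let zlib be negotiated?"""
import re

# Fixed releases per supported branch, as listed in the article.
FIXED = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}
# End-of-life branches inside the affected range (3.6 to 8.2) with no fix.
EOL = {(3, 6), (4, 0), (4, 2)}
# Assumption: compressor list mongod uses when net.compression.compressors is
# not set (the 4.2+ default). A file that never mentions compression keeps zlib.
DEFAULT_COMPRESSORS = ("snappy", "zstd", "zlib")


def parse_version(text):
    """Turn 'v7.0.27' or the output of db.version() into an int tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_status(text):
    """Classify a server version as patched, vulnerable or outside the range."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        if v >= fixed:
            return "patched"
        return "vulnerable: upgrade to " + ".".join(map(str, fixed))
    if branch in EOL:
        return "vulnerable: end-of-life branch with no fix; migrate to a supported release"
    if (3, 6) <= branch <= (8, 2):
        return "vulnerable: non-LTS branch in the affected range; move to a fixed release"
    return "outside the listed range; check the vendor advisory"


def compressors_from_conf(conf_text):
    """Read net.compression.compressors from a mongod.conf (YAML with simple
    key: value nesting). Returns the default list when the key is absent and
    an empty tuple when compression is set to 'disabled'."""
    stack = []  # (indent, key) of the enclosing sections
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = [k for _, k in stack] + [key.strip()]
        if path == ["net", "compression", "compressors"]:
            value = value.strip()
            if value == "disabled":
                return ()
            return tuple(c.strip() for c in value.split(",") if c.strip())
        stack.append((indent, key.strip()))
    return DEFAULT_COMPRESSORS


def zlib_negotiable(conf_text):
    """True when the config leaves the zlib decompression path reachable."""
    return "zlib" in compressors_from_conf(conf_text)


# Constructed sample configs: a typical file that never mentions compression
# (zlib stays on by default) and the same file with the mitigation applied.
UNMITIGATED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
"""
MITIGATED_CONF = UNMITIGATED_CONF + (
    "  compression:\n"
    "    compressors: snappy,zstd  # zlib removed until the server is patched\n"
)


def triage(version, conf_text):
    """Combine both checks into one verdict for a host."""
    status = version_status(version)
    if status == "patched":
        return status
    if zlib_negotiable(conf_text):
        return status + "; zlib still negotiable, apply the mitigation now"
    return status + "; zlib disabled, exploit path blocked until patched"


if __name__ == "__main__":
    for ver in ("7.0.27", "7.0.28", "4.2.24", "8.2.3"):
        print(ver, "->", triage(ver, UNMITIGATED_CONF))
    print("7.0.27 with mitigated conf ->", triage("7.0.27", MITIGATED_CONF))
```

Two caveats when using this on a real host: feed it the version the running process reports (db.version() from mongosh), not the package version, and remember that a --networkMessageCompressors option on the mongod command line overrides the file, so confirm the process arguments rather than trusting the config file alone. The config parser only understands the plain nested key: value form; anchors, flow mappings and other YAML features are out of scope for this example.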

A Broader Wake-up Call

MongoDB is one of the world’s most widely used NoSQL databases, powering applications across various industries, including gaming, finance, cloud services, analytics, and IoT. Security experts say the rapid spread of scanning and exploitation activity highlights the need for faster patching, reduced exposure of databases to the public internet, and stronger monitoring of critical infrastructure.

While CISA’s order applies only to U.S. federal agencies, cybersecurity experts say private organizations should treat MongoBleed with the same urgency. With tens of thousands of servers still exposed, unpatched MongoDB systems remain prime targets for data theft and broader network compromise.

Kavita Iyer