The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning about the active exploitation of CVE-2025-14847, a severe vulnerability affecting MongoDB and MongoDB Server.
The flaw was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 29, 2025, signaling that threat actors are actively targeting this security weakness in real-world attacks.
Vulnerability Overview
CVE-2025-14847 is an improper handling of length parameter inconsistency vulnerability in the Zlib-compressed protocol headers of the MongoDB Server.
This critical flaw enables unauthenticated attackers to remotely read uninitialized heap memory, potentially exposing sensitive information stored in server memory without requiring any authentication credentials.
The vulnerability is classified under CWE-130, which involves improper handling of length parameters inconsistent with actual data.
The severity of this vulnerability lies in its accessibility: attackers can exploit it without authentication, making MongoDB deployments exposed to the internet particularly vulnerable.
Uninitialized heap memory may contain sensitive data, such as database credentials, session tokens, encryption keys, or confidential business information, that was left in memory from previous operations.
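The CWE-130 pattern described above, modelled as an added example that is not MongoDB's code or wire format: a constructed 4-byte header declares the uncompressed length, the vulnerable decoder trusts it and returns the whole buffer it sized from that value, and the hardened decoder rejects any mismatch between the declared and actual length. The STALE_HEAP bytes are constructed to stand in for uninitialized memory.

```python
import struct
import zlib

# Constructed model of a compressed protocol message: a 4-byte header that declares
# the uncompressed length, followed by a zlib stream. This illustrates the CWE-130
# pattern only; it is not MongoDB's wire format or code.
HEADER = struct.Struct("<I")

# Constructed bytes standing in for whatever earlier operations left in the heap.
STALE_HEAP = b"password=hunter2;session=abc123;" * 8


def build_message(payload: bytes, declared_len: int = -1) -> bytes:
    """Build a message; a wrong declared_len models an inconsistent length field."""
    if declared_len < 0:
        declared_len = len(payload)
    return HEADER.pack(declared_len) + zlib.compress(payload)


def decode_vulnerable(message: bytes) -> bytes:
    """Trusts the declared length: sizes the output buffer from it and returns every
    byte, even though decompression may have filled fewer. In C the unfilled tail
    would be uninitialized heap; here STALE_HEAP models that content."""
    (declared_len,) = HEADER.unpack_from(message)
    buf = bytearray(STALE_HEAP[:declared_len].ljust(declared_len, b"\0"))
    data = zlib.decompress(message[HEADER.size:])
    buf[:len(data)] = data  # only len(data) bytes are overwritten
    return bytes(buf)       # declared_len bytes go back; the tail is stale


def decode_hardened(message: bytes) -> bytes:
    """Treats the declared length as a claim to verify: the stream must end exactly
    at declared_len bytes, with nothing left over and nothing short."""
    (declared_len,) = HEADER.unpack_from(message)
    d = zlib.decompressobj()
    data = d.decompress(message[HEADER.size:], declared_len)
    if not d.eof or d.unconsumed_tail or d.unused_data or len(data) != declared_len:
        raise ValueError("declared length does not match decompressed data")
    return data


def hardened_rejects(message: bytes) -> bool:
    """True if the hardened decoder refuses the message."""
    try:
        decode_hardened(message)
    except (ValueError, zlib.error):
        return True
    return False
```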
CISA’s addition of CVE-2025-14847 to the KEV catalog confirms that cybercriminals are actively exploiting this vulnerability in the wild.
While it remains unknown whether the flaw has been incorporated into ransomware campaigns, the active exploitation status demands immediate attention from organizations running MongoDB infrastructure.
Federal agencies and organizations must implement mitigations by January 19, 2026, according to CISA’s Binding Operational Directive (BOD) 22-01.
Organizations should immediately apply security patches and updates released by MongoDB, following the vendor’s instructions.
For cloud-based MongoDB deployments, administrators should follow the applicable BOD 22-01 guidance for cloud services.
If mitigations or patches are unavailable, CISA recommends discontinuing use of the affected product until proper security measures can be implemented.
Organizations should prioritize patching internet-facing MongoDB instances and conduct thorough security assessments to identify potentially compromised systems.
