Cybersecurity professionals are closing out 2025 confronting yet another information-disclosure vulnerability, one that is drawing widespread concern as threat hunters and researchers race to avoid impacts comparable to previous defects dubbed with a “bleed” suffix.
MongoBleed, tracked as CVE-2025-14847, is a high-severity vulnerability that affects many versions of MongoDB in their default configurations and allows unauthenticated attackers to leak server memory, which could contain sensitive data including credentials or tokens. MongoDB disclosed the vulnerability Dec. 19 and worries escalated when a public proof of concept was released Dec. 26.
Multiple cybersecurity firms report the vulnerability is under active exploitation in the wild, and the Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Monday.
MongoDB is a nearly ubiquitous open-source database. Researchers at Wiz said 42% of cloud environments contain at least one instance of a MongoDB version vulnerable to CVE-2025-14847, including publicly exposed and internal resources.
Shadowserver scans found almost 75,000 possibly unpatched versions of MongoDB, out of nearly 79,000 publicly exposed instances Monday. Censys said it observed more than 87,000 potentially vulnerable instances of MongoDB on Saturday.
Countries with the highest concentration of exposed instances potentially at risk of compromise include China, the United States, Germany, France, Hong Kong, India and Singapore.
The defect, which has a CVSS rating of 8.7, is “concerning because of the scale of the install base, ease of exploitation and lack of forensic evidence left behind,” Ben Read, director of strategic threat intelligence at Wiz, told CyberScoop. “Because it’s a memory-leak vulnerability, there isn’t malware left on the disk, or any durable forensic evidence that data was accessed.”
Wiz has observed exploitation attempts and evidence of active exploitation, but hasn’t been able to attribute any of that malicious activity to a specific threat group, Read said. “We expect that it is being exploited by a wide variety of actors, based on past precedent.”
While threat hunters are on high alert, key details about attacks and the potential impact of exploitation at scale are limited.
“Real-world attack details have been oddly lacking so far,” Caitlin Condon, vice president of research at VulnCheck, told CyberScoop.
“A lot of the current public info corpus on MongoBleed seems to be assuming that because there’s public proof of concept, exploitation is trivial, but an adversary still has to be able to get useful data out of an attack flow. I’m not sure it’s actually clear yet that that’s trivial,” she added.
Yet attacker interest in the vulnerability is growing. As of Monday, VulnCheck is tracking more than a dozen public proofs of concept, some of which appear to be valid.
MongoDB urges customers to upgrade to a patched version as soon as possible, noting that the potential impact is expansive with vulnerable versions dating back to 2017.
Downtime around the holidays may also be impacting visibility and delaying efforts to triage and hunt for evidence of compromise.
“Many security teams are likely to have reduced capacity this week, which may contribute to a longer tail on observed exploitation details and threat actor attribution,” Condon said.
