An open-source detection tool should help organizations detect exploitation of MongoBleed (CVE-2025-14847). The critical vulnerability in MongoDB databases is being actively exploited and affects tens of thousands of servers worldwide.
The vulnerability allows attackers to extract sensitive information from server memory without authentication. Credentials, session tokens, and personal data are particularly lucrative finds for attackers. Several authorities and the security company Wiz are warning of active exploitation.
The problem lies in MongoDB’s zlib decompression mechanism and affects versions 4.4 through 8.2.2. Wiz Research reports that 42 percent of cloud environments have at least one vulnerable MongoDB instance, including both publicly accessible and internal resources. Censys identified approximately 87,000 potentially vulnerable instances worldwide.
How the detector works
The MongoBleed Detector is an offline command-line tool that analyzes MongoDB JSON logs. The tool does not require a network connection or additional agents, making it suitable for forensic investigation and incident response.
The detection mechanism correlates three types of MongoDB log events: accepted connection (22943), client metadata (51800), and closed connection (22944). Legitimate MongoDB drivers always send metadata immediately after connecting. The MongoBleed exploit, on the other hand, connects, extracts memory, and disconnects without sending any metadata.
The tool identifies suspicious patterns based on high connection volumes from a single IP address, the absence of client metadata, and short-lived burst behavior exceeding 100,000 connections per minute. The system supports compressed logs, works with both IPv4 and IPv6, and offers four levels of risk classification: HIGH, MEDIUM, LOW, and INFO.
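As an added illustration of the correlation just described (this is not the MongoBleed Detector's own code), the Python sketch below joins the three event ids per connection on constructed sample log lines and scores each source IP. The attr/ctx field layout, the sample lines and the burst threshold are assumptions to check against a real mongod.log.

```python
import json
from collections import defaultdict

ACCEPTED, METADATA, CLOSED = 22943, 51800, 22944  # the three NETWORK event ids the article names
BURST_THRESHOLD = 2  # constructed: metadata-less closed connections from one IP before HIGH; tune per site

# Constructed sample in the shape of MongoDB's JSON log; the attr/ctx field names are an assumption.
SAMPLE_LOG = """
{"t":{"$date":"2025-12-27T10:00:00.000Z"},"c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:50001","connectionId":1}}
{"t":{"$date":"2025-12-27T10:00:00.010Z"},"c":"NETWORK","id":51800,"ctx":"conn1","msg":"client metadata","attr":{"remote":"10.0.0.5:50001","doc":{"driver":{"name":"PyMongo"}}}}
{"t":{"$date":"2025-12-27T10:00:05.000Z"},"c":"NETWORK","id":22944,"ctx":"conn1","msg":"Connection ended","attr":{"remote":"10.0.0.5:50001","connectionId":1}}
{"t":{"$date":"2025-12-27T10:01:00.000Z"},"c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"[2001:db8::7]:40001","connectionId":2}}
{"t":{"$date":"2025-12-27T10:01:00.002Z"},"c":"NETWORK","id":22944,"ctx":"conn2","msg":"Connection ended","attr":{"remote":"[2001:db8::7]:40001","connectionId":2}}
{"t":{"$date":"2025-12-27T10:01:00.003Z"},"c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"[2001:db8::7]:40002","connectionId":3}}
{"t":{"$date":"2025-12-27T10:01:00.005Z"},"c":"NETWORK","id":22944,"ctx":"conn3","msg":"Connection ended","attr":{"remote":"[2001:db8::7]:40002","connectionId":3}}
"""

def remote_ip(remote):
    """Strip the port from 'ip:port' or '[ipv6]:port' so IPv4 and IPv6 peers aggregate by host."""
    return remote.rsplit(":", 1)[0].strip("[]")

def correlate(lines):
    """Join accept/metadata/close events per connectionId (metadata and close carry it in ctx)."""
    conns = {}
    for line in filter(None, map(str.strip, lines)):
        rec = json.loads(line)
        attr, eid = rec.get("attr", {}), rec.get("id")
        if eid not in (ACCEPTED, METADATA, CLOSED):
            continue
        cid = attr["connectionId"] if eid == ACCEPTED else int(rec["ctx"].removeprefix("conn"))
        conn = conns.setdefault(cid, {"ip": remote_ip(attr["remote"]), "metadata": False, "closed": False})
        if eid == METADATA:
            conn["metadata"] = True
        elif eid == CLOSED:
            conn["closed"] = True
    return conns

def classify(conns, threshold=BURST_THRESHOLD):
    """Per source IP: count closed connections that never sent metadata and assign a risk level."""
    per_ip = defaultdict(lambda: {"total": 0, "no_metadata": 0, "risk": "INFO"})
    for conn in conns.values():
        stats = per_ip[conn["ip"]]
        stats["total"] += 1
        if conn["closed"] and not conn["metadata"]:  # connect, read, disconnect without a driver handshake
            stats["no_metadata"] += 1
    for stats in per_ip.values():
        n = stats["no_metadata"]
        stats["risk"] = "HIGH" if n >= threshold else "MEDIUM" if 2 * n > stats["total"] else "LOW" if n else "INFO"
    return dict(per_ip)
```

Connections that are still open are deliberately not counted, since a legitimate driver may simply not have sent its handshake yet when the log was captured.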
In addition, the tool includes a Python wrapper for remote execution via SSH. This allows security teams to scan multiple MongoDB instances simultaneously. The detector also features a forensic folder mode for analyzing evidence collected from multiple hosts.
Affected versions and patches
The vulnerability specifically affects MongoDB versions 8.2.0 to 8.2.2, 8.0.0 to 8.0.16, 7.0.0 to 7.0.27, 6.0.0 to 6.0.26, 5.0.0 to 5.0.31, and 4.4.0 to 4.4.29. All versions of MongoDB Server v4.2, v4.0, and v3.6 are also vulnerable.
Organizations running vulnerable MongoDB versions should immediately apply available patches and use the detector to investigate possible abuse. The current exploits should come as no surprise. The Dutch NCSC expected this vulnerability to be exploited quickly. For those who cannot patch immediately: disable zlib compression by explicitly omitting it from networkMessageCompressors or net.compression.compressors. Alternatives are snappy, zstd, or disabling compression entirely.
MongoDB has released patches for the affected versions: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. MongoDB Atlas instances have been automatically upgraded and require no action from customers. A working exploit has been publicly available since December 26, 2025, followed shortly thereafter by reports of exploitation in the wild.