GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Kevin Beaumont (gossithedog@cyberplace.social), Saturday, 27-Dec-2025 01:30:43 JST:

    Merry Christmas to everybody, except that dude who works for Elastic, who decided to drop an unauthenticated exploit for MongoDB (basically MySQL) on Christmas Day, that leaks memory and automates harvesting secrets (e.g. database passwords)

    CVE-2025-14847 aka MongoBleed

    Exp: https://github.com/joe-desimone/mongobleed/blob/main/mongobleed.py

    This one is incredibly widely internet facing and will very likely see mass exploitation and impactful incidents

    Impacts every MongoDB version going back a decade.

    Shodan dork: product:"MongoDB"

    Attachments

    1. https://cyberplace.social/system/media_attachments/files/115/786/807/646/182/707/original/7df00d8f1c3f8eab.png

    • Kevin Beaumont (gossithedog@cyberplace.social), Saturday, 27-Dec-2025 01:42:33 JST:

      The exploit is real and works, you can just run it and target specific offsets and/or keep running it until you get AWS secrets and such.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/786/861/156/512/338/original/60eb94dfcf579c97.png
    • Kevin Beaumont (gossithedog@cyberplace.social), Saturday, 27-Dec-2025 02:02:30 JST:

      I did a quick write up: https://doublepulsar.com/merry-christmas-day-have-a-mongodb-security-incident-9537f54289eb

      Rich Felker repeated this.
    • Alan Miller :verified_paw: 🇺🇦 (fencepost@infosec.exchange), Saturday, 27-Dec-2025 02:33:43 JST:

      @GossiTheDog crappy timing but looks like it was a bit earlier than that. https://jira.mongodb.org/browse/SERVER-115508
    • buherator (buherator@infosec.place), Saturday, 27-Dec-2025 02:37:28 JST:

      @GossiTheDog Maybe you are confusing MariaDB with MongoDB in their relation to MySQL?
    • Just_Patch_It (just_patch_it@cyberplace.social), Saturday, 27-Dec-2025 02:58:44 JST:

      @GossiTheDog who the fuck exposes a DB directly to the internet?
    • Jonathan Kamens 86 47 (jik@federate.social), Saturday, 27-Dec-2025 04:17:38 JST:

      @GossiTheDog I am having a bit of trouble getting worked up about this.

      The bug went public six days before Christmas. This means, frankly, that the folks who get paid to be bad actors, of which there are rather many nowadays, have had six days to figure out how to exploit it. I'm sure several of them had already figured it out before the Eclipse dude dropped the exploit.

      By making the urgency of patching this issue clear, he has arguably done a public service.
    • Ed (edbo@mastodon.social), Saturday, 27-Dec-2025 06:10:29 JST:

      @GossiTheDog Publishing an exploit on Christmas Day and not providing any info on how to detect exploitation is just the most stupid thing for a security vendor to do...
    • Drew Scott Daniels (drewdaniels@mastodon.online), Saturday, 27-Dec-2025 14:25:52 JST:

      @GossiTheDog https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-14847 is a 404. I guess they assign a different CVE if one of their products based on MongoDB is affected?

      Attachments

      1. Security Update Guide - Microsoft Security Response Center
    • Kevin Beaumont (gossithedog@cyberplace.social), Saturday, 27-Dec-2025 14:34:56 JST:

      There’s a great blog on detecting MongoBleed exploitation via Velociraptor https://blog.ecapuano.com/p/hunting-mongobleed-cve-2025-14847

      Attachments

      1. Hunting MongoBleed (CVE-2025-14847)
         from Eric Capuano
         Detecting CVE-2025-14847 Exploitation with Velociraptor
    • Kevin Beaumont (gossithedog@cyberplace.social), Saturday, 27-Dec-2025 14:43:28 JST:

      I set up a honeypot for MongoBleed on a legit MongoDB instance, yolo and all that.
    • Rich Felker (dalias@hachyderm.io), Saturday, 27-Dec-2025 21:56:15 JST, in reply to yopp:

      @alex @GossiTheDog Thank you. This is how all vuln announcements should look. Simple instructions for disabling the vector.
    • yopp (alex@feed.yopp.me), Saturday, 27-Dec-2025 21:56:17 JST:

      @GossiTheDog it would be great to add a note that you don’t have to upgrade right now.

      Disabling zlib for network compression is enough to mitigate

      Either:

      a) Restart mongod/mongos with option --networkMessageCompressors=snappy,zstd
      (omit zstd on 3.6 and 4.0)

      b) Disable in mongod.conf and restart

      net:
        compression:
          # (omit `zstd` on 3.6 and 4.0)
          compressors: snappy,zstd

      And then plan upgrade after holidays
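An added audit check for the mitigation above (example code, not from the thread or from MongoDB): it reads the compressor list from either a mongod/mongos command line (form a) or a mongod.conf (form b) and reports whether zlib is still enabled. It assumes that when neither form sets the option the server default applies, which on MongoDB 4.2 and later is snappy,zstd,zlib; the YAML walk is a minimal indentation parser written for this example rather than PyYAML.

```python
"""Audit mongod/mongos settings for the zlib network compressor.

Added example, not from the thread. Assumption: with the option absent the
server default applies, which on 4.2+ is snappy,zstd,zlib (zlib enabled)."""
import shlex

DEFAULT_COMPRESSORS = ["snappy", "zstd", "zlib"]  # 4.2+ default (assumption)
OPTION = "--networkMessageCompressors"


def _split(value: str) -> list[str]:
    """Turn 'snappy,zstd', '"snappy"' or 'disabled' into a list of names."""
    value = value.strip().strip("'\"")
    if value == "disabled":
        return []
    return [c.strip() for c in value.split(",") if c.strip()]


def compressors_from_argv(cmdline: str) -> list[str]:
    """Compressor list from a mongod/mongos command line (form a above)."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg.startswith(OPTION + "="):
            return _split(arg.split("=", 1)[1])
        if arg == OPTION and i + 1 < len(args):
            return _split(args[i + 1])
    return list(DEFAULT_COMPRESSORS)


def compressors_from_conf(conf_text: str) -> list[str]:
    """Compressor list from net.compression.compressors in mongod.conf (form b).

    Minimal indentation walk over the YAML-style file; no PyYAML needed."""
    path = []  # stack of (indent, key) leading to the current line
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blanks
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:  # climb back out of siblings
            path.pop()
        path.append((indent, key.strip()))
        if [k for _, k in path] == ["net", "compression", "compressors"]:
            return _split(value)
    return list(DEFAULT_COMPRESSORS)


def zlib_enabled(compressors: list[str]) -> bool:
    """True if zlib, the vector the post says to disable, is still on."""
    return "zlib" in compressors
```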
    • Kevin Beaumont (gossithedog@cyberplace.social), Sunday, 28-Dec-2025 05:50:36 JST:

      Just checked in on my MongoDB honeypot, it's had a few hundred MongoBleed attempts from 7 IPs so far.
    • Kevin Beaumont (gossithedog@cyberplace.social), Sunday, 28-Dec-2025 06:01:56 JST:

      One of the IPs in the honeypot is a ransomware/extortion group, they are blasting the internet. I have a capture of the traffic, it's an exact match to the mongobleed.py exploit by joe (it doesn't match a normal connect as it's an invalidly formatted session).
    • DJGummikuh (djgummikuh@mastodon.social), Sunday, 28-Dec-2025 06:16:59 JST:

      @GossiTheDog I am sincerely surprised you can trace back an IP to a ransomware group, I'd expect them to be more careful to protect their identity when trying out a new exploit. I mean, essentially they're giving away their game, especially when they are iterating, since their IPs are (as can be seen) scrutinized more than others'.
    • VessOnSecurity (bontchev@infosec.exchange), Sunday, 28-Dec-2025 06:58:11 JST:

      @GossiTheDog None here. (If I understand correctly, using the exploit would generate many connections and nothing else.) Not even authentication attempts. Just a few IPs running commands (buildinfo, listDatabases, ismaster, etc.) without prior authentication.

      They seem to be looking for databases exposed to the Internet and not protected in any way? Unless something's wrong with the honeypot...
    • Drew Scott Daniels (drewdaniels@mastodon.online), Monday, 29-Dec-2025 04:01:11 JST:

      @GossiTheDog any advice if I find any publicly exposed Azure managed MongoDB databases like cosmos db? I asked support (went to a 3rd party v- address), and they’re doing the usual delay stuff, asking for information they don’t need.
    • Kevin Beaumont (gossithedog@cyberplace.social), Monday, 29-Dec-2025 08:23:21 JST, in reply to Florian Roth:

      So @cyb3rops has made a MongoBleed log detection tool https://github.com/Neo23x0/mongobleed-detector

      I’ve tried it and it works on a pwned server.
    • Kevin Beaumont (gossithedog@cyberplace.social), Monday, 29-Dec-2025 20:17:32 JST:

      A Christmas lesson:

      Cyber people probably shouldn't post full chain exploits which automate stealing secrets on Christmas Day for new vulns in direct competitor products.

      I mean, people can post whatever they want... it would just be nice to have a holiday with family, and all rather than arming teenagers.
    • SuperDicq (superdicq@minidisc.tokyo), Monday, 29-Dec-2025 23:12:32 JST:

      @GossiTheDog@cyberplace.social "MongoDB (basically MySQL)" What the hell does that mean? Do you even know what you're talking about? MongoDB and MySQL are completely unrelated. And they are not even the same kind of database. (document store vs relational)

      MySQL is obviously not affected by MongoBleed.

      Also MongoDB is proprietary software so they deserve all the horrible exploits they get. Maybe if it was free software it would actually improve in code quality because human (and non corpo) contributors would actually start caring about it.
    • Kevin Beaumont (gossithedog@cyberplace.social), Tuesday, 30-Dec-2025 06:05:16 JST:

      MongoBleed’s been added to CISA KEV. https://mastodon.social/@cisakevtracker/115804868181877648

      Attachments

      1. CISA KEV Tracker (@cisakevtracker@mastodon.social)
         from CISA KEV Tracker
         CVE ID: CVE-2025-14847 Vendor: MongoDB Product: MongoDB and MongoDB Server Date Added: 2025-12-29 Notes: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://jira.mongodb.org/browse/SERVER-115508 ; https://nvd.nist.gov/vuln/detail/CVE-2025-14847 CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-14847
    • Kevin Beaumont (gossithedog@cyberplace.social), Tuesday, 30-Dec-2025 06:09:25 JST:

      If anybody is wondering on honeypot activity, lots.

      More worrying is the real world incidents, two at large orgs I know of so far where attackers have gained access to internal DevOps systems using stolen creds used on MongoDB systems. In both cases it’s Advanced Persistent Teenagers.
    • Kevin Beaumont (gossithedog@cyberplace.social), Wednesday, 31-Dec-2025 05:32:49 JST:

      MongoDB have a blog out about #MongoBleed

      Notably:

      - Internal find at MongoDB

      - they notified customers of the issue and patch availability on December 23rd

      - A security vendor published technical details on December 24th, Christmas Eve

      - Somebody at Elastic, a direct competitor, published an exploit with full secret extraction feature on December 25th, Christmas Day

      That was an impossible situation for orgs - the security industry poured fire on them and set their own customers on fire.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/115/810/407/172/948/628/original/8504e75dbdffaf31.png
    • Marius (windsheep) (windsheep@infosec.exchange), Wednesday, 31-Dec-2025 05:55:32 JST:

      @GossiTheDog If this is internal, why were they unable to wait until mid January?
    • Matt Palmer (womble@infosec.exchange), Wednesday, 31-Dec-2025 06:07:28 JST:

      @GossiTheDog I feel like there's enough data on what happens as soon as a patch drops, from what has happened every previous time, that the consequences of Mongo dropping a patch on the 23rd were pretty easy to predict.
    • Skjie (skjie@infosec.exchange), Wednesday, 31-Dec-2025 06:19:48 JST, in reply to Marius (windsheep):

      @GossiTheDog @windsheep so it's their first day on the internet then? This was extremely predictable, and both Mongodb and elastic look very poorly.
    • Matt Palmer (womble@infosec.exchange), Wednesday, 31-Dec-2025 07:44:06 JST:

      @GossiTheDog that seems like a very difficult claim to prove - CVEs don't usually come with sufficient information to be able to detect exploitation at a distance.

      In any event, the vast majority of CVEs don't have this degree of impact and ease of exploitation. The moment that this kind of vuln - pre-auth information disclosure - is known to exist, it's basically inevitable that many actors, for a variety of reasons, will seek to develop an exploit for it.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.