Somebody from Elastic Security decided to post an exploit for CVE-2025-14847 on Christmas Day.
Here’s said exploit:
GitHub - joe-desimone/mongobleed
The vulnerability, disclosed just before Christmas, in theory allowed memory to be read from a MongoDB server without authentication. Patches are available. It affects every version of MongoDB going back about a decade.
Another vendor decided it would be a great idea to post technical details on Christmas Eve:
https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/
The exploit, which dropped yesterday, is the first public one. It's dubbed MongoBleed, à la CitrixBleed.
I've validated that said exploit is real: you just supply the IP address of a MongoDB instance and it'll start ferreting out things in memory such as database passwords (which are plain text), AWS secret keys, etc. The exploit specifically looks for those classes of credentials and secrets, too.

The internet footprint of MongoDB is very large, over 200k instances.

Because exploitation is now this simple (the bar has been removed), expect a high likelihood of mass exploitation and related security incidents. The exploit author has provided no details on how to detect exploitation in logs via products like... Elastic.
My advice would be to keep calm and patch internet-facing assets.
"Merry Christmas Day! Have a MongoDB security incident." was originally published in DoublePulsar on Medium.