
MongoBleed (CVE-2025-14847): Vulnerability Analysis and the Rainbow Six Siege Incident

Analysis of CVE-2025-14847 (MongoBleed), a pre-auth memory disclosure vulnerability in MongoDB. Includes technical details, threat activity from our honeypots, and assessment of the alleged Rainbow Six Siege breach.

Table of Contents

  1. BLUF (Bottom Line Up Front)
  2. Executive Summary
  3. Key Findings
  4. Vulnerability Metrics
  5. Timeline
  6. The Rainbow Six Siege Incident
  7. Technical Details
  8. Threat Activity
  9. Recommendations
  10. Mitigations
  11. References
  12. Public PoCs

BLUF (Bottom Line Up Front)

Patch MongoDB immediately. CVE-2025-14847 allows unauthenticated attackers to extract heap memory (including credentials, tokens, and private keys) from any MongoDB instance with network compression enabled. Attackers have released public PoCs and we observe active scanning. If you cannot patch within 24 hours, disable compression. Assume credential exposure for any internet-facing instance. MongoDB Atlas is not affected. MongoDB patched all Atlas deployments before public disclosure.


Executive Summary

MongoBleed (CVE-2025-14847) exposes MongoDB servers to pre-authentication heap memory disclosure through malformed zlib-compressed protocol messages. Attackers can extract credentials, tokens, private keys, and internal database state without any authentication.

Real-world impact: On December 27, 2025, multiple threat groups targeted Ubisoft. One group injected ~$339T of in-game currency via an unrelated exploit; two other groups claim to have used MongoBleed to exfiltrate source code and user data, though both claims lack evidence.

Risk: High for any internet-exposed MongoDB with network compression enabled (default on many deployments). Shodan shows 200,000+ exposed instances. MongoDB Atlas is not affected. MongoDB patched all Atlas deployments before public disclosure.

Immediate Action: Patch to fixed versions or disable network compression; restrict internet exposure; enforce authentication and TLS; monitor for anomalous OP_COMPRESSED traffic on port 27017.


Key Findings

  • Pre-auth exploitation: Attackers require no credentials; connecting to TCP/27017 with compression enabled triggers data leakage
  • Wide version impact: Vulnerability affects MongoDB versions 3.6 through 8.2 with network compression enabled
  • Active weaponization: Attackers have released 8+ PoCs on GitHub; we observe mass scanning campaigns targeting port 27017
  • Massive exposure: Shodan shows 200,000+ MongoDB instances exposed to the internet
  • Real-world incident: On December 27, 2025, multiple groups targeted Ubisoft; two claim to have used MongoBleed for data exfiltration (both claims disputed)
  • No ransomware attribution yet: We have not confirmed any ransomware victims tied to this CVE, but memory disclosures typically precede credential theft and ransomware deployment

Vulnerability Metrics

| Metric | Value |
|---|---|
| CVE | CVE-2025-14847 |
| CWE | CWE-130 – Improper Handling of Length Parameter Inconsistency |
| CVSS 4.0 | 8.7 (High) |
| CVSS 4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CVSS 3.1 | 7.5 (High) |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| EPSS | 0.98 (98% exploitation probability) |
| CISA KEV | Not listed (as of Dec 28, 2025) |
| Vendor Advisory | SERVER-115508 |

Timeline

| Date | Event |
|---|---|
| Dec 15, 2025 | MongoDB releases security advisory |
| Dec 19, 2025 | NVD publishes CVE-2025-14847 |
| Dec 23-27, 2025 | Release of multiple PoCs on GitHub |
| Dec 27, 2025 | Rainbow Six Siege incident begins |
| Dec 28, 2025 | Ubisoft confirms rollback, servers restored |

The Rainbow Six Siege Incident

What Happened

On December 27, 2025, Ubisoft’s Rainbow Six Siege suffered a major service-impacting incident:

  • Mass currency injection: Attackers flooded player accounts with R6 Credits, Renown, and Alpha Packs
  • Ban ticker abuse: Random ban messages appeared in-game (Ubisoft confirmed that the company did not send these messages)
  • Service shutdown: Ubisoft took game servers and the marketplace offline
  • Rollback: Ubisoft rolled back all transactions after 11:00 UTC and stated it would not ban players for spending credited funds

Multi-Group Activity

According to VX-Underground, four distinct groups were involved:

  1. “Game breakers” – injected ~$339T in-game currency, disrupting both game economy and real-money revenue; attack method not publicly disclosed
  2. “Source-code thieves” – claim to have used MongoBleed to exfiltrate ~900 GB of source code; VX-Underground initially had medium-high confidence but later reported claims were exaggerated
  3. “Extortionists” – claim to have stolen user data via MongoBleed; VX-Underground reports no customer data was compromised
  4. “Accusers” – allege that Group 2 already had the source code and is using this incident as an excuse to leak it

Note: MongoBleed attribution is unconfirmed. Only Groups 2 and 3 claim to have used it; both claims lack evidence.

Ubisoft Response

Ubisoft has not confirmed the root cause or the source code theft claims. The company:

  • Disabled the ban ticker system
  • Initiated transaction rollback
  • Took servers offline for remediation
  • Stated it would not ban players for spending injected currency

Impact Assessment

| Timeframe | Risk |
|---|---|
| Immediate | Service downtime, game economy rollback, reputational damage |
| Long-term | If source code claims are valid, there is a possibility of increased cheat/ESP/aimbot development and anti-cheat bypass attempts by players |

Baysec Assessment

The timing aligns with MongoBleed’s disclosure as PoC releases happened days before the incident. However, only Groups 2 and 3 claim to have used MongoBleed; Group 1 (currency injection) used an unrelated exploit. VX-Underground later reported that both MongoBleed claims lack evidence. Ubisoft has not confirmed any attribution. We treat the MongoBleed connection as unverified.

Organizations with similar MongoDB exposure should treat this as a warning case.


Technical Details

Protocol: MongoDB wire protocol, TCP/27017 (OP_COMPRESSED frames / zlib)

Exploitation requirements:

  1. The attacker can reach the MongoDB instance over the network
  2. The server has network compression enabled
  3. No authentication is required

How It Works

MongoBleed exploits a length parameter inconsistency in MongoDB’s zlib compression handler. When an attacker sends malformed OP_COMPRESSED frames with mismatched length fields, the server returns adjacent heap memory instead of rejecting the payload.
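To make the length-parameter inconsistency concrete from the defender's side, the following is an added Python example; it is not MongoDB's code and not a reproduction of the bug. It parses an OP_COMPRESSED frame using the public MongoDB wire-protocol layout and rejects any frame whose advertised sizes disagree with the bytes actually present, which is the consistency a hardened decoder must enforce. The helper build_op_compressed, the sample payload, and the claimed_size parameter are constructed for the demonstration; claimed_size exists only so a test can feed the validator a frame whose uncompressedSize field is wrong.

```python
"""Validator for MongoDB OP_COMPRESSED frames (added example, not MongoDB code).

Assumed layout (public MongoDB wire protocol):
  messageLength int32 | requestID int32 | responseTo int32 | opCode int32 (2012)
  originalOpcode int32 | uncompressedSize int32 | compressorId uint8 | compressedMessage
"""
import struct
import zlib

OP_COMPRESSED = 2012
OP_MSG = 2013
COMPRESSOR_ZLIB = 2
HEADER = struct.Struct("<iiii")          # standard 16-byte message header
COMPRESSED_HDR = struct.Struct("<iiB")   # originalOpcode, uncompressedSize, compressorId
MAX_UNCOMPRESSED = 48 * 1024 * 1024      # MongoDB's 48 MB maximum message size


class FrameError(ValueError):
    """Raised when a frame is malformed; the caller should drop the connection."""


def build_op_compressed(payload: bytes, *, claimed_size=None, request_id=1) -> bytes:
    """Wrap payload in a zlib OP_COMPRESSED frame (constructed helper for the demo).

    claimed_size lets a test build a frame whose uncompressedSize field disagrees
    with the real payload length, i.e. the malformed input the validator must reject.
    """
    body = zlib.compress(payload)
    size = len(payload) if claimed_size is None else claimed_size
    inner = COMPRESSED_HDR.pack(OP_MSG, size, COMPRESSOR_ZLIB) + body
    return HEADER.pack(HEADER.size + len(inner), request_id, 0, OP_COMPRESSED) + inner


def decode_op_compressed(frame: bytes) -> bytes:
    """Return the inflated inner message, or raise FrameError on any inconsistency."""
    if len(frame) < HEADER.size + COMPRESSED_HDR.size:
        raise FrameError("frame shorter than fixed headers")
    message_length, _req, _resp, opcode = HEADER.unpack_from(frame, 0)
    if opcode != OP_COMPRESSED:
        raise FrameError(f"opcode {opcode} is not OP_COMPRESSED")
    # Check 1: the outer length must match the bytes actually received.
    if message_length != len(frame):
        raise FrameError(f"messageLength {message_length} != {len(frame)} bytes on the wire")
    _orig_opcode, uncompressed_size, compressor_id = COMPRESSED_HDR.unpack_from(frame, HEADER.size)
    if compressor_id != COMPRESSOR_ZLIB:
        raise FrameError(f"compressorId {compressor_id} not handled by this example")
    # Check 2: a negative or oversized advertised size is rejected before any allocation.
    if not 0 <= uncompressed_size <= MAX_UNCOMPRESSED:
        raise FrameError(f"uncompressedSize {uncompressed_size} out of range")
    compressed = frame[HEADER.size + COMPRESSED_HDR.size:]
    try:
        # max_length caps output at one byte past the claim, so an over-long stream
        # is detected without inflating it fully.
        inflated = zlib.decompressobj().decompress(compressed, uncompressed_size + 1)
    except zlib.error as exc:
        raise FrameError(f"zlib failure: {exc}") from exc
    # Check 3: the inflated length must equal the advertised length exactly. Accepting a
    # short inflation and returning a buffer sized by uncompressedSize is the pattern
    # that hands back uninitialised heap bytes to the client.
    if len(inflated) != uncompressed_size:
        raise FrameError(f"inflated {len(inflated)} bytes, header claims {uncompressed_size}")
    return inflated


def classify(frame: bytes) -> str:
    """'ok' or the rejection reason, for logging and tests."""
    try:
        decode_op_compressed(frame)
        return "ok"
    except FrameError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    sample = b"constructed sample OP_MSG body"
    print(classify(build_op_compressed(sample)))
    print(classify(build_op_compressed(sample, claimed_size=4096)))
```

The three checks are independent: a wrong messageLength is caught before the compressed bytes are touched, an out-of-range uncompressedSize is caught before any buffer is sized from it, and a mismatch between the inflated length and the claim is caught before anything is returned. Only frames that pass all three reach the command layer.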

Affected Versions

| Branch | Vulnerable | Fixed |
|---|---|---|
| 8.2 | < 8.2.3 | 8.2.3+ |
| 8.0 | < 8.0.17 | 8.0.17+ |
| 7.0 | < 7.0.28 | 7.0.28+ |
| 6.0 | < 6.0.27 | 6.0.27+ |
| 5.0 | < 5.0.32 | 5.0.32+ |
| 4.4 | < 4.4.30 | 4.4.30+ |
| 4.2 | All versions | No patch available |
| 4.0 | All versions | No patch available |
| 3.6 | All versions | No patch available |

MongoDB Atlas: Not affected. MongoDB patched all Atlas deployments before public disclosure. Only self-managed installations require action.

MITRE ATT&CK Mapping

| Technique | ID | Description |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Attackers exploit MongoDB instances exposed to the internet |
| Unsecured Credentials | T1552 | Memory disclosure leaks credentials from the server heap |
| Network Service Discovery | T1046 | Mass scanning for port 27017 |

Threat Activity

Exploitation Status

Attackers have already released public PoCs and are quickly turning them into active scanning tools. Several security vendors are urging immediate patching. Since the vulnerability can be exploited pre-authentication and requires little effort, it’s likely to be incorporated into crimeware toolkits soon.

Internet Exposure (Shodan)

| Metric | Value |
|---|---|
| Exposed MongoDB instances | 201,887 |
| Top countries | USA, Netherlands, China, Germany |
| Vulnerable versions observed | 8.0.15, 7.0.5, 5.0.28, 4.0.9 |

Baysec Honeypot Data (Last 24h)

Our honeypot recorded 58 events targeting port 27017:

| Attacker IP | Country | Last Activity | Attack Type |
|---|---|---|---|
| 68.183.138.35 | USA (New Jersey) | 2025-12-28 09:20:26 | TCP SYN → port 27017 |
| 91.230.168.166 | Private/Reserved | 2025-12-28 08:43:29 | TCP SYN → port 27017 |
| 142.93.192.62 | USA (New Jersey) | 2025-12-28 06:12:44 | TCP SYN → port 27017 |

Suricata Alerts:

  • ET CINS Active Threat Intelligence Poor Reputation IP group 190 (146.88.241.153)
  • ET DROP Dshield Block Listed Source group 1 (91.230.168.166)
  • ET CINS Active Threat Intelligence Poor Reputation IP group 115 (91.230.168.166)

Ransomware

We have not identified any ransomware victims linked to CVE-2025-14847 so far. However, attackers who use memory disclosure flaws to harvest credentials often follow up with ransomware deployment. We are continuing to monitor the situation.


Recommendations

  1. Inventory all MongoDB instances including development, staging, production, and test environments
  2. Prioritize patching based on internet exposure and data sensitivity
  3. Disable network compression in MongoDB if you cannot patch
  4. Assume credential exposure if unpatched
  5. Rotate secrets including database users, application secrets, API tokens, and session keys
  6. Review network logs for unusual traffic patterns to port 27017 from unfamiliar sources
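Steps 1 to 3 above (inventory, prioritize, disable compression where patching must wait) combine with the Affected Versions table into a triage that is easy to get wrong by hand across many hosts. The following is an added Python example, not MongoDB's or Baysec's tooling, that encodes the fixed versions from the table, classifies each host from its version and its net.compression.compressors setting, and orders the patch queue with internet-exposed unpatched hosts first. It assumes the disabled value that MongoDB's configuration reference documents for net.compression.compressors; the host names and exposure flags in the sample inventory are constructed, while the version strings are the ones the Shodan section reports seeing in the wild.

```python
"""Inventory triage against the MongoBleed affected-versions table.

Added example, not MongoDB or Baysec tooling. Fixed versions come from the
Affected Versions table in this report; everything else is constructed.
"""

# Fixed version per branch, from the Affected Versions table.
FIXED = {(8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
         (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30)}
# Branches the table lists as affected with no patch available.
NO_PATCH = {(4, 2), (4, 0), (3, 6)}
# Lower number = more urgent when ordering the patch queue.
URGENCY = {"vulnerable-no-patch": 0, "vulnerable": 1, "mitigated": 2,
           "unknown-branch": 3, "patched": 4}


def parse_version(text: str) -> tuple:
    """'8.0.17' -> (8, 0, 17); any '-suffix' is dropped, missing parts read as 0."""
    nums = [int(p) for p in text.split("-")[0].split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def compression_disabled(compressors) -> bool:
    """True when net.compression.compressors is set to the documented 'disabled' value."""
    if compressors is None:
        return False
    return [c.strip() for c in compressors.split(",")] == ["disabled"]


def assess(version: str, compressors=None) -> str:
    """Classify one host: patched, mitigated, vulnerable, vulnerable-no-patch, unknown-branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED and v >= FIXED[branch]:
        return "patched"
    if branch not in FIXED and branch not in NO_PATCH:
        return "unknown-branch"          # outside the 3.6 - 8.2 range the table covers
    if compression_disabled(compressors):
        return "mitigated"               # workaround in place; still schedule the upgrade
    return "vulnerable-no-patch" if branch in NO_PATCH else "vulnerable"


def prioritize(inventory):
    """Return inventory rows with a 'status' field, ordered as a patch queue:
    unpatched before patched, internet-exposed first, then by urgency, then host name."""
    rows = [dict(row, status=assess(row["version"], row.get("compressors")))
            for row in inventory]
    return sorted(rows, key=lambda r: (r["status"] == "patched",
                                       not r.get("internet_exposed", False),
                                       URGENCY[r["status"]],
                                       r["host"]))


# Constructed inventory (host names and exposure are made up for the demo).
SAMPLE_INVENTORY = [
    {"host": "db-prod-1", "version": "8.0.15", "compressors": "snappy,zstd,zlib", "internet_exposed": True},
    {"host": "db-legacy", "version": "4.0.9", "compressors": "snappy", "internet_exposed": False},
    {"host": "db-stage", "version": "7.0.5", "compressors": "disabled", "internet_exposed": True},
    {"host": "db-prod-2", "version": "8.2.3", "compressors": "zlib", "internet_exposed": True},
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY):
        print(f"{row['host']:<10} {row['version']:<8} {row['status']}")
```

Two design points: a host on a branch with no patch is reported as mitigated rather than vulnerable once compression is disabled, so the queue reflects the real residual exposure, and exposure outranks raw urgency, so an internet-facing vulnerable 8.0 host is queued ahead of an internal 4.0 host even though the latter has no fix at all.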

Mitigations

Patching

Upgrade to fixed versions:

  • MongoDB 8.2.3+
  • MongoDB 8.0.17+
  • MongoDB 7.0.28+
  • MongoDB 6.0.27+
  • MongoDB 5.0.32+
  • MongoDB 4.4.30+

Temporary Workaround

Disable network compression if patching must be delayed. In the mongod configuration file, set net.compression.compressors to disabled (the value MongoDB documents for turning network compression off) and restart the server:

net:
  compression:
    compressors: "disabled"

Network Hardening

  • Remove direct internet exposure
  • Enforce IP allowlists, VPN, or privileged network segments
  • Require SCRAM authentication and TLS for all connections

Detection Indicators

  • Spikes in OP_COMPRESSED traffic to port 27017 from unfamiliar IPs
  • Large response payloads to small compressed requests
  • Scanning activity from new ASNs targeting 27017
  • Connections from IPs listed above (Baysec honeypot data)
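The indicators above can be turned into a first-pass triage over flow records. The following is an added Python example, not Baysec's own detection tooling, that walks Zeek conn.log-style records, keeps only flows to 27017, and reports sources that match a watchlist hit, a response far larger than a small request, or a burst of connections, adding "unfamiliar source" as context for anything outside an allowlist. The watchlist is the honeypot and Suricata source list from this report; the allowlist, field names and every flow record are constructed for the demonstration.

```python
"""Flow-record triage for the MongoBleed detection indicators.

Added example, not Baysec tooling. Records imitate Zeek conn.log fields
(id.orig_h, id.resp_p, orig_bytes, resp_bytes); all flows are constructed.
"""
from collections import Counter, defaultdict
import ipaddress

MONGO_PORT = 27017

# Source IPs reported in the honeypot table and Suricata alerts in this report.
WATCHLIST = {"68.183.138.35", "91.230.168.166", "142.93.192.62", "146.88.241.153"}

# Constructed allowlist: networks expected to talk to the database.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records (not real telemetry). 203.0.113.0/24 is a documentation range.
SAMPLE_FLOWS = [
    {"id.orig_h": "10.0.1.5", "id.resp_p": 27017, "orig_bytes": 900, "resp_bytes": 1200},
    {"id.orig_h": "10.0.1.5", "id.resp_p": 27017, "orig_bytes": 850, "resp_bytes": 4000},
    {"id.orig_h": "203.0.113.7", "id.resp_p": 27017, "orig_bytes": 64, "resp_bytes": 40000},
    {"id.orig_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 64, "resp_bytes": 40000},
] + [
    # Six bare connection attempts from one source, as a scanner would produce.
    {"id.orig_h": "91.230.168.166", "id.resp_p": 27017, "orig_bytes": 0, "resp_bytes": 0}
    for _ in range(6)
]


def is_allowlisted(ip: str, allowlist) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def flag_mongo_flows(records, allowlist, *, min_ratio=20.0, small_request=512, burst=5):
    """Return {src_ip: [reasons]} for sources whose flows to 27017 match an indicator.

    Strong indicators: watchlist hit, a response at least min_ratio times larger than a
    request of at most small_request bytes, or at least `burst` connections from one
    source. A source is reported only when a strong indicator fires; "unfamiliar source"
    is then added as context for anything outside the allowlist.
    """
    reasons = defaultdict(set)
    conns = Counter()
    for r in records:
        if r["id.resp_p"] != MONGO_PORT:
            continue                      # only database traffic is in scope here
        src = r["id.orig_h"]
        conns[src] += 1
        if src in WATCHLIST:
            reasons[src].add("watchlist")
        if (r["orig_bytes"] <= small_request
                and r["resp_bytes"] >= min_ratio * max(r["orig_bytes"], 1)):
            reasons[src].add("large response to small request")
    for src, n in conns.items():
        if n >= burst:
            reasons[src].add("connection burst")
    for src in reasons:
        if not is_allowlisted(src, allowlist):
            reasons[src].add("unfamiliar source")
    return {src: sorted(v) for src, v in reasons.items()}


if __name__ == "__main__":
    for src, why in flag_mongo_flows(SAMPLE_FLOWS, ALLOWLIST).items():
        print(src, ", ".join(why))
```

The thresholds are starting points, not tuned values: a legitimate application that issues small queries against large documents will trip the size-ratio rule, so in practice the allowlist should contain every application tier and the ratio rule should be read alongside the burst and watchlist signals rather than on its own.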

Incident Response

Assume attackers leaked in-memory secrets. Rotate database users, application secrets, and session tokens. Review egress logs for data staging to unfamiliar hosts.


References

Official Advisory

Vendor/Research Analysis

Incident Reporting


Public PoCs

Warning: Verify all PoC code before execution. Threat actors actively distribute malware through fake exploit repositories on GitHub, targeting security researchers with lures for recent CVEs. In December 2025, we observed campaigns distributing Webrat RAT through weaponized PoC repos. Review code manually, run in isolated environments, and cross-reference with trusted sources. See our December 2025 Threats Summary for details.