MongoBleed: Over 11,500 Vulnerable MongoDB Instances in Germany
IT security researchers have investigated the spread of instances vulnerable to MongoBleed. In Germany, there are over 11,500.
IT admins are not getting any rest "between the years". On Christmas, a highly critical security vulnerability in MongoDB nicknamed "MongoBleed" became known, through which network-based attackers can obtain access credentials without prior authentication, reminiscent of the "CitrixBleed" disaster at the end of 2023. Tens of thousands of systems worldwide are still vulnerable, and Germany lands in an unenviable third place with more than 11,500 vulnerable instances.
This is reported by IT security researchers from Resecurity in a blog post. Since proof-of-concept code for exploiting the vulnerability CVE-2025-14847 (CVSS 8.7, risk "high") has become publicly available, mass attacks are to be expected. That makes it all the more serious that Resecurity, searching the Shodan database, found almost 90,000 MongoDB instances worldwide that report vulnerable versions.
Most of the vulnerable systems are in China, where Shodan found 16,576 on Tuesday of this week. The USA follows in second place with 14,486 vulnerable instances, and Germany is already in third place with 11,547 attackable, network-accessible MongoDB servers. Further down the list is Hong Kong, where 5,521 vulnerable MongoDB instances can still be found.
German Provider Leads Worldwide
The breakdown by hosting provider is particularly striking for Germany. Hetzner Online GmbH ranks first worldwide, hosting 6,828 vulnerable MongoDB servers. Only then follows Alibaba Cloud (Aliyun) with 6,226 attackable instances. Other well-known providers such as Google land in fifth place with 3,364 exposed, vulnerable MongoDB servers.
Resecurity mentions one limitation: to be vulnerable, zlib compression must be enabled, which, according to the researchers, is often the default configuration. Admins should update vulnerable instances to a secure software version now at the latest; fixed MongoDB releases are 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30 and newer. Older release lines have reached end-of-life and will no longer receive patches. Those who cannot update immediately should, according to Resecurity, temporarily disable zlib compression or switch to an alternative compressor as a countermeasure, and restrict access to the MongoDB network port (default 27017), for example with firewalls or a VPN.
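As an added defender-side illustration (this is not code from the article, Resecurity or MongoDB), the following Python script turns the advice above into a check: it compares a server's reported version against the fixed releases listed in the article, reads the `net.compression.compressors` setting from a mongod.conf to tell whether zlib is still enabled, and recommends an action. The sample configuration is constructed, and the assumed default compressor list (snappy, zstd and zlib) reflects the article's note that zlib is often on by default.

```python
"""Defender-side triage for the MongoBleed advisory (CVE-2025-14847).

Added example, not the article's or MongoDB's own code. It classifies a
reported MongoDB version against the fixed releases named in the article
and checks whether the zlib wire compressor is still enabled.
"""
import re

# Minimum fixed release per supported line, as named in the article.
FIXED_VERSIONS = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}

# Assumption: compressor list used when mongod.conf does not set one
# (the article says zlib is often enabled by default).
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed mongod.conf fragment with zlib already removed as interim mitigation.
SAMPLE_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
  compression:
    compressors: snappy,zstd   # zlib dropped until the update is rolled out
"""


def parse_version(version: str) -> tuple:
    """Turn a version string such as '7.0.28' or '7.0.28-rc0' into (7, 0, 28)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'no-fix-available' for a version."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Release lines the article lists no fix for (end-of-life or unlisted):
        # these need a migration to a supported line, not a point update.
        return "no-fix-available"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def zlib_enabled(compressors: str) -> bool:
    """True if zlib appears in a comma-separated net.compression.compressors list."""
    return "zlib" in [c.strip() for c in compressors.split(",") if c.strip()]


def compressors_from_conf(conf_text: str) -> str:
    """Extract the compressors value from mongod.conf text; assume the default if absent."""
    m = re.search(r"^\s*compressors:\s*[\"']?([^\"'\s#]+)", conf_text, re.M)
    return m.group(1) if m else DEFAULT_COMPRESSORS


def assess(version: str, conf_text: str = "") -> dict:
    """Combine version and compressor state into a recommended action."""
    status = version_status(version)
    zlib = zlib_enabled(compressors_from_conf(conf_text))
    if status == "patched":
        action = "none"
    elif status == "vulnerable" and not zlib:
        action = "update; zlib already disabled (interim mitigation in place)"
    elif status == "vulnerable":
        fixed = ".".join(map(str, FIXED_VERSIONS[parse_version(version)[:2]]))
        action = f"update to {fixed} or newer; meanwhile disable zlib and firewall port 27017"
    else:
        action = "end-of-life line: migrate to a supported release; disable zlib and firewall port 27017 now"
    return {"version": version, "status": status, "zlib_enabled": zlib, "action": action}


if __name__ == "__main__":
    for v in ("7.0.27", "7.0.28", "4.2.25"):
        print(assess(v, SAMPLE_CONF))
        print(assess(v))
```

Feed it the version string reported by the server and the deployed mongod.conf; an instance on a listed line below its fixed release with zlib still enabled is the one to prioritise, while an unlisted line cannot be fixed by a point update at all.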
(dmk)