MongoBleed scanner for admins
Many MongoDB instances are, or were, potentially vulnerable to MongoBleed. A new tool helps administrators analyze their servers for traces of attacks.
(Image: Dilok Klaisataporn/Shutterstock.com)
The highly critical security vulnerability in the MongoDB database, which became known around Christmas and has been under attack ever since, can be closed with updated software or configuration changes. However, on New Year's Eve, tens of thousands of potentially vulnerable instances were still reachable online. Investigating whether one's own servers have already been attacked, and possibly even compromised, has been rather tedious so far. This changes with a small tool by Florian Roth called "MongoBleed Detector".
MongoBleed Detector is available on GitHub and is maintained by the author. After updating the MongoDB server, it is recommended to examine the database with it to detect possible exploitation of the MongoBleed vulnerability CVE-2025-14847.
The tool offers several modes for this. Besides log correlation, for example via connection events and missing client metadata (which only occurs with a specific proof-of-concept exploit), administrators can examine snapshots of serverStatus.asserts. IT researchers have identified this as a reliable indicator of attack attempts, because the "user" counter there ends up several orders of magnitude higher than normal. The analysis based on MongoDB's Full-Time Diagnostic Data Capture (FTDC) subsystem, also presented by those researchers, is the third detection method MongoBleed Detector supports.
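As an added illustration of the log-correlation idea described above (this is not code from MongoBleed Detector or from Florian Roth), the following Python checks mongod JSON logs for accepted connections that never announced client metadata. The log field layout is an assumption about the mongod 4.4+ structured log format, and the sample lines are constructed.

```python
import json

# Constructed MongoDB structured (JSON) log lines, not a real capture. The field
# layout follows the mongod 4.4+ log format as this example assumes it:
# "Connection accepted" (id 22943) carries attr.connectionId, "client metadata"
# (id 51800) is logged from ctx "conn<N>", "Connection ended" (id 22944).
SAMPLE_LOG = r'''
{"t":{"$date":"2025-12-27T03:14:05.001+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51234","connectionId":41,"connectionCount":1}}
{"t":{"$date":"2025-12-27T03:14:05.004+00:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn41","msg":"client metadata","attr":{"remote":"10.0.0.5:51234","client":"conn41","doc":{"driver":{"name":"mongo-go-driver","version":"1.13.1"}}}}
{"t":{"$date":"2025-12-27T03:14:09.120+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.23:40001","connectionId":42,"connectionCount":2}}
{"t":{"$date":"2025-12-27T03:14:09.377+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn42","msg":"Connection ended","attr":{"remote":"198.51.100.23:40001","connectionId":42,"connectionCount":1}}
{"t":{"$date":"2025-12-27T03:14:10.002+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.23:40002","connectionId":43,"connectionCount":2}}
'''

CONN_ACCEPTED, CLIENT_METADATA = 22943, 51800

def connections_without_metadata(log_text):
    """Return {connectionId: remote} for accepted connections that never logged
    client metadata. Regular drivers send metadata in their first hello, so a
    connection without it deserves a closer look (a connection still mid-handshake
    at the end of the log window is a benign false positive)."""
    accepted, saw_metadata = {}, set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("c") != "NETWORK":
            continue
        attr = ev.get("attr", {})
        if ev["id"] == CONN_ACCEPTED:
            accepted[attr["connectionId"]] = attr["remote"]
        elif ev["id"] == CLIENT_METADATA:
            # ctx is "conn<N>"; N is the connectionId from the accept event
            saw_metadata.add(int(ev["ctx"].removeprefix("conn")))
    return {cid: rem for cid, rem in accepted.items() if cid not in saw_metadata}

def remotes_by_count(log_text):
    """Count metadata-less connections per remote IP to surface repeated probes."""
    counts = {}
    for remote in connections_without_metadata(log_text).values():
        ip = remote.rsplit(":", 1)[0]
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Run it over a real `mongod.log` by reading the file into `log_text`; a remote with many metadata-less connections in a short window is worth cross-checking against the serverStatus.asserts counter described above.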
Usable locally and remotely
The MongoBleed Detector analyzes local MongoDB data, but with a hosts file and the companion script mongobleed-remote.py, it can also reach and examine remote systems via SSH. Roth explains the functions and options in detail on the project's GitHub page.
Florian Roth is well-known in IT security circles. He also programs the tool "Thor", which can be used to examine systems for indicators of compromise (IOCs). The analysis tool is also included in the "Thor Lite" version in c't-Desinfec't.
(dmk)