
SANS Internet StormCast
In the December 28, 2025 Stormcast episode, Johannes Ullrich warned listeners about a critical MongoDB flaw designated CVE-2025-14847. The bug stems from BSON compression handling: MongoDB reports the total allocated buffer size rather than the length actually used, allowing an attacker to read uninitialized memory. That memory can contain cryptographic keys, configuration data, and other sensitive information, making the issue comparable to the historic Heartbleed vulnerability. A patch was released on December 24, and a proof-of-concept exploit that simply tweaks a BSON length field was published alongside it.
The episode stresses that the vulnerability is not theoretical: active exploitation has already been observed against internet-exposed MongoDB instances. Many organizations mistakenly expose NoSQL databases for convenience, especially when the database is embedded in appliances such as UniFi controllers or other network devices. Because the exploit does not require code execution, attackers first harvest credentials and other secrets, which can later be leveraged for privilege escalation or lateral movement. The risk escalates dramatically when MongoDB is reachable from the public internet, or even from a loosely segmented internal network.
Ullrich's remediation advice is straightforward: apply the December 24 patch immediately, verify that no MongoDB service is publicly reachable, and rotate any potentially exposed credentials. Conduct a thorough inventory of embedded MongoDB deployments, restrict access to loopback or trusted subnets, and monitor logs for anomalous BSON requests. By treating this memory disclosure as a credential-theft vector, organizations can prevent the command-execution attacks that typically follow and protect their broader security posture.
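As an added illustration of the length-trust problem the episode describes (not code from the Stormcast, from MongoDB, or from the linked repositories), this Python checker walks a BSON document and rejects any declared length that exceeds the bytes actually received; a decoder that enforces this cannot be steered into reading beyond the data it was given. The sample documents and the `bson_string` helper are constructed here, and the checker accepts only the element types listed in `FIXED` plus string-like types.

```python
import struct

# Fixed-width BSON element types this checker accepts (type byte -> payload size).
FIXED = {0x01: 8, 0x07: 12, 0x08: 1, 0x09: 8, 0x0A: 0, 0x10: 4, 0x11: 8, 0x12: 8}

class BsonLengthError(ValueError):
    """A declared length disagrees with the bytes actually received."""

def _int32(buf, pos, limit):
    if pos + 4 > limit:  # never read a length prefix that is not fully present
        raise BsonLengthError(f"length prefix at {pos} runs past received data")
    return struct.unpack_from("<i", buf, pos)[0]

def validate_bson_lengths(buf: bytes) -> int:
    """Walk one BSON document, checking every declared length against len(buf).
    Returns the element count; raises BsonLengthError on any mismatch."""
    if len(buf) < 5 or buf[-1] != 0:
        raise BsonLengthError("not a well-formed BSON document")
    declared = _int32(buf, 0, len(buf))
    if declared != len(buf):
        raise BsonLengthError(f"declared {declared} bytes, received {len(buf)}")
    limit, pos, count = declared - 1, 4, 0  # limit excludes the trailing NUL
    while pos < limit:
        etype, pos = buf[pos], pos + 1
        key_end = buf.find(b"\x00", pos, limit)  # key is a NUL-terminated C string
        if key_end < 0:
            raise BsonLengthError("unterminated key")
        pos = key_end + 1
        if etype in (0x02, 0x0D, 0x0E):  # string-like: int32 length, bytes, NUL
            n = _int32(buf, pos, limit)
            if n < 1 or pos + 4 + n > limit or buf[pos + 3 + n] != 0:
                raise BsonLengthError(f"string length {n} exceeds received data")
            pos += 4 + n
        elif etype in FIXED and pos + FIXED[etype] <= limit:
            pos += FIXED[etype]
        else:
            raise BsonLengthError(f"bad or unsupported element type 0x{etype:02x}")
        count += 1
    return count

def bson_string(key: str, value: str) -> bytes:
    """Constructed sample helper: encode one BSON string element."""
    data = value.encode() + b"\x00"
    return b"\x02" + key.encode() + b"\x00" + struct.pack("<i", len(data)) + data

# Constructed samples: a valid document, and a copy whose string length claims far
# more bytes than were sent (what a length-trusting decoder would overread).
_BODY = bson_string("user", "alice") + b"\x10n\x00" + struct.pack("<i", 7)
GOOD = struct.pack("<i", len(_BODY) + 5) + _BODY + b"\x00"
BAD = GOOD.replace(struct.pack("<i", 6), struct.pack("<i", 4000), 1)
```

Running `validate_bson_lengths(GOOD)` returns 2, while `BAD` and any truncated copy of `GOOD` raise `BsonLengthError` instead of being read past their real end.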
MongoDB Unauthenticated Attacker Sensitive Memory Leak CVE-2025-14847
https://www.mongodb.com/community/forums/t/important-mongodb-patch-available/332977
https://github.com/mongodb/mongo/commit/505b660a14698bd2b5233bd94da3917b585c5728
https://www.ox.security/blog/attackers-could-exploit-zlib-to-exfiltrate-data-cve-2025-14847/
https://github.com/joe-desimone/mongobleed/