# CISA orders feds to patch MongoBleed flaw exploited in attacks

![](https://www.bleepstatic.com/content/hl-images/2025/01/13/CISA--headpic.jpg)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to secure their systems against a high-severity MongoDB flaw that is actively being exploited in attacks.

Dubbed  and tracked as , this vulnerability was patched , and it stems from how MongoDB Server processes network packets using the zlib library for data compression.

Successful exploitation allows unauthenticated threat actors to remotely steal credentials and other sensitive data, including API and/or cloud keys, session tokens, internal logs, and personally identifiable information (PII), through low-complexity attacks that don't require user interaction.

Elastic security researcher  has also released a proof-of-concept (PoC) exploit that leaks sensitive memory data when targeting unpatched hosts.

On Monday, Internet security watchdog  over 74,000 Internet-exposed, potentially vulnerable MongoDB instances. Censys is also tracking  that have been fingerprinted as running possibly unpatched MongoDB versions.

According to telemetry data from the cloud security platform Wiz, which also  over the weekend, the impact across the cloud environment appears significant, as 42% of visible systems "have at least one instance of MongoDB in a version vulnerable to CVE-2025-14847."

![](https://www.bleepstatic.com/images/news/u/1109292/2025/Internet-exposed%20MongoDB%20instances.jpg)*Internet-exposed MongoDB instances (Shadowserver)*

​CISA has now  and has  to its list of vulnerabilities exploited in attacks, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their systems within three weeks, by January 19, 2026.

FCEB agencies are non-military U.S. executive branch agencies, including the Department of Homeland Security, the Department of the Treasury, the Department of Energy, and the Department of Health and Human Services.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

Network defenders who can't immediately apply security patches to secure their systems are advised to  on the server.

A  that parses MongoDB logs and identifies potential CVE-2025-14847 exploitation is also available for admins who want to identify vulnerable servers on their networks.

MongoDB is an extremely popular non-relational database management system (DBMS) used by over 62,500 organizations worldwide, including dozens of Fortune 500 companies.

Broken IAM isn't just an IT problem - the impact ripples across your whole business.

This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.

	  ****
