Overview
- CISA added CVE-2025-14847 to its Known Exploited Vulnerabilities catalog and ordered U.S. federal agencies to remediate by January 19, 2026.
- Scanning data shows broad exposure, with Censys observing more than 87,000 potentially vulnerable servers and Shadowserver counting nearly 75,000 unpatched public instances, while Wiz reports 42% of cloud environments have at least one affected version.
- The flaw arises from MongoDB’s zlib decompression code returning the allocated buffer size instead of the actual decompressed length, so an unauthenticated client can obtain pre‑authentication leaks of in‑memory data such as passwords and API keys.
- A public proof‑of‑concept published on December 26 by Joe Desimone accelerated exploitation in the wild, prompting guidance to upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30, with Atlas customers already auto‑patched.
- If immediate upgrades are not possible, defenders are urged to disable zlib in favor of snappy or zstd, limit network exposure, and hunt for pre‑authentication anomalies, noting that memory‑leak activity may leave minimal forensic traces; reports tying the bug to the Ubisoft breach remain unconfirmed.
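The bug class behind the fourth bullet (a decompression wrapper that reports the receive buffer's capacity rather than the number of bytes it actually inflated) is easier to reason about with a small reproduction. The Go program below is an added illustration written for this summary; it is not MongoDB's code and does not model its wire protocol. The handler names (`vulnerableHandle`, `fixedHandle`, `decompressInto`), the `maxMessage` size and the embedded secret string are all constructed for the example. It shows a receive buffer reused across two messages: the first message carries a secret, the second is short, and the buggy handler hands the whole buffer, stale bytes included, back to the second caller, while the corrected handler returns only the inflated length.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"errors"
	"fmt"
	"io"
)

// maxMessage is the fixed capacity of the toy server's receive buffer (constructed value).
const maxMessage = 64

// compress zlib-compresses a payload; used only to build constructed test input.
func compress(plain []byte) []byte {
	var out bytes.Buffer
	w := zlib.NewWriter(&out)
	w.Write(plain)
	w.Close()
	return out.Bytes()
}

// decompressInto inflates compressed into buf and returns the number of bytes
// actually produced. This count, not len(buf), is what a caller must use.
func decompressInto(compressed, buf []byte) (int, error) {
	r, err := zlib.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return 0, err
	}
	defer r.Close()
	n := 0
	for n < len(buf) {
		m, err := r.Read(buf[n:])
		n += m
		if errors.Is(err, io.EOF) {
			return n, nil // stream finished; n is the true inflated length
		}
		if err != nil {
			return n, err
		}
	}
	// Buffer filled exactly: probe for more data so oversize input is an error, not silent truncation.
	var probe [1]byte
	if m, _ := r.Read(probe[:]); m > 0 {
		return n, errors.New("inflated message exceeds receive buffer")
	}
	return n, nil
}

// vulnerableHandle models the defect described in the summary: it reports the
// buffer's capacity instead of the inflated length, so whatever an earlier
// message left in the buffer is sent back along with the new payload.
func vulnerableHandle(buf, compressed []byte) ([]byte, error) {
	if _, err := decompressInto(compressed, buf); err != nil {
		return nil, err
	}
	return buf[:len(buf)], nil // BUG: capacity, not bytes actually inflated
}

// fixedHandle returns exactly the bytes the decompressor produced.
func fixedHandle(buf, compressed []byte) ([]byte, error) {
	n, err := decompressInto(compressed, buf)
	if err != nil {
		return nil, err
	}
	return buf[:n], nil
}

// simulate runs two messages through one reused, never-cleared receive buffer
// and returns what the second client receives from each handler variant.
func simulate() (leaky, correct []byte, err error) {
	buf := make([]byte, maxMessage) // reused across messages, never zeroed
	// Constructed secret standing in for credentials a prior session left in memory.
	secret := []byte("user:alice pass:hunter2 apikey:CONSTRUCTED-0000")
	if _, err = fixedHandle(buf, compress(secret)); err != nil {
		return nil, nil, err
	}
	short := compress([]byte("ping"))
	leaky, err = vulnerableHandle(buf, short)
	if err != nil {
		return nil, nil, err
	}
	leaky = append([]byte(nil), leaky...) // copy before the buffer is reused
	correct, err = fixedHandle(buf, short)
	if err != nil {
		return nil, nil, err
	}
	return leaky, correct, nil
}

func main() {
	leaky, correct, err := simulate()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("vulnerable handler reply (%d bytes): %q\n", len(leaky), leaky)
	fmt.Printf("fixed handler reply      (%d bytes): %q\n", len(correct), correct)
}
```

The reply from `vulnerableHandle` is the full 64-byte buffer, in which the four inflated bytes are followed by the tail of the previous message's secret; `fixedHandle` returns just `ping`. The same distinction is why the summary's mitigation of removing zlib from the negotiated compressors works: with no zlib path, the miscounted length is never reached.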