Overview
- CISA added CVE-2025-14847 to its Known Exploited Vulnerabilities catalog and set a January 19, 2026 deadline for federal remediation.
- Active exploitation has been observed following a December 26 public proof-of-concept released by Elastic researcher Joe Desimone, with multiple PoCs now circulating.
- Exposure remains large, with Censys tracking about 87,000 potentially vulnerable internet-exposed instances and Shadowserver seeing roughly 74,000–75,000, while Wiz reports 42% of cloud environments include at least one vulnerable version.
- MongoDB says it discovered the bug on December 12, patched supported server releases, and auto-patched Atlas instances; self-hosted users are urged to upgrade to 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.
- Interim guidance includes disabling zlib compression, restricting network exposure, and using log-based detection tools such as MongoBleed Detector, with investigators warning that in-memory leakage leaves limited forensic traces.