Overview
- A public proof‑of‑concept released on December 26 is being used in the wild to siphon credentials, cloud keys, and other data from exposed MongoDB instances.
- Censys observed more than 87,000 potentially vulnerable servers online as of December 27, with the largest counts in the United States, China, and Germany.
- Wiz reported that 42% of cloud environments include at least one MongoDB instance running a vulnerable version, extending risk beyond internet‑exposed systems.
- Vendor fixes have been available since December 19 across supported and legacy branches, and MongoDB Atlas was patched automatically with no customer action required.
- If immediate upgrades are not possible, guidance urges disabling zlib compression, restricting network exposure, and reviewing logs using methods and tools shared by Eric Capuano and Florian Roth.
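
An added example (not from the original page or from MongoDB): a Python check of a `mongod.conf` for the two configuration-level mitigations in the last item, zlib compression and network exposure. The function names and sample configs are constructed for illustration; it assumes the documented `net.compression.compressors` default of `snappy,zstd,zlib`, so a file that never mentions compression is still flagged, and it handles only simple nested YAML mappings.

```python
# Added example: audit mongod.conf text for zlib compression and wide binds.
# Function names and sample configs are constructed for illustration.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"  # assumed mongod default when unset
WILDCARDS = {"0.0.0.0", "::", "*"}  # bindIp values meaning "all interfaces"


def parse_flat(text):
    """Flatten simple nested YAML mappings to dotted keys (no lists/anchors)."""
    out, stack = {}, []  # stack: (indent, key) of open parent mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            out[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return out


def audit_mongod_conf(text):
    """Return a list of findings; empty means neither issue is in the file."""
    conf, findings = parse_flat(text), []
    explicit = "net.compression.compressors" in conf
    comp = conf.get("net.compression.compressors", DEFAULT_COMPRESSORS)
    if "zlib" in {c.strip().lower() for c in comp.split(",")}:
        findings.append("zlib enabled " + ("explicitly" if explicit else "by default"))
    binds = {b.strip() for b in conf.get("net.bindIp", "localhost").split(",")}
    if conf.get("net.bindIpAll", "false").lower() == "true" or binds & WILDCARDS:
        findings.append("listening on all interfaces")
    return findings


# Constructed sample: no compressors key, so the default list (with zlib) applies.
EXPOSED = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
# Constructed sample: zlib removed, bound to loopback and one private address.
HARDENED = """net:
  bindIp: 127.0.0.1,10.0.0.5  # constructed address
  compression:
    compressors: snappy,zstd
"""

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_mongod_conf(text) or "no findings")
```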