Exposed MongoDB Servers Remain Prime Targets for Automated Data Extortion Attacks and Vulnerability Exploitation
- Rescana
- 58 minutes ago
- 4 min read

Executive Summary
Exposed MongoDB instances continue to be a prime target for automated data extortion attacks, with threat actors leveraging both misconfiguration and unpatched vulnerabilities to compromise databases at scale. Despite years of industry warnings and repeated high-profile incidents, recent threat intelligence and OSINT confirm that thousands of MongoDB databases remain accessible on the public internet, often lacking authentication or running outdated, vulnerable versions. Attackers exploit these exposures by wiping databases and leaving ransom notes demanding cryptocurrency payments for restoration, though there is no evidence that data is ever actually returned. This advisory provides a comprehensive technical analysis of the latest attack trends, threat actor tactics, techniques, and procedures (TTPs), exploitation methods, and actionable recommendations for Rescana customers.
Threat Actor Profile
The current wave of MongoDB extortion attacks is characterized by opportunistic, highly automated threat actors rather than sophisticated advanced persistent threat (APT) groups. Analysis of ransom note Bitcoin wallet reuse, as reported by Flare Security and corroborated by BleepingComputer, suggests that a single dominant actor or closely coordinated group is responsible for the vast majority of incidents, with one wallet address appearing in 98% of cases. These actors operate globally, indiscriminately targeting any exposed MongoDB instance they can discover via internet-wide scanning tools such as Shodan. There is no evidence of targeted campaigns against specific industries or organizations, nor of advanced post-exploitation activity beyond data exfiltration and destruction. The attackers’ primary motivation is financial gain through extortion, and their operations are optimized for scale and speed rather than stealth or persistence.
Technical Analysis of Malware/TTPs
The attack chain begins with automated reconnaissance, using tools like Shodan, Censys, or custom scripts to identify MongoDB instances with open network access, typically on TCP port 27017. Once a target is identified, the attacker attempts unauthenticated access. If successful, the attacker enumerates available databases and collections, exfiltrates data (if desired), and then issues commands to drop or overwrite the data. A ransom note is inserted, usually as a new collection or document, containing instructions to pay a specified amount of Bitcoin (commonly 0.005 BTC, or approximately $500–$600 USD) to a provided wallet address within 48 hours to allegedly restore the data.
Recent campaigns have also exploited n-day vulnerabilities in outdated MongoDB versions, most notably CVE-2025-14847 ("MongoBleed") and CVE-2024-3372. MongoBleed is a critical memory leak vulnerability in the zlib compression library used by MongoDB, allowing unauthenticated attackers to extract uninitialized heap memory, potentially exposing sensitive data. CVE-2024-3372 enables denial of service via improper metadata validation. However, the overwhelming majority of successful attacks still result from misconfiguration—specifically, the absence of authentication and unrestricted network exposure.
Indicators of compromise (IOCs) include the presence of ransom note documents or collections, often with standardized text and Bitcoin wallet addresses, as well as evidence of mass data deletion or overwriting. The attack is typically completed within minutes of initial access, and there is no evidence that attackers retain backups or honor ransom payments.
Exploitation in the Wild
According to Flare Security’s 2026 research, over 208,500 MongoDB servers were found exposed to the public internet, with 3,100 accessible without authentication and 100,000 leaking operational information. Nearly half (45.6%) of unauthenticated instances had already been compromised and wiped, with ransom notes left behind. These attacks are ongoing, with hundreds of new victims each month. Notably, some organizations have paid the ransom, but there is no verifiable evidence that data restoration occurs. The attacks are indiscriminate, affecting organizations of all sizes and sectors, and are often accompanied by irreversible data loss due to the lack of reliable backups.
The exploitation of MongoBleed (CVE-2025-14847) has been observed in the wild, with attackers leveraging the vulnerability to leak sensitive memory contents from unpatched MongoDB servers. Both Community and Enterprise editions are affected, specifically versions 8.2.0 through 8.2.3, 8.0.0 through 8.0.16, and 7.0.0 through 7.0.27. The combination of misconfiguration and unpatched vulnerabilities significantly increases the attack surface and risk of compromise.
Victimology and Targeting
Victims of these extortion campaigns span a wide range of industries, including healthcare, finance, retail, education, and government. The common denominator is the presence of an exposed MongoDB instance, regardless of organizational size or sector. Attackers do not discriminate based on geography or industry vertical; instead, they rely on automated scanning to identify and compromise any accessible target. The impact is often severe, with complete data loss and operational disruption, particularly for organizations lacking robust backup and recovery processes. Publicly accessible MongoDB instances running outdated versions are at the highest risk, especially those without authentication or with default credentials.
Mitigation and Countermeasures
To mitigate the risk of MongoDB extortion attacks, organizations must implement a multi-layered defense strategy. First and foremost, do not expose MongoDB instances to the public internet unless absolutely necessary. Enforce strong authentication and access controls, and restrict network access using firewalls, VPNs, or network segmentation. Regularly update MongoDB to the latest version to address known vulnerabilities, including CVE-2025-14847 and CVE-2024-3372. Monitor for the presence of ransom notes, suspicious access patterns, and unauthorized configuration changes. Immediately rotate credentials and review access logs if exposure is detected. Establish and routinely test comprehensive backup and restoration procedures to ensure data can be recovered in the event of compromise. Leverage threat intelligence feeds and vulnerability management platforms to stay informed of emerging threats and best practices.
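Two of the checks above, whether a server's reported version sits inside the MongoBleed-affected ranges listed under Exploitation in the Wild and whether a database listing contains the ransom-note artifacts described under Technical Analysis, as an added Python example that is not Rescana's code. The affected ranges are taken from this advisory; the note-scoring heuristics, the Bitcoin address patterns and the sample listing are the example's own assumptions, and the input is an offline list of (collection, document) pairs so no live MongoDB connection is needed.

```python
import re

# Inclusive version ranges the advisory lists as affected by CVE-2025-14847 (MongoBleed).
AFFECTED_RANGES = [((8, 2, 0), (8, 2, 3)), ((8, 0, 0), (8, 0, 16)), ((7, 0, 0), (7, 0, 27))]

def parse_version(version):
    """'7.0.12-ent' -> (7, 0, 12); edition/build suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_mongobleed_affected(version):
    """True when the reported server version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

# Heuristics (assumed, not from the advisory) for the ransom-note artifacts it describes:
# a newly created collection or document carrying a BTC amount, a wallet and a deadline.
NOTE_COLLECTION = re.compile(r"read_?me|warning|recover|restore", re.I)
BTC_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
NOTE_WORDS = ("bitcoin", "btc", "ransom", "48 hours", "restore", "wallet")

def ransom_note_indicators(listing):
    """Return collections whose documents look like ransom notes; listing is (name, doc) pairs."""
    hits = []
    for coll, doc in listing:
        raw = " ".join(str(v) for v in doc.values())
        text = raw.lower()
        score = sum(word in text for word in NOTE_WORDS)
        if BTC_ADDR.search(raw):
            score += 2                       # payment address is the strongest signal
        if NOTE_COLLECTION.search(coll):
            score += 1                       # note dropped as its own collection
        if score >= 3 and coll not in hits:
            hits.append(coll)
    return hits

# Constructed sample listing (not real data): one legitimate collection and one
# wiped database's leftover note with a placeholder wallet address.
SAMPLE_LISTING = [
    ("users", {"name": "alice", "email": "alice@example.com"}),
    ("READ_ME_TO_RECOVER_YOUR_DATA", {"content": "Your data is backed up. Pay 0.005 BTC to "
     "bc1qconstructedexampleaddress000000000 within 48 hours to restore it."}),
]

if __name__ == "__main__":
    print("affected:", is_mongobleed_affected("7.0.12-ent"))   # True
    print("notes:", ransom_note_indicators(SAMPLE_LISTING))     # ['READ_ME_TO_RECOVER_YOUR_DATA']
```

In practice the listing would be built from a read-only dump of a suspect instance, and a version hit should be treated as a patch-now finding regardless of whether a note is present.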
References
BleepingComputer: Exposed MongoDB instances still targeted in data extortion attacks
cyber.gov.au: Vulnerability in MongoDB product
SentinelOne: CVE-2024-3372: MongoDB Server DoS Vulnerability
Flare Security Research: Flare Blog
MongoDB Security Best Practices: MongoDB Security
Shodan: MongoDB Exposure Search
About Rescana
Rescana empowers organizations to proactively manage third-party cyber risk with a comprehensive TPRM platform that delivers actionable intelligence, continuous monitoring, and automated risk assessment workflows. Our platform enables security teams to identify, prioritize, and remediate vulnerabilities across their digital supply chain, ensuring robust protection against evolving threats. For more information or to discuss your organization’s risk posture, we are happy to answer questions at ops@rescana.com.