Automated extortion campaign targeting exposed MongoDB instances
Campaign
Summary
A threat actor is running an active extortion campaign against exposed MongoDB instances, compromising roughly 1,400 servers and leaving ransom notes to pressure owners into paying. The operation relies on database wiping and low ransom demands of about 0.005 BTC, payable within 48 hours, which puts any unsecured, exposed database at immediate risk. The broader exposure surface is large, with more than 208,500 MongoDB servers visible online and thousands accessible without authentication.
Related Happenings
Rising encryptionless extortion incidents against enterprises in 2025
Target Trend
First: 15.01.2026 17:45
Last: 15.01.2026 17:45
Sources 1
About this happening:
**Encryptionless extortion** surged in **2025** as attackers increasingly skipped ransomware encryption and instead stole data to pressure victims across **enterprise environments...
MongoDB CVE-2025-14847 active exploitation worldwide
Exploitation Wave
First: 29.12.2025 09:49
Last: 29.12.2025 09:49
Sources 1
About this happening:
**CVE-2025-14847** is being **actively exploited** against **MongoDB** deployments, putting a global pool of **87,000+** potentially susceptible instances at risk. The wave matter...
MongoDB Server improper length parameter handling RCE (CVE-2025-14847)
Vulnerability
First: 24.12.2025 16:18
Last: 24.12.2025 16:18
Sources 1
About this happening:
**MongoDB** warned admins to immediately patch **CVE-2025-14847**, a **high-severity RCE** flaw affecting vulnerable **MongoDB Server** versions. The weakness can be abused by **u...
Latest development: 30.12.2025 16:40
CISA confirmed Wiz's report that CVE-2025-14847, also called MongoBleed, is being exploited in attacks and added the flaw to its exploited-in-attacks list. The agency ordered Federal Civilian Executive Branch agencies to patch affected MongoDB systems within three weeks, by January 19, 2026, and told defenders to disable zlib compression if they cannot apply fixes immediately.
Timeline
- 01.02.2026 18:27 · 2 articles
  Exposed MongoDB instances targeted in automated extortion campaign
  Initial Disclosure: A threat actor is targeting exposed MongoDB instances in automated data extortion attacks, with Flare saying about 1,400 exposed servers were compromised and ransom notes typically demanded 0.005 BTC within 48 hours. Flare also found more than 208,500 publicly exposed MongoDB servers, including 3,100 accessible without authentication, and reported that 45.6% of unrestricted instances had already been compromised while nearly half of exposed servers ran older versions vulnerable to n-day flaws.
- Exposed MongoDB instances still targeted in data extortion attacks — www.bleepingcomputer.com — 01.02.2026 18:27