HIGH: Open MongoDB Report

DESCRIPTION LAST UPDATED: 2025-12-29

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that have the MongoDB NoSQL database running on port 27017/TCP and accessible on the Internet.

MONGOBLEED: We added tagging for MongoDB CVE-2025-14847. (Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client). For advisory, affected versions, and patch details see https://jira.mongodb.org/browse/SERVER-115508. This vulnerability is known exploited in the wild. Our check is version based (false positives due to backporting may be possible – if you receive a report that you believe is a false positive, please let us know). Tagged as cve-2025-14847. Severity is set to CRITICAL.[tagging added 2025-12-29]

While authentication is available for MongoDB, in many instances this authentication is not enabled. We tag MongoDB with no authentication as mongodb-noauth

  1. Our initial probe tests to see if MongoDB is accessible on the Internet and collecting the system information that it discloses.
  2. A secondary probe is then performed to determine if a list of databases can be obtained. If an error message is generated in response to this probe, the “visible_databases” field will say “none visible”, but if no error message is generated (indicating that no authentication is in use), the “visible_databases” field will list the first five databases that were returned.

For information on how to configure your MongoDB instance securely, please consult the MongoDB Security Checklist.

Track latest MongoDB exposure on our Dashboard.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filename(s): scan_mongodb, scan6_mongodb

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the MongoDB response came on (always TCP)
  • port
    Port that the MongoDB response came from (usually 27017/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Will always be mongodb, other tags such as mongodb-noauth or cve-2025-14847 may also be present
  • version
    MongoDB version number
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • gitversion
    Commit identifier that identifies the state of the code used to build MongoDB
  • sysinfo
    Information about the host running the MongoDB instance
  • opensslversion
    Version of OpenSSL in use (if any)
  • allocator
    Memory Allocator in use
  • javascriptengine
    The JavaScript engine in use by MongoDB
  • bits
    Processor Architecture (32 or 64 bits)
  • maxbsonobjectsize
    Maximum BSON Document Size
  • ok
    This will usually be "1", indicating that the command executed properly
  • visible_databases
    A list of the first five databases running on the instance of MongoDB — if authentication is in use, or for some other reason the list of databases could not be obtained, this will be listed as "none visible"
  • sector
    Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","version","asn","geo","region","city","naics","hostname_source","gitversion","sysinfo","opensslversion","allocator","javascriptengine","bits","maxbsonobjectsize","ok","visible_databases","sector"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,27017,node01.example.com,mongodb,3.2.11,64512,ZZ,Region,City,0,,009580ad490190ba33d1c6253ebd8d91808923e4,deprecated,,tcmalloc,mozjs,64,16777216,1,"READ_ME_TO_RECOVER_YOUR_DATA | local | wecast",
"2010-02-10 00:00:01",high,192.168.0.2,tcp,27017,node02.example.com,mongodb,2.6.4,64512,ZZ,Region,City,0,,3a830be0eb92d772aa855ebb711ac91d658ee910,"Linux build7.nj1.10gen.cc 2.6.32-431.3.1.el6.x86_64 #1 SMP Fri Jan 3 21:39:27 UTC 2014 x86_64 BOOST_LIB_VERSION=1_49",,tcmalloc,V8,64,16777216,1,"admin | local | gamelogic",
"2010-02-10 00:00:02",high,192.168.0.3,tcp,27017,node03.example.com,mongodb,6.0.8,64512,ZZ,Region,City,0,ptr,3d84c0dd4e5d99be0d69003652313e7eaf4cdd74,deprecated,,tcmalloc,mozjs,64,16777216,1,"none visible","Communications, Service Provider, and Hosting Service"

Our 140 Report Types

« Back to Network Reporting