CVE-2025-14847

MongoDB Improper Handling of Length Parameter Inconsistency (CVE-2025-14847)

Initial Access Impact Last updated:

Detects exploitation attempts targeting CVE-2025-14847, an improper handling of length parameter inconsistency vulnerability (CWE-130) in MongoDB and MongoDB Server. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may craft malformed requests with inconsistent length parameters to cause unexpected server behavior, potentially leading to denial of service, data corruption, or unauthorized access.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
MongoDB
Product
MongoDB and MongoDB Server

Weakness (CWE)

CWE-130

Timeline

Disclosed
December 29, 2025

CVSS

Unscored
Write-up coming soon

What is CVE-2025-14847 MongoDB Improper Handling of Length Parameter Inconsistency (CVE-2025-14847)?

MongoDB Improper Handling of Length Parameter Inconsistency (CVE-2025-14847) (CVE-2025-14847) maps to the Initial Access and Impact tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for MongoDB Improper Handling of Length Parameter Inconsistency (CVE-2025-14847), covering the data sources and telemetry it touches: MongoDB Diagnostic Logs, Syslog, CommonSecurityLog, Azure Monitor. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Impact
Microsoft Sentinel / Defender
kusto 
union isfuzzy=true
(
  MongoDBDiagnosticLogs
  | where TimeGenerated >= ago(24h)
  | where Message has_any ("length", "BSONObj", "invalid", "assertion", "exception", "malformed")
  | where Message matches regex @"(?i)(length.*inconsisten|param.*mismatch|bson.*invalid|buffer.*overflow|assertion.*failed)"
  | project TimeGenerated, Computer, Message, Severity
),
(
  Syslog
  | where TimeGenerated >= ago(24h)
  | where ProcessName has_any ("mongod", "mongos")
  | where SyslogMessage has_any ("length", "assertion", "exception", "invalid", "malformed")
  | where SyslogMessage matches regex @"(?i)(length.*inconsisten|param.*mismatch|bson.*invalid|assertion.*failed)"
  | project TimeGenerated, Computer, ProcessName, SyslogMessage
),
(
  CommonSecurityLog
  | where TimeGenerated >= ago(24h)
  | where DestinationPort in (27017, 27018, 27019)
  | where Message has_any ("length", "malformed", "invalid", "error")
  | project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, Message
)
| sort by TimeGenerated desc

Detects MongoDB log entries and network traffic indicative of CVE-2025-14847 exploitation via length parameter inconsistency. Targets MongoDB diagnostic logs, syslog from mongod/mongos processes, and network flows to MongoDB ports.

high severity medium confidence

Data Sources

MongoDB Diagnostic Logs Syslog CommonSecurityLog Azure Monitor

Required Tables

MongoDBDiagnosticLogs Syslog CommonSecurityLog

False Positives

  • Legitimate MongoDB administrative operations that trigger assertion messages during maintenance windows
  • Automated backup or migration tools that interact with MongoDB on standard ports and produce verbose logging
  • MongoDB version upgrades or configuration changes that temporarily generate error messages resembling exploitation patterns
  • Load testing or performance benchmarking tools sending high volumes of requests to MongoDB ports

Sigma rule & cross-platform mapping

The detection logic for MongoDB Improper Handling of Length Parameter Inconsistency (CVE-2025-14847) (CVE-2025-14847) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2025-14847 Sigma rules on detection.fyi

Platform-specific guides for CVE-2025-14847

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (3)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Send Malformed BSON Message with Inconsistent Length to MongoDB

    Expected signal: MongoDB diagnostic log should record a parse error, assertion failure, or connection reset. Network capture should show malformed wire protocol frame followed by TCP RST or server-side close.

  2. Test 2Fuzzing MongoDB Port with Length Boundary Payloads

    Expected signal: Multiple connection events on port 27017 in rapid succession, followed by MongoDB log entries for parser errors or assertion failures for each boundary value tested.

  3. Test 3Verify MongoDB Version and Patch Status

    Expected signal: MongoDB audit log (if enabled) records a connection and command execution from localhost. Authentication log shows anonymous or credential-less connection attempt.

Unlock Pro Content

Get the full detection package for CVE-2025-14847 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0040Impact

Related Techniques

T1190Exploit Public-Facing ApplicationT1499Endpoint Denial of ServiceT1005Data from Local System

Same Tactic: Initial Access

Popular Detections