CVE-2025-14847 IBM QRadar · QRadar

Detect MongoDB Improper Handling of Length Parameter Inconsistency (CVE-2025-14847) in IBM QRadar

Detects exploitation attempts targeting CVE-2025-14847, an improper handling of length parameter inconsistency vulnerability (CWE-130) in MongoDB and MongoDB Server. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may craft malformed requests with inconsistent length parameters to cause unexpected server behavior, potentially leading to denial of service, data corruption, or unauthorized access.

MITRE ATT&CK

Tactic
Initial Access Impact

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  logsourcename(logsourceid) AS log_source,
  UTF8(payload) AS raw_payload,
  QIDNAME(qid) AS event_name
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('MongoDB', 'Linux Syslog', 'Universal DSM')
  AND (
    UTF8(payload) ILIKE '%length%inconsisten%'
    OR UTF8(payload) ILIKE '%BSONObj%invalid%'
    OR UTF8(payload) ILIKE '%assertion%failed%'
    OR UTF8(payload) ILIKE '%malformed%request%'
    OR (destinationport IN (27017, 27018, 27019) AND UTF8(payload) ILIKE '%error%')
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%mongo%'
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 1000
high severity medium confidence

QRadar AQL query targeting MongoDB log sources and network events to identify length parameter inconsistency patterns associated with CVE-2025-14847 exploitation.

Data Sources

MongoDB DSMLinux SyslogNetwork Flow

Required Tables

events

False Positives & Tuning

  • Legitimate MongoDB replication traffic on standard ports generating benign error payloads
  • MongoDB Atlas or cloud connector traffic that produces verbose error messages during synchronization
  • Custom application-layer health checks targeting MongoDB ports that trigger error responses
  • MongoDB log rotation or compaction operations producing assertion-like log entries

Other platforms for CVE-2025-14847

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Send Malformed BSON Message with Inconsistent Length to MongoDB

    Expected signal: MongoDB diagnostic log should record a parse error, assertion failure, or connection reset. Network capture should show malformed wire protocol frame followed by TCP RST or server-side close.

  2. Test 2Fuzzing MongoDB Port with Length Boundary Payloads

    Expected signal: Multiple connection events on port 27017 in rapid succession, followed by MongoDB log entries for parser errors or assertion failures for each boundary value tested.

  3. Test 3Verify MongoDB Version and Patch Status

    Expected signal: MongoDB audit log (if enabled) records a connection and command execution from localhost. Authentication log shows anonymous or credential-less connection attempt.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-14847 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0040Impact

Related Techniques

T1190Exploit Public-Facing ApplicationT1499Endpoint Denial of ServiceT1005Data from Local System

Same Tactic: Initial Access

Popular Detections