Detect MongoDB Improper Handling of Length Parameter Inconsistency (CVE-2025-14847) in Microsoft Sentinel
Detects exploitation attempts targeting CVE-2025-14847, an improper handling of length parameter inconsistency vulnerability (CWE-130) in MongoDB and MongoDB Server. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may craft malformed requests with inconsistent length parameters to cause unexpected server behavior, potentially leading to denial of service, data corruption, or unauthorized access.
MITRE ATT&CK
- Tactic
- Initial Access Impact
KQL Detection Query
union isfuzzy=true
(
MongoDBDiagnosticLogs
| where TimeGenerated >= ago(24h)
| where Message has_any ("length", "BSONObj", "invalid", "assertion", "exception", "malformed")
| where Message matches regex @"(?i)(length.*inconsisten|param.*mismatch|bson.*invalid|buffer.*overflow|assertion.*failed)"
| project TimeGenerated, Computer, Message, Severity
),
(
Syslog
| where TimeGenerated >= ago(24h)
| where ProcessName has_any ("mongod", "mongos")
| where SyslogMessage has_any ("length", "assertion", "exception", "invalid", "malformed")
| where SyslogMessage matches regex @"(?i)(length.*inconsisten|param.*mismatch|bson.*invalid|assertion.*failed)"
| project TimeGenerated, Computer, ProcessName, SyslogMessage
),
(
CommonSecurityLog
| where TimeGenerated >= ago(24h)
| where DestinationPort in (27017, 27018, 27019)
| where Message has_any ("length", "malformed", "invalid", "error")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationPort, Message
)
| sort by TimeGenerated descDetects MongoDB log entries and network traffic indicative of CVE-2025-14847 exploitation via length parameter inconsistency. Targets MongoDB diagnostic logs, syslog from mongod/mongos processes, and network flows to MongoDB ports.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate MongoDB administrative operations that trigger assertion messages during maintenance windows
- Automated backup or migration tools that interact with MongoDB on standard ports and produce verbose logging
- MongoDB version upgrades or configuration changes that temporarily generate error messages resembling exploitation patterns
- Load testing or performance benchmarking tools sending high volumes of requests to MongoDB ports
Other platforms for CVE-2025-14847
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Send Malformed BSON Message with Inconsistent Length to MongoDB
Expected signal: MongoDB diagnostic log should record a parse error, assertion failure, or connection reset. Network capture should show malformed wire protocol frame followed by TCP RST or server-side close.
- Test 2Fuzzing MongoDB Port with Length Boundary Payloads
Expected signal: Multiple connection events on port 27017 in rapid succession, followed by MongoDB log entries for parser errors or assertion failures for each boundary value tested.
- Test 3Verify MongoDB Version and Patch Status
Expected signal: MongoDB audit log (if enabled) records a connection and command execution from localhost. Authentication log shows anonymous or credential-less connection attempt.
Unlock Pro Content
Get the full detection package for CVE-2025-14847 including response playbook, investigation guide, and atomic red team tests.