It’s been a while! I got busy with a bunch of other work, so I haven’t been posting here lately. Going into the new year I hope to improve that, and try to do some streaming and video content as well. We’ll see how that goes; start the new year with a good cadence and make something happen.
Odds are you’ve seen the discourse around MongoBleed (CVE-2025-14847), a MongoDB memory read vulnerability in its zlib compression implementation. It allows an attacker to read uninitialized memory: the attacker sets an arbitrary buffer size via the uncompressedSize field, and the server returns whatever uninitialized memory sits in that buffer, because writing safe C code is hard if you’re not careful.
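To make the bug class concrete, here is a small model of the pattern described above: a decompressor that trusts a caller-supplied uncompressedSize, allocates that many bytes, and hands back the whole buffer even though decompression only wrote part of it, next to a hardened version that rejects any mismatch. This is an added example and not MongoDB’s code; the message framing (a 4-byte little-endian length followed by a zlib body) and the stale heap contents are constructed stand-ins, and only the field name uncompressedSize and the use of zlib come from the write-up.

```python
"""Model of the uninitialized-buffer read described for MongoBleed.

Added example, not MongoDB's implementation. The framing and the "stale
heap" contents are constructed for illustration; the only details taken
from the write-up are the uncompressedSize field and the use of zlib.
"""
import struct
import zlib
from typing import Optional

# Upper bound a server would place on any declared size (assumed value).
MAX_UNCOMPRESSED = 16 * 1024 * 1024

# Constructed stand-in for data left behind in freed heap memory. A real
# allocator does not zero recycled memory, so a fresh buffer can still hold
# fragments of earlier requests; this string plays that role.
STALE_HEAP = b"secret-session-token=ABC123;" * 64


def allocate(size: int) -> bytearray:
    """Simulate malloc(): return a buffer still holding previous contents."""
    filler = STALE_HEAP * (size // len(STALE_HEAP) + 1)
    return bytearray(filler[:size])


def build_message(payload: bytes, declared_size: Optional[int] = None) -> bytes:
    """Constructed framing: uncompressedSize (uint32 LE) + zlib-compressed body.

    declared_size lets a test supply a value that disagrees with the payload.
    """
    size = len(payload) if declared_size is None else declared_size
    return struct.pack("<I", size) + zlib.compress(payload)


def decompress_vulnerable(msg: bytes) -> bytes:
    """Buggy pattern: trusts uncompressedSize and returns the whole buffer.

    Decompression only overwrites the first len(out) bytes; everything after
    that is whatever the allocator handed back, and it is returned to the caller.
    """
    (declared,) = struct.unpack_from("<I", msg, 0)
    buf = allocate(declared)
    out = zlib.decompressobj().decompress(msg[4:], declared)  # at most `declared` bytes
    buf[: len(out)] = out
    return bytes(buf)  # tail beyond len(out) was never written


def decompress_hardened(msg: bytes) -> bytes:
    """Fixed pattern: only trust bytes the decompressor actually produced.

    Rejects a declared size outside sane bounds, a stream that did not end
    where it claimed (declared too small), and a stream that produced fewer
    bytes than declared (declared too large, the leak case).
    """
    (declared,) = struct.unpack_from("<I", msg, 0)
    if not 0 < declared <= MAX_UNCOMPRESSED:
        raise ValueError(f"uncompressedSize {declared} out of bounds")
    d = zlib.decompressobj()
    out = d.decompress(msg[4:], declared)  # cap output at the declared size
    if not d.eof or len(out) != declared:
        raise ValueError(
            f"uncompressedSize {declared} does not match decompressed length {len(out)}"
        )
    return out  # exactly the bytes zlib wrote, nothing uninitialized


def is_rejected(msg: bytes) -> bool:
    """True if the hardened decoder refuses the message."""
    try:
        decompress_hardened(msg)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    payload = b'{"ping": 1}'  # constructed sample body
    honest = build_message(payload)
    oversized = build_message(payload, declared_size=64)

    print("honest, vulnerable :", decompress_vulnerable(honest))
    leaked = decompress_vulnerable(oversized)
    print("oversized, vulnerable returns", len(leaked), "bytes; tail:", leaked[len(payload):])
    print("oversized, hardened rejects  :", is_rejected(oversized))
```

Run as a script, the oversized message makes the vulnerable decoder return 64 bytes of which only 11 came from the request; the rest is the stale filler standing in for leaked heap memory, while the hardened decoder refuses the same message. The two checks that matter are the ones the buggy version skips: that the stream reached its end (`d.eof`) and that the produced length equals the declared length.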
Now this is obviously a problem, and MongoDB filed the CVE of their own accord, in parallel with the patch — the problem is, it was published on December 19 when everyone’s on holiday vacation. Then it got worse.
Fanged PoC for Christmas
Compounding the Torment Nexus that was this Christmas vulnerability, a security researcher decided to release a fanged PoC on Christmas, the functional equivalent of giving every IT team a lump of coal. Typically a security researcher will work with the vendor to ensure customers have sufficient time to patch their environments before openly handing bad actors a fanged exploit. A public PoC takes the difficulty of exploitation from “at least knowing how to write your own exploits, and discovering the specific vulnerability to exploit” to “press button, receive bacon”.
This repository appears to be doing pretty well:

This type of rush for clout causes real and measurable damage to organizations on a good day, let alone over Christmas. For example, it’s known that Ubisoft’s large holiday outage (causing untold damage, in costs of incident response, as well as impact to players) can be attributed to MongoBleed specifically — likely using the PoC given the timing.
As researchers and analysts working in the industry, theoretically because we care about protecting end users, we should strive to be good stewards of cybersecurity and not knowingly and intentionally release exploits for unpatched software. We’re all aware of how trivial it is to fire up Shodan, look up exposed servers, and fire the exploit at them.
Deja Vu
This series of events closely mirrors another disclosure earlier in 2025, one that also shows how a good security vendor handles such cases. In March of this year, a vulnerability was discovered in CrushFTP, an enterprise FTP server application.
This vulnerability was discovered by a European cybersecurity vendor, Outpost24, and was raised with the vendor, with both parties agreeing on an embargo to allow the patch to be delivered. The reason for the embargo was that, as with this Mongo vulnerability, disclosing the details would allow an exploit to be trivially written, exposing customers to security risk. This was the right way to handle it: sufficient lead time for patching rather than opening the floodgates.
Following this commendable disclosure process, another security vendor discovered the vulnerability and filed a public CVE, without discussing disclosure with the software developer in question. Please see the full story at: CrushFTP auth bypass vulnerability: Disclosure mess leads to attacks
Nine months later, as a Christmas gift to the industry, we’re re-living a similar series of events, arguably worse this time, since the PoC was directly and intentionally released by an employee of a major security vendor (Elastic). Clout chasing by releasing a PoC for a fresh exploit, especially when it’s obvious that customers will not have sufficient lead time to patch, is a reflection of one’s views on what’s important as a security analyst: chasing clout, rather than protecting users.
Conclusion
When performing work in the information security space, we make an unwritten commitment to strive to protect users (and customers) from security threats, wherever they may appear. That holds whether it means responsibly disclosing a vulnerability and agreeing to a vendor-requested embargo so customers have time to patch before the vulnerability is openly discussed (as in the case of CrushFTP), or simply not releasing a fanged PoC for clout over the Christmas break.
A cybersecurity program, and in turn a cybersecurity vendor, is only as good as its people. Arguably, just as actions performed in uniform reflect on the force one is a member of, public actions such as releasing PoCs reflect on the organization we work for. A team is the sum of the skills, personalities, and actions of its members.
Don’t release a fanged PoC before people have time to patch. On Christmas. C’mon now.
Merry Christmas, Happy New Year. DAK out.
