CVE-2025-10491
📋 TL;DR
This CVE describes a DLL hijacking vulnerability in MongoDB Windows installations where custom installation directories may have improper ACLs, allowing local attackers to inject malicious code into MongoDB processes. It affects MongoDB Server versions 6.0 before 6.0.25, 7.0 before 7.0.21, and 8.0 before 8.0.5. Attackers need local access to the Windows system where MongoDB is installed.
💻 Affected Systems
- MongoDB Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to complete system compromise, data theft, or ransomware deployment via malicious DLL execution with MongoDB process privileges.
Likely Case
Local attacker gains code execution within MongoDB context, potentially accessing database contents, modifying data, or establishing persistence.
If Mitigated
Limited impact with proper access controls, monitoring, and defense-in-depth measures preventing successful exploitation.
🎯 Exploit Status
Requires local access to place malicious DLL in custom installation directory path. DLL hijacking is a well-known technique with available tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v6.0.25, v7.0.21, v8.0.5
Vendor Advisory: https://jira.mongodb.org/browse/SERVER-51366
Restart Required: Yes
Instructions:
1. Download the patched version from the MongoDB website.
2. Stop the MongoDB service.
3. Install the updated version.
4. Restart the MongoDB service.
5. Verify the version with mongod --version.
🔧 Temporary Workarounds
Set proper ACLs on custom directories
Windows: Manually configure proper access control lists on custom MongoDB installation directories to prevent unauthorized write access.
icacls "C:\CustomMongoDBPath" /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "MongoDBServiceAccount:(OI)(CI)RX"
Use default installation path
Windows: Reinstall MongoDB using the default installation directory, which has proper ACLs configured.
🧯 If You Can't Patch
- Restrict local access to MongoDB servers to trusted administrators only
- Implement application allowlisting to prevent unauthorized DLL execution
🔍 How to Verify
Check if Vulnerable:
Check the MongoDB version and installation path. If the version is affected (6.0 < 6.0.25, 7.0 < 7.0.21, 8.0 < 8.0.5) and MongoDB is installed in a custom directory on Windows, the system is vulnerable.
Check Version:
mongod --version
Verify Fix Applied:
Verify MongoDB version is 6.0.25+, 7.0.21+, or 8.0.5+ using mongod --version command.
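An added verification script, not from MongoDB or this advisory, that combines the two checks above: it compares the running mongod.exe against the fixed version for its release line and lists every ACE on the installation directory that grants write rights to an identity outside a trusted set. It assumes the Windows service is named MongoDB (the installer default) and that the service's binary path begins with a quoted mongod.exe; adjust the parameters if your install differs.

```powershell
# Added check, not part of MongoDB or this advisory. Assumes the service is named "MongoDB"
# (installer default) and that its binary path starts with a quoted mongod.exe.
param(
    [string]$ServiceName = 'MongoDB',
    # Identities allowed to hold write access on the install directory (service account is NOT one of them)
    [string[]]$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
)

# First fixed release per line, as listed in this advisory
$fixed = @{ '6.0' = [version]'6.0.25'; '7.0' = [version]'7.0.21'; '8.0' = [version]'8.0.5' }

# 1. Resolve mongod.exe and its directory from the service definition
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$exe = if ($svc.PathName -like '"*') { ($svc.PathName -split '"')[1] } else { ($svc.PathName -split ' ')[0] }
$installDir = Split-Path -Parent $exe

# 2. Compare the binary's version ("db version v7.0.20") with the fixed version for its line
$m = (& $exe --version) | Select-String -Pattern 'db version v(\d+\.\d+\.\d+)' | Select-Object -First 1
if (-not $m) { throw "Could not parse version from '$exe --version'" }
$ver  = [version]$m.Matches[0].Groups[1].Value
$line = "$($ver.Major).$($ver.Minor)"
$versionVulnerable = $fixed.ContainsKey($line) -and ($ver -lt $fixed[$line])

# 3. Find Allow ACEs granting any write-class right to identities outside the trusted set.
#    Mask = specific write/delete/permission bits plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000),
#    which Get-Acl reports as raw numbers on some inherited entries. Read-only bits never match.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000
$weakAces = (Get-Acl -Path $installDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
    ($TrustedWriters -notcontains $_.IdentityReference.Value)
}

# 4. Report. Exposed = unpatched version AND an untrusted identity can write where mongod.exe lives.
[pscustomobject]@{
    Executable        = $exe
    Version           = $ver.ToString()
    VersionVulnerable = $versionVulnerable
    InstallDir        = $installDir
    DefaultPath       = $installDir -like "$env:ProgramFiles\MongoDB\*"
    UntrustedWriters  = @($weakAces | ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" })
    Exposed           = $versionVulnerable -and (@($weakAces).Count -gt 0)
}
```

Run it from an elevated prompt so Get-Acl can read the directory's DACL; a non-empty UntrustedWriters list on an affected version is the condition the icacls workaround above is meant to remove.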
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loads in MongoDB process
- File creation/modification in MongoDB installation directory
- Process execution anomalies
Network Indicators:
- Unusual outbound connections from MongoDB process
- Data exfiltration patterns
SIEM Query:
ProcessCreation WHERE ParentProcessName CONTAINS 'mongod' AND CommandLine CONTAINS '.dll' AND CommandLine NOT IN (expected_dll_list)