CVE-2025-11575
📋 TL;DR
The MongoDB Atlas SQL ODBC driver on Windows has incorrect default permissions that allow local users to escalate privileges. This affects all Windows systems running MongoDB Atlas SQL ODBC driver versions 1.0.0 through 2.0.0. Attackers could gain elevated system access by exploiting the overly permissive installation.
💻 Affected Systems
- MongoDB Atlas SQL ODBC Driver
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/Administrator privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.
Likely Case
Local user or malware with basic user access escalates to administrative privileges to install additional malware, disable security controls, or access sensitive data.
If Mitigated
With proper access controls and least privilege principles, impact is limited to isolated systems with no critical data exposure.
🎯 Exploit Status
Exploitation likely involves manipulating installation files or registry entries due to incorrect permissions. Requires local user access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.1 or later
Vendor Advisory: https://www.mongodb.com/docs/atlas/release-notes/sql/
Restart Required: No
Instructions:
1. Download latest MongoDB Atlas SQL ODBC driver from official MongoDB website.
2. Uninstall current vulnerable version.
3. Install updated version 2.0.1 or later.
4. Verify installation and permissions.
🔧 Temporary Workarounds
Manual Permission Hardening
Windows: Manually adjust file and registry permissions on the ODBC driver installation to restrict write access to administrators only.
icacls "C:\Program Files\MongoDB\Atlas SQL ODBC Driver\*" /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
icacls "C:\ProgramData\MongoDB\Atlas SQL ODBC Driver\*" /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F"
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit local user access to affected systems.
- Monitor for privilege escalation attempts using Windows security logs and endpoint detection tools.
🔍 How to Verify
Check if Vulnerable:
Check ODBC driver version in Windows Control Panel > ODBC Data Sources (64-bit) > Drivers tab, or check installed programs list for MongoDB Atlas SQL ODBC Driver version.
Check Version:
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /f "MongoDB Atlas SQL ODBC Driver" | findstr "DisplayVersion"
Verify Fix Applied:
Verify installed version is 2.0.1 or later, and check that file permissions on installation directory restrict write access to administrators only.
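Both checks above can be run as one PowerShell audit. This is an added example, not MongoDB's or this site's script. It assumes the install paths from the workaround commands and the display name from the reg query on this page; the function name Get-WeakAce and the trusted-SID list are the example's own.

```powershell
# Added example, not vendor code. Assumptions: the install paths are the ones in the
# workaround commands on this page; the trusted-SID list is this example's choice.
$InstallDirs  = 'C:\Program Files\MongoDB\Atlas SQL ODBC Driver',
                'C:\ProgramData\MongoDB\Atlas SQL ODBC Driver'
$FixedVersion = [version]'2.0.1'

# SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller (SIDs are locale-independent).
$TrustedSids = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Rights that let a principal change or replace driver files, plus GENERIC_WRITE
# (0x40000000) and GENERIC_ALL (0x10000000), which inherit-only ACEs may carry unmapped.
$Rights = [System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$WriteMask = [int]$Rights -bor 0x40000000 -bor 0x10000000

function Get-WeakAce {
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $writable = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $writable -and
                $ace.IdentityReference.Value -notin $TrustedSids) {
                [pscustomobject]@{ Path = $item.FullName; Sid = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

# Version check: same Uninstall key the reg query on this page searches.
$entry = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*MongoDB Atlas SQL ODBC Driver*' } |
    Select-Object -First 1
$installed = $entry.DisplayVersion -as [version]
if (-not $installed) { Write-Warning 'Driver version not found in the Uninstall key.' }
elseif ($installed -lt $FixedVersion) { Write-Warning "Version $installed is below $FixedVersion." }
else { Write-Output "Version $installed is $FixedVersion or later." }

# ACL check: list every Allow ACE that gives a non-trusted principal write-type access.
$weak = @($InstallDirs | Where-Object { Test-Path -LiteralPath $_ } |
          ForEach-Object { Get-WeakAce -Path $_ })
if ($weak.Count) { $weak | Format-Table -AutoSize } else { Write-Output 'No non-admin write ACEs found.' }
```

Run it from an elevated prompt so every ACL under both directories is readable. The script covers file permissions only; registry permissions mentioned in the workaround are not checked.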
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4688 (process creation) showing unexpected processes running from ODBC driver directory
- Event ID 4663 (file system audit) showing unauthorized access attempts to ODBC driver files
Network Indicators:
- No direct network indicators as this is local privilege escalation
SIEM Query:
source="Windows Security" EventID=4688 OR EventID=4663 | where process_path contains "MongoDB" AND process_path contains "ODBC" | stats count by host, user, process_path