Threat Intelligence News from LevelBlue SpiderLabs January 2026

LevelBlue SpiderLabs warns of active exploitation of critical flaws in widely used software—MongoBleed (CVE-2025-14847) in MongoDB and React2Shell (CVE-2025-55182) in React Server Components—urging immediate patching, network segmentation, and forensic monitoring. The update also details active malware campaigns (MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, XMRIG), new IOCs and trackers, USM Anywhere detection improvements, and numerous OTX pulses shared with the community. #MongoBleed #React2Shell

Keypoints

  • MongoBleed (CVE-2025-14847) is a high-severity MongoDB vulnerability allowing unauthenticated leakage of uninitialized heap memory; public exploits and widespread exploitation were observed within days, and ~70% of internet-facing instances remained vulnerable in scans.
  • React2Shell (CVE-2025-55182) is a critical unauthenticated RCE in React Server Components impacting popular frameworks (e.g., Next.js); rapid weaponization led to deployments of malware and in-memory web shells.
  • Observed post-exploit activity includes deployment of malware families and miners such as MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, and XMRIG, plus Unicode-obfuscated payloads and unauthorized persistence.
  • LevelBlue created automated Adversary Trackers for families including VenomRat, NanoCore, Amadey, and Vidar and identified 16,353 new IOCs during December.
  • USM Anywhere received 15 detection updates in December, including rules to detect procdump misuse in Office tools, abuse of Azure AzCopy for exfiltration, and improved O365 rules for suspicious inbox rules and user agents.
  • LevelBlue SpiderLabs published 90 new OTX pulses in December and continues to validate, enrich, and share threat intelligence across its 330,000-member community.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to exploit vulnerabilities in internet-accessible software (MongoBleed and React2Shell). (‘a severe vulnerability in MongoDB known as MongoBleed…allows unauthenticated attackers’ / ‘allows attackers to execute arbitrary code via a single HTTP request’)
  • [T1505.003] Web Shell – In-memory Next.js web shells were observed as post-exploitation access and command-execution vectors. (‘in-memory Next.js web shells’)
  • [T1059] Command and Scripting Interpreter – Attackers used shell injections and scripting to execute payloads and maintain control. (‘malicious shell injections’)
  • [T1537] Transfer Data to Cloud Account – Adversaries abused cloud transfer tools to exfiltrate data (Azure AzCopy usage cited). (‘abuse of Azure Azcopy to exfiltrate data’)
  • [T1003] OS Credential Dumping – Misuse of procdump to capture process memory is covered by new USM Anywhere detection rules. (‘detecting the use of procdump in Office tools’)
  • [T1595] Active Scanning – Rapid scanning and public proof-of-concept tools were used to find and weaponize vulnerable instances. (‘Public exploits appeared’ / ‘scanning tools’)
  • [T1496] Resource Hijacking – Cryptocurrency mining (XMRIG) was deployed to hijack compute resources. (‘XMRIG cryptocurrency miners’)
  • [T1543] Create or Modify System Process – Attackers established persistence via unauthorized mechanisms and hidden directories such as user-level systemd utilities. (‘hidden directories ($HOME/.systemd-utils)’, ‘unauthorized persistence mechanisms’)

Indicators of Compromise

  • [CVE] vulnerability identifiers – CVE-2025-14847 (MongoBleed), CVE-2025-55182 (React2Shell) and related CVEs (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779)
  • [Malware Families] names observed in campaigns – MINOCAT, SNOWLIGHT, HISONIC, COMPOOD, XMRIG (and other families identified by trackers)
  • [Trackers / Families] monitored infrastructure – VenomRat, NanoCore, Amadey, Vidar (LevelBlue trackers reported 16,353 new IOCs across tracked families)
  • [File / Directory Names & Tools] artifacts and abused utilities – $HOME/.systemd-utils, procdump, Azure AzCopy
  • [Packages / Components] vulnerable software components – react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (affected versions listed in advisory)
  • [Forensic / Telemetry Indicators] diagnostic signs to detect exploitation – spikes in db.serverStatus().asserts, FTDC telemetry anomalies
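
The last indicator above, a spike in db.serverStatus().asserts, is only useful if someone is actually comparing successive samples. The script below is an added example, written for this summary and not code from the LevelBlue post or from MongoDB; it assumes a monitoring agent already stores periodic db.serverStatus() output (the asserts sub-document) and looks for per-interval jumps well above the recent baseline. The snapshots in SAMPLE_SNAPSHOTS are constructed, not real telemetry, and the thresholds (baseline_window, factor, min_delta) are illustrative tuning knobs, not values from the post.

```python
"""Flag abnormal jumps in MongoDB serverStatus().asserts counters.

Added example, not code from the LevelBlue post. It assumes a monitoring
agent stores periodic db.serverStatus() output ("asserts" sub-document)
as JSON; the snapshots at the bottom are constructed, not real telemetry.
"""
from statistics import mean
from typing import Dict, List

ASSERT_FIELDS = ("regular", "warning", "msg", "user")


def assert_deltas(prev: Dict[str, int], cur: Dict[str, int]) -> Dict[str, int]:
    """Per-field increase of the assert counters between two snapshots.

    mongod's assert counters only grow until it rolls them over and bumps
    'rollovers'; an interval containing a rollover is reported as zero
    rather than as a bogus negative or huge delta.
    """
    if cur.get("rollovers", 0) != prev.get("rollovers", 0):
        return {f: 0 for f in ASSERT_FIELDS}
    return {f: max(cur.get(f, 0) - prev.get(f, 0), 0) for f in ASSERT_FIELDS}


def detect_spikes(snapshots: List[Dict], baseline_window: int = 5,
                  factor: float = 10.0, min_delta: int = 50) -> List[Dict]:
    """Return one alert per (interval, field) whose delta exceeds both
    `min_delta` and `factor` times the mean delta of the preceding
    `baseline_window` intervals.  `min_delta` keeps a baseline of zero
    (counters that normally never move) from alerting on a single assert.
    """
    deltas = [assert_deltas(a["asserts"], b["asserts"])
              for a, b in zip(snapshots, snapshots[1:])]
    alerts = []
    for i in range(baseline_window, len(deltas)):
        window = deltas[i - baseline_window:i]
        for f in ASSERT_FIELDS:
            base = mean(d[f] for d in window)
            d = deltas[i][f]
            if d >= min_delta and d > factor * base:
                alerts.append({"at": snapshots[i + 1]["t"], "field": f,
                               "delta": d, "baseline_mean": base})
    return alerts


# Constructed snapshots, one per minute: a quiet baseline, then an
# abrupt jump in 'user' asserts in the final interval.
SAMPLE_SNAPSHOTS = [
    {"t": f"2025-12-15T10:{m:02d}:00Z",
     "asserts": {"regular": 0, "warning": 0, "msg": 3,
                 "user": 120 + 5 * m, "rollovers": 0}}
    for m in range(7)
]
SAMPLE_SNAPSHOTS.append(
    {"t": "2025-12-15T10:07:00Z",
     "asserts": {"regular": 0, "warning": 0, "msg": 3,
                 "user": 150 + 3000, "rollovers": 0}})

if __name__ == "__main__":
    for a in detect_spikes(SAMPLE_SNAPSHOTS):
        print(f"{a['at']} asserts.{a['field']} +{a['delta']} "
              f"(baseline mean {a['baseline_mean']:.1f}/interval)")
```

A spike in these counters is a symptom, not proof of MongoBleed exploitation; treat an alert as a trigger to pull the corresponding FTDC window and connection logs for the same period rather than as a verdict on its own.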

Read more: https://levelblue.com/blogs/spiderlabs-blog/threat-intelligence-news-from-levelblue-spiderlabs-january-2026/