CVE-2025-10491

MongoDB · MongoDB Multiple Products

A high-severity vulnerability exists in the MongoDB installer for Windows systems.

Executive summary

A high-severity vulnerability exists in the MongoDB installer for Windows systems. This flaw fails to properly secure custom installation folders, allowing a local attacker with standard user access to place malicious code that will be executed by MongoDB, leading to elevated privileges and potential system compromise.

Vulnerability

The MongoDB Windows installation package (MSI) does not correctly apply Access Control Lists (ACLs) when a user chooses a custom installation directory instead of the default location. This misconfiguration results in overly permissive folder permissions, allowing low-privileged local users to write files into the MongoDB installation path. An attacker can exploit this by placing a specially crafted DLL file in this directory, naming it after a legitimate DLL that the MongoDB application loads. When the MongoDB service is started or restarted, it will load the attacker's malicious DLL instead of the intended one, resulting in arbitrary code execution with the privileges of the MongoDB service account.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could lead to a complete compromise of the database server. An attacker could leverage this privilege escalation to steal sensitive data, modify or delete database records, disrupt service availability, or use the compromised server as a pivot point to move laterally within the corporate network. The direct risks include loss of data confidentiality and integrity, service disruption, and the potential for follow-on attacks such as ransomware deployment.

Remediation

Immediate Action: Apply the security updates released by MongoDB as soon as possible. These patches correct the installer's behavior and ensure proper ACLs are set on all installation directories. In parallel, security teams should monitor for signs of exploitation attempts and review system access logs and security events for anomalous activity related to MongoDB processes.

Proactive Monitoring: Implement monitoring to detect potential exploitation. This includes watching for file creation events, specifically for new DLL files, within MongoDB's binary directories. Utilize an Endpoint Detection and Response (EDR) solution to monitor for suspicious module loads by the mongod.exe process or other MongoDB services. Review Windows Security Event Logs for unusual process creation originating from the MongoDB service account.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to mitigate risk:

  • Manually inspect and correct the permissions on the MongoDB installation directory and its subdirectories. Restrict write access to only trusted administrative accounts.
  • Implement application control or whitelisting solutions to prevent unauthorized DLLs from being loaded by MongoDB processes.
  • Ensure the MongoDB service account is configured with the principle of least privilege and does not have excessive permissions on the operating system.
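One way to carry out the first compensating control, as an added example that is not part of this advisory or of any MongoDB tooling: a PowerShell script that walks the installation tree, reports Allow ACEs granting write-class rights to Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE, and with -Fix removes them. The install path is an assumed placeholder; run it from an elevated prompt and review the report before using -Fix.

```powershell
# Added example (not from the advisory or MongoDB): audit a MongoDB install tree
# for Allow ACEs that give write-class rights to low-privileged principals, and
# with -Fix strip them. $InstallDir is an assumed custom path; run elevated.
param(
    [string]$InstallDir = 'D:\MongoDB\Server',   # assumed custom install location
    [switch]$Fix                                  # remove offending ACEs when set
)

# Well-known SIDs that every local user holds: Everyone, Authenticated Users,
# BUILTIN\Users, INTERACTIVE. Any of these with write rights is a finding.
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# Rights that let a caller create, replace or delete files (e.g. drop a DLL).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Test-WeakAce($Ace) {
    # True when $Ace is an Allow entry granting $WriteMask rights to a low-priv SID.
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ([int]($Ace.FileSystemRights -band $WriteMask) -eq 0) { return $false }
    $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return $LowPrivSids -contains $sid
}

$dirs = @(Get-Item -LiteralPath $InstallDir) +
        @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Directory)
foreach ($dir in $dirs) {
    $acl  = Get-Acl -LiteralPath $dir.FullName
    $weak = @($acl.Access | Where-Object { Test-WeakAce $_ })
    if ($weak.Count -eq 0) { continue }
    foreach ($ace in $weak) {
        '{0}: {1} -> {2} ({3})' -f $dir.FullName, $ace.IdentityReference, $ace.FileSystemRights,
            $(if ($ace.IsInherited) { 'inherited from parent' } else { 'explicit' })
    }
    if (-not $Fix) { continue }
    if ($weak | Where-Object IsInherited) {
        # Inherited ACEs cannot be removed in place: break inheritance while keeping
        # copies of the inherited entries, persist, then re-read them as explicit.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        $acl = Get-Acl -LiteralPath $dir.FullName
    }
    foreach ($ace in @($acl.Access | Where-Object { Test-WeakAce $_ })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    "Fixed: $($dir.FullName)"
}
```

Breaking inheritance on the install root means later permission changes on the parent volume no longer flow down, so record the resulting ACLs in your baseline and re-run the audit after applying the vendor patch.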

Exploitation status

Public exploit available: No

Analyst recommendation

Given the high CVSS score and the potential for local privilege escalation, this vulnerability poses a significant risk to Windows environments running affected MongoDB products. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches to all affected systems immediately. Although this vulnerability is not currently listed on the CISA KEV list, its impact warrants urgent attention. If patching is delayed, the compensating controls listed above should be implemented as an interim measure to reduce the attack surface.