CVE-2025-11575
MongoDB · MongoDB Atlas SQL Multiple Products
A high-severity vulnerability has been identified in the MongoDB Atlas SQL ODBC driver on Windows systems.
Executive summary
A high-severity vulnerability has been identified in the MongoDB Atlas SQL ODBC driver on Windows systems. This flaw, resulting from incorrect default permissions, allows a local user with low-level privileges to gain elevated administrative rights on the affected machine. Successful exploitation could lead to a complete system compromise, enabling an attacker to access sensitive data, install malicious software, or disrupt operations.
Vulnerability
The vulnerability exists because the installer for the MongoDB Atlas SQL ODBC driver sets overly permissive Access Control Lists (ACLs) on its installation directory and associated files on Windows. With that configuration, a standard, low-privileged user can modify or replace critical driver files, such as DLLs or configuration files. When a higher-privileged user or system service later uses the ODBC driver, it may load the file planted by the attacker and execute arbitrary code with the elevated permissions of that user or service, resulting in a local privilege escalation.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.8. Exploitation could lead to significant business disruption and data compromise. An attacker who successfully escalates their privileges can gain complete control over the affected system, bypassing security controls to access, modify, or exfiltrate sensitive data being processed through the database connection. Further risks include the deployment of ransomware, using the compromised system as a pivot point for lateral movement within the corporate network, and causing service outages for applications that rely on the affected driver.
Remediation
Immediate Action: The primary remediation is to update the MongoDB Atlas SQL ODBC driver immediately to the latest patched version released by the vendor. After the update, conduct a security audit that reviews and validates user permissions and access controls on every system where the driver is installed, and ensure the principle of least privilege is enforced.
Proactive Monitoring: Implement file integrity monitoring on the installation directories for the MongoDB Atlas SQL ODBC driver to detect any unauthorized modifications. Monitor Windows Security Event Logs for suspicious process creation or privilege escalation events (e.g., Event ID 4688, 4672). Network monitoring should also be configured to detect unusual outbound traffic from servers hosting the driver, which could indicate a successful compromise.
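A concrete form of the file integrity monitoring recommended above, added here as an example rather than taken from the advisory or from MongoDB: a PowerShell script that records SHA-256 hashes of every file under the driver's install directory once (-Baseline) and, on later scheduled runs, reports files that were added, removed or modified. The install path and the baseline file location are placeholders, not values from the advisory; substitute the real directory for your deployment.

```powershell
<#
  Added example (not the advisory's or MongoDB's code): minimal file integrity
  check for the Atlas SQL ODBC driver directory. Run once with -Baseline to
  record hashes, then on a schedule without it to report changes.
  Both default paths are placeholders; pass the real ones on the command line.
#>
param(
    [string]$DriverPath   = 'C:\Program Files\<AtlasSQL-ODBC-install-dir>',   # placeholder
    [string]$BaselineFile = "$env:ProgramData\odbc-driver-fim-baseline.json", # placeholder
    [switch]$Baseline
)

function Get-DirectoryHashes {
    param([string]$Root)
    # Returns a hashtable of relative path -> SHA-256 for every file under $Root
    # (DLLs, configuration files, everything), so a planted or swapped file shows up.
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $map = @{}
    Get-ChildItem -LiteralPath $rootFull -File -Recurse -Force | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length + 1)
        $map[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

function Compare-Hashes {
    param([hashtable]$Expected, [hashtable]$Actual)
    # One record per difference; no output means the directory matches the baseline.
    $diff = @()
    foreach ($k in $Expected.Keys) {
        if (-not $Actual.ContainsKey($k))      { $diff += [pscustomobject]@{ File = $k; Change = 'Removed'  } }
        elseif ($Actual[$k] -ne $Expected[$k]) { $diff += [pscustomobject]@{ File = $k; Change = 'Modified' } }
    }
    foreach ($k in $Actual.Keys) {
        if (-not $Expected.ContainsKey($k))    { $diff += [pscustomobject]@{ File = $k; Change = 'Added'    } }
    }
    return $diff
}

$current = Get-DirectoryHashes -Root $DriverPath

if ($Baseline) {
    # Keep the baseline where a low-privileged user cannot overwrite it
    # (ProgramData requires administrative rights to write by default).
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
    Write-Host "Baseline of $($current.Count) files written to $BaselineFile"
    exit 0
}

if (-not (Test-Path -LiteralPath $BaselineFile)) {
    throw "No baseline at $BaselineFile; run once with -Baseline first."
}

# ConvertFrom-Json returns a PSCustomObject; rebuild a hashtable for lookups.
$expected = @{}
(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $expected[$_.Name] = $_.Value }

$changes = @(Compare-Hashes -Expected $expected -Actual $current)
if ($changes.Count -eq 0) {
    Write-Host "OK: $DriverPath matches baseline"
    exit 0
}
# Non-zero exit lets a scheduled task or monitoring agent raise an alert.
Write-Warning "Integrity change(s) detected under ${DriverPath}:"
$changes | Format-Table -AutoSize
exit 2
```

Run the baseline immediately after installing or patching the driver, from an elevated prompt, and schedule the comparison (for example every few minutes via Task Scheduler) so that a modified DLL is flagged before a privileged process next loads it. Re-baseline only after an authorised update; an unexpected "Modified" or "Added" entry is the signal the advisory's monitoring guidance is asking for.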
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Use application control solutions (e.g., Windows AppLocker) to prevent the execution of unauthorized files from the driver's installation path.
- Manually correct the file system permissions on the driver's installation directory to restrict write access to only trusted administrative accounts.
- Deploy an Endpoint Detection and Response (EDR) solution capable of detecting and blocking privilege escalation techniques.
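The ACL audit behind the second compensating control, added here as an example and not taken from the advisory or from MongoDB: it walks the driver's install directory and lists every Allow ACE that gives Users, Everyone, Authenticated Users or INTERACTIVE a write-class right (write, modify, delete, change-permissions, take-ownership or full control), which is exactly the condition the vulnerability describes. With -Fix it resets the tree to a Program Files-style baseline in which only SYSTEM and Administrators can write and Users keep read/execute. The install path is a placeholder, not a value from the advisory.

```powershell
<#
  Added example (not the advisory's or MongoDB's code): audit the Atlas SQL ODBC
  driver install directory for ACL entries that let low-privileged principals
  write to it, and optionally reset the ACL to a least-privilege baseline.
  The default path is a placeholder; pass the real directory with -DriverPath.
  Run from an elevated PowerShell prompt.
#>
param(
    [string]$DriverPath = 'C:\Program Files\<AtlasSQL-ODBC-install-dir>',   # placeholder
    [switch]$Fix
)

# Principals that must never hold write rights on a directory privileged processes load code from.
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights is enough to plant or replace a DLL/config file, or to grant oneself the right to.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
$GenericWriteMask = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000) in raw ACEs

function Get-WeakAce {
    param([string]$Path)
    # Returns the Allow ACEs on $Path that grant write-class rights to a low-privileged principal.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights   = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteMask) -ne 0)
        if ($canWrite -and ($LowPrivPrincipals -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Repair-DriverDirAcl {
    param([string]$Path)
    # Conservative baseline modelled on Program Files: SYSTEM and Administrators full control,
    # Users read/execute only (enough to load the driver), nothing for the other weak principals.
    # Add a service account explicitly if one needs more than read/execute.
    & icacls.exe $Path /inheritance:r /T /C | Out-Null
    & icacls.exe $Path /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX' /T /C | Out-Null
    foreach ($p in @('Everyone', 'Authenticated Users', 'INTERACTIVE')) {
        & icacls.exe $Path /remove:g $p /T /C | Out-Null
    }
}

if (-not (Test-Path -LiteralPath $DriverPath)) { throw "Driver directory not found: $DriverPath" }

# Audit the directory itself plus everything beneath it (DLLs, config files, subfolders).
$targets  = @($DriverPath) + @(Get-ChildItem -LiteralPath $DriverPath -Recurse -Force | Select-Object -ExpandProperty FullName)
$findings = @(foreach ($t in $targets) { Get-WeakAce -Path $t })

if ($findings.Count -eq 0) {
    Write-Host "OK: no write-class rights for low-privileged principals under $DriverPath"
    exit 0
}

Write-Warning "$($findings.Count) weak ACE(s) found under ${DriverPath}:"
$findings | Format-Table -AutoSize

if ($Fix) {
    Repair-DriverDirAcl -Path $DriverPath
    $remaining = @(foreach ($t in $targets) { Get-WeakAce -Path $t })
    Write-Host "After repair: $($remaining.Count) weak ACE(s) remain"
    exit $(if ($remaining.Count -eq 0) { 0 } else { 2 })
}
exit 2
```

Run the audit without -Fix first and keep its output: an inherited weak ACE means the parent directory is also misconfigured and deserves the same review, while a non-inherited one points at the installer's own ACL, which is the case this advisory describes. Re-run the audit after the vendor patch as well, since an updated installer is the real fix and the manual permission reset is only a stopgap.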
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score and the potential for a full system compromise, this vulnerability presents a significant risk to the organization. Although it is not currently listed in the CISA KEV catalog, it should be treated as a critical priority for remediation. We strongly recommend that all Windows systems with the affected MongoDB Atlas SQL ODBC driver be identified and patched immediately. If patching must be delayed, the compensating controls outlined above should be implemented without delay to mitigate the immediate risk of exploitation.