CVE-2025-10491: Improper Access Control in MongoDB Inc. MongoDB Server

Severity: 7.8 HIGH (NVD)
EPSS: 0.0% (top 95.90%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Sep 15

Description

The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories, allowing a local attacker to introduce executable code into MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.21, and MongoDB Server v8.0 versions prior to 8.0.5.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (1 package)

Source: CVEListV5 | Package: mongodb_inc/mongodb_server | Affected: 6.0 | Fixed: 6.0.25 | +2 more ranges

Vulnerability Details (2 sources)

CVEList (2025-09-15)
MongoDB Windows installation MSI may leave ACLs unset on custom installation directories

GHSA (2025-09-15)
GHSA-2mmf-p5r8-wc5g: The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories allowing a local attacker to introduce executable code to
CVE-2025-10491 — Improper Access Control | cvebase