CVE-2025-10491 is a high-severity vulnerability affecting MongoDB Server versions 6.0 prior to 6.0.25, 7.0 prior to 7.0.21, and 8.0 prior to 8.0.5 on Windows platforms. The vulnerability arises from improper access control (CWE-284) related to the Windows installation MSI for MongoDB. Specifically, when administrators perform custom installations of MongoDB Server on Windows, the Access Control Lists (ACLs) on the custom installation directories may not be properly set. This misconfiguration allows a local attacker with limited privileges to place malicious executable code, such as a crafted DLL, into these directories. Due to DLL hijacking, the malicious DLL can be loaded by the MongoDB process, enabling the attacker to execute arbitrary code with the privileges of the MongoDB service. The vulnerability requires local access with low privileges but does not require user interaction. The CVSS v3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, as exploitation can lead to full compromise of the MongoDB server process. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and patched in the specified versions. This issue highlights the importance of secure installation practices and proper ACL configuration on Windows systems hosting critical database services like MongoDB.

For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of data managed by MongoDB Server on Windows. MongoDB is widely used across industries including finance, healthcare, telecommunications, and government sectors in Europe. Exploitation could allow an attacker to execute arbitrary code on database servers, potentially leading to data breaches, unauthorized data manipulation, or service disruption. Given the local access requirement, the threat is particularly relevant in environments where multiple users have access to the server or where attackers can gain foothold through other means (e.g., phishing, compromised credentials). The impact is amplified in regulated sectors subject to GDPR and other data protection laws, where data breaches can result in severe legal and financial penalties. Additionally, disruption of database services can affect business continuity and critical operations. The lack of known exploits currently provides a window for organizations to patch and mitigate before active exploitation occurs.

1. Immediately upgrade MongoDB Server on Windows to the patched versions: 6.0.25 or later, 7.0.21 or later, and 8.0.5 or later. 2. Review and enforce strict ACLs on all MongoDB installation directories, especially custom installation paths, ensuring only authorized service accounts and administrators have write and execute permissions. 3. Limit local user access to MongoDB server hosts, applying the principle of least privilege to reduce the risk of local exploitation. 4. Implement application whitelisting and endpoint protection solutions to detect and block unauthorized DLL loading or code execution. 5. Monitor file system changes in MongoDB directories for suspicious activity indicative of DLL hijacking attempts. 6. Conduct regular security audits and penetration testing focusing on Windows ACL configurations and privilege escalation vectors. 7. Educate system administrators on secure installation procedures and the risks of improper ACL settings during custom installations. 8. Consider isolating MongoDB servers in hardened environments with restricted local access and network segmentation to contain potential compromises.