CVE-2025-10491 is an improper access control vulnerability (CWE-284) affecting MongoDB Server on Windows platforms. The root cause is that the MongoDB Windows MSI installer does not set Access Control Lists (ACLs) properly on custom installation directories. This oversight allows local attackers with limited privileges to place malicious DLLs or executables in these directories. When MongoDB loads these DLLs during its process execution, the attacker’s code executes with MongoDB’s privileges. This DLL hijacking attack vector can lead to complete compromise of the MongoDB server, impacting confidentiality, integrity, and availability. The vulnerability affects MongoDB Server versions 6.0 prior to 6.0.25, 7.0 prior to 7.0.21, and 8.0 prior to 8.0.5. The CVSS v3.1 base score is 7.8, reflecting high severity due to local attack vector, low attack complexity, low privileges required, no user interaction, and high impact on all security properties. Although no exploits are currently known in the wild, the vulnerability presents a significant risk in environments where attackers can gain local access. The issue is specific to Windows installations and custom directory setups, emphasizing the importance of secure installation practices and permission management.

The vulnerability allows a local attacker with limited privileges to escalate their control by injecting malicious code into the MongoDB server process via DLL hijacking. This can lead to full compromise of the database server, including unauthorized data disclosure, data manipulation, and denial of service. Organizations relying on MongoDB for critical data storage and processing could face severe operational disruptions, data breaches, and potential regulatory penalties. Since MongoDB is widely used in enterprise and cloud environments, the impact can be substantial if attackers gain local access, especially in multi-tenant or shared hosting scenarios. The attack does not require user interaction, increasing the risk of automated or stealthy exploitation once local access is obtained. The vulnerability also undermines trust in the integrity and availability of MongoDB services, potentially affecting business continuity and customer confidence.

Organizations should immediately upgrade affected MongoDB Server versions to 6.0.25, 7.0.21, or 8.0.5 or later, where the issue is fixed. Until patching is possible, administrators must verify and enforce strict ACLs on all MongoDB installation directories, especially custom paths, to prevent unauthorized write access. Use Windows security tools to audit directory permissions and remove write privileges from non-administrative users. Additionally, restrict local access to MongoDB servers to trusted personnel only, minimizing the risk of local attacker presence. Employ application whitelisting and endpoint protection solutions to detect and block unauthorized DLL loading. Regularly monitor MongoDB logs and system event logs for suspicious activity indicative of DLL hijacking attempts. Finally, review and harden overall Windows host security posture to reduce the likelihood of local privilege escalation and lateral movement.