
CVE-2025-10491: CWE-284: Improper Access Control in MongoDB Inc MongoDB Server

High
Tags: Vulnerability, CVE-2025-10491, CWE-284
Published: Mon Sep 15 2025 (09/15/2025, 16:04:54 UTC)
Source: CVE Database V5
Vendor/Project: MongoDB Inc
Product: MongoDB Server

Description

The MongoDB Windows installation MSI may leave ACLs unset on custom installation directories, allowing a local attacker to introduce executable code into MongoDB's process via DLL hijacking. This issue affects MongoDB Server v6.0 versions prior to 6.0.25, MongoDB Server v7.0 versions prior to 7.0.21 and MongoDB Server v8.0 versions prior to 8.0.5.

AI-Powered Analysis

AI analysis last updated: 09/15/2025, 16:46:07 UTC

Technical Analysis

CVE-2025-10491 is a high-severity vulnerability in MongoDB Server 6.0 (prior to 6.0.25), 7.0 (prior to 7.0.21) and 8.0 (prior to 8.0.5) on Windows. It is an improper access control issue (CWE-284) in the Windows MSI installer rather than in mongod itself: when MongoDB is installed into a custom directory, the MSI may leave the Access Control List (ACL) of that directory unset, so the directory simply inherits whatever permissions its parent carries. The default location under Program Files is writable only by administrators and SYSTEM, but on a default Windows volume a directory created directly under the drive root (for example C:\mongodb) typically inherits an entry granting Authenticated Users Modify rights. Any local account can then write into the directory that holds mongod.exe.

That write access is enough for DLL hijacking. When a process loads a library by name, Windows searches the application's own directory before the system directories (unless the library is on the KnownDLLs list or is referenced by absolute path), so a DLL planted beside mongod.exe under the name of a library the server loads is picked up in preference to the genuine one, and a DLL that mongod probes for but which is absent from the system is loaded from there as well. The planted code executes inside the mongod service process, with the rights of the service account rather than those of the attacker, and with that account's access to the data files and configuration the server owns.

The CVSS v3.1 score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): the attacker needs local access with low privileges, no user interaction is required, and confidentiality, integrity and availability are all fully impacted because the attacker can read, alter or destroy data and crash or stop the server. No exploitation in the wild was known when this entry was written, but MongoDB's prevalence in enterprise environments makes the risk significant. Only Windows installations performed with the MSI are affected. The root cause is that the installer did not set an explicit, restrictive ACL on custom installation directories; a secure installer must do so, because the permissions inherited from an arbitrary parent path cannot be assumed safe.
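The weak configuration can be checked directly. The following PowerShell script is an added example (not MongoDB's code and not part of the advisory): it locates the directory holding mongod.exe from the Windows service definition and reports every Allow ACE that gives a low-privilege principal a right sufficient to create, replace or delete a file, or to rewrite the ACL. The service name 'MongoDB' is an assumption (the MSI default); use -Path to point at the install tree directly if the service is registered under another name.

```powershell
<#
  Audit-MongoDbInstallAcl.ps1 : added example, not MongoDB's code.
  Reports ACEs under the mongod install tree that let a low-privilege principal
  plant a file (and therefore a DLL) next to mongod.exe.
  Assumption: the Windows service is registered as 'MongoDB' (the MSI default).
#>
[CmdletBinding()]
param(
    [string]$ServiceName = 'MongoDB',
    [string]$Path                      # explicit install root; skips the service lookup
)
$ErrorActionPreference = 'Stop'

# Principals that any interactive local account is, or is a member of.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow creating, replacing or deleting entries in a directory, or
# changing its ACL. Write, Modify and FullControl all contain some of these bits.
$dangerous = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-MongodBinDirectory {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found; pass -Path instead" }
    # PathName looks like: "C:\mongodb\bin\mongod.exe" --config "C:\mongodb\bin\mongod.cfg" --service
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    return (Split-Path -Parent $exe)
}

function Find-WritableByLowPriv {
    param([string]$Root)
    $dirs  = @(Get-Item -LiteralPath $Root)
    $dirs += Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue
    foreach ($d in $dirs) {
        $acl = Get-Acl -LiteralPath $d.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # An inherit-only ACE does not apply to this directory itself; its
            # children are visited separately, so skip it here.
            if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$dangerous) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $d.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited     # True: the ACL was never set explicitly
            }
        }
    }
}

$root = if ($Path) { $Path } else { Split-Path -Parent (Get-MongodBinDirectory -Name $ServiceName) }
$hits = @(Find-WritableByLowPriv -Root $root)
if ($hits.Count -gt 0) {
    Write-Warning "Low-privilege principals can write into the mongod install tree under $root"
    $hits | Format-Table -AutoSize
    exit 1
}
Write-Host "OK: no low-privilege write access under $root"
```

Run it from an elevated prompt so every subdirectory can be enumerated. A default install under Program Files reports nothing; an unfixed custom directory under the drive root typically reports NT AUTHORITY\Authenticated Users with inherited Modify rights on every directory, including bin.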

Potential Impact

For European organizations the vulnerability matters wherever MongoDB Server runs on Windows, which is common in finance, healthcare, government and technology. Successful exploitation gives an attacker code execution inside the database server process, and with it the ability to read, modify or delete data and to disrupt service, so personal data protected under GDPR could be exposed or altered, with the regulatory penalties and reputational damage that follow. The requirement for local access rules out direct remote exploitation, but an insider, or an attacker who has obtained an ordinary user session on the host through some other weakness, can use the writable directory to escalate from that account to the mongod service account and take over the server. The absence of known exploits in the wild lowers the immediate risk but not the ease of exploitation: copying a DLL into a writable directory needs no specialized tooling. The impact is greatest where MongoDB servers are part of critical infrastructure or hold sensitive data, as is common in European financial institutions and public sector entities, and such organizations should patch and audit their installations promptly.

Mitigation Recommendations

1. Apply the patches: upgrade MongoDB Server to 6.0.25, 7.0.21 or 8.0.5 or later, where the installer is fixed. Do not assume that the upgrade corrected the permissions on an already-deployed custom directory; an ACL is a property of the directory, not of the binaries, so verify it after upgrading (step 2).
2. Audit and enforce ACLs: review the permissions on every MongoDB installation directory, especially custom ones, and ensure that only SYSTEM and Administrators can create, modify or delete files there. Ordinary users, Authenticated Users and Everyone need at most read and execute, and the service account itself needs write access only to the data and log directories, not to the directory containing mongod.exe.
3. Restrict local access: limit the local accounts that can log on to MongoDB servers to trusted administrators.
4. Monitor for suspicious DLL loading: record image loads (for example Sysmon Event ID 7) and alert when mongod.exe loads a DLL that does not carry a trusted signature or that comes from an unexpected path, in particular from its own install tree.
5. Harden Windows hosts: enable Windows Defender Application Control (WDAC) or a comparable allow-listing policy so that only signed, approved DLLs can be loaded into service processes.
6. Use endpoint detection and response (EDR) tooling to detect and block attempts to place or execute unauthorized code in service directories.
7. Conduct regular security audits and penetration tests that cover local privilege escalation paths, including writable service directories and DLL search order abuse.
8. Educate system administrators about the risk of inheriting permissions on custom installation paths and the importance of secure installation practices.
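Steps 2 and 4 above can be carried out with the following PowerShell script, an added example that is not MongoDB's code and not from the advisory. It rewrites the ACL of the mongod install tree to the shape a default Program Files install has (SYSTEM and Administrators full control, everyone else read and execute, the service account allowed to write only in the data and log directories), then queries Sysmon image-load events for a DLL that mongod.exe has loaded from its own tree without a valid signature. The service name 'MongoDB', the data and log subdirectory names, and the presence of Sysmon with Event ID 7 logging are assumptions; check mongod.cfg for the real dbPath and log path before running it.

```powershell
<#
  Harden-MongoDbInstallAcl.ps1 : added example, not MongoDB's code.
  Assumptions (not from the advisory): service 'MongoDB' (MSI default); data
  and log directories are <root>\data and <root>\log; Sysmon logs Event ID 7.
#>
[CmdletBinding()]
param(
    [string]$ServiceName = 'MongoDB',
    [string[]]$WritableSubdirs = @('data', 'log'),
    [switch]$DryRun            # print the icacls commands instead of running them
)
$ErrorActionPreference = 'Stop'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$exe        = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$root       = Split-Path -Parent (Split-Path -Parent $exe)   # C:\mongodb for C:\mongodb\bin\mongod.exe
$svcAccount = $svc.StartName                                 # e.g. NT AUTHORITY\NetworkService
$svcIsSystem = ($svcAccount -eq 'LocalSystem')               # LocalSystem is already covered by the SYSTEM ACE

function Invoke-Icacls([string[]]$IcaclsArgs) {
    if ($DryRun) { Write-Host "icacls $($IcaclsArgs -join ' ')"; return }
    & icacls.exe @IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($IcaclsArgs -join ' ')" }
}

# Well-known SIDs instead of names so the script also works on localized Windows.
# (OI)(CI) makes each ACE inherit to files and subdirectories.
$baseAces = @(
    '*S-1-5-18:(OI)(CI)F',        # NT AUTHORITY\SYSTEM
    '*S-1-5-32-544:(OI)(CI)F',    # BUILTIN\Administrators
    '*S-1-5-32-545:(OI)(CI)RX'    # BUILTIN\Users: read and execute, never write
)
if (-not $svcIsSystem) { $baseAces += "${svcAccount}:(OI)(CI)RX" }  # mongod may run its binaries, not replace them

# 1. Root: cut inheritance (the source of the weak ACL on a custom path) and
#    replace the explicit ACEs with the base set.
Invoke-Icacls (@($root, '/inheritance:r', '/grant:r') + $baseAces)

# 2. Everything below the root: reset to pure inheritance so the root's ACL
#    flows down and no stale explicit ACE survives. The wildcard keeps the root
#    itself out of the reset.
Invoke-Icacls @("$root\*", '/reset', '/T', '/C', '/Q')

# 3. The only places mongod must write: its data and log directories.
if (-not $svcIsSystem) {
    foreach ($sub in $WritableSubdirs) {
        $dir = Join-Path $root $sub
        if (Test-Path -LiteralPath $dir) { Invoke-Icacls @($dir, '/grant', "${svcAccount}:(OI)(CI)M") }
    }
}

# 4. Hunt for a DLL already planted: mongod.exe loading an image from its own
#    tree that is not validly signed (Sysmon Event ID 7, field 'Signed').
function Get-SuspiciousMongodImageLoad {
    param([string]$InstallRoot, [string]$MongodExe, [int]$Days = 30)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.Image -ne $MongodExe) { return }
        $fromTree = $data.ImageLoaded.StartsWith($InstallRoot, [System.StringComparison]::OrdinalIgnoreCase)
        if ($fromTree -and $data.Signed -ne 'true') {
            [pscustomobject]@{ Time = $_.TimeCreated; Dll = $data.ImageLoaded; Signature = $data.SignatureStatus; Hashes = $data.Hashes }
        }
    }
}

Get-SuspiciousMongodImageLoad -InstallRoot $root -MongodExe $exe | Format-Table -AutoSize
```

Run it elevated, with -DryRun first to review the icacls calls. The ACL it applies is the one MongoDB's binaries already get under Program Files, so it is safe to apply to a custom directory; any hit from the Sysmon query deserves incident handling rather than cleanup, because a DLL that mongod has already loaded has already run as the service account.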


Technical Details

Data Version: 5.1
Assigner Short Name: mongodb
Date Reserved: 2025-09-15T15:57:35.554Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c841fc6411cb71021b3dff

Added to database: 9/15/2025, 4:42:36 PM

Last enriched: 9/15/2025, 4:46:07 PM

Last updated: 9/19/2025, 12:08:58 AM
