CVE-2025-11535: CWE-276 Incorrect Default Permissions in MongoDB Inc MongoDB Connector for BI
MongoDB Connector for BI installation via MSI on Windows leaves ACLs unset on custom install directories, which allows Privilege Escalation. This issue affects MongoDB Connector for BI: from 2.0.0 through 2.14.24.
AI Analysis
Technical Summary
CVE-2025-11535 is a vulnerability classified under CWE-276 (Incorrect Default Permissions) affecting MongoDB Connector for BI versions 2.0.0 through 2.14.24 installed on Windows systems via MSI installers. The issue arises because the MSI installation process does not set Access Control Lists (ACLs) on custom installation directories, leaving them with whatever permissions the parent directory passes down by inheritance, which is often insecure. This misconfiguration enables users with low-level privileges on the system to escalate their privileges by modifying files or configurations within these directories, potentially gaining higher system rights. The vulnerability requires local access with low privileges but does not require user interaction, making it a straightforward privilege escalation vector once an attacker has a foothold. The CVSS 4.0 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, as an attacker could manipulate the BI connector's files or configurations to execute arbitrary code or disrupt services. No public exploits are known yet, but the vulnerability's nature and ease of exploitation make it a significant risk. MongoDB Connector for BI is widely used in data analytics environments to bridge MongoDB databases with BI tools, making this vulnerability particularly concerning for organizations relying on Windows-based BI infrastructure. The lack of patches at the time of publication necessitates immediate attention to permissions and installation practices.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially in sectors relying heavily on data analytics and business intelligence, such as finance, manufacturing, and telecommunications. Exploitation could allow attackers to escalate privileges on Windows servers hosting MongoDB Connector for BI, potentially leading to unauthorized data access, manipulation, or service disruption. This could compromise sensitive business intelligence data, affect decision-making processes, and lead to regulatory non-compliance under GDPR due to unauthorized data exposure. The impact extends to operational continuity if attackers leverage escalated privileges to disrupt services or deploy ransomware. Organizations with custom installation directories are particularly vulnerable, as default ACLs are not set properly, increasing the attack surface. The vulnerability also raises concerns for managed service providers and cloud environments in Europe that deploy MongoDB BI connectors on Windows platforms. Given the high CVSS score and the critical role of BI connectors in data workflows, the potential damage is substantial.
Mitigation Recommendations
1. Immediately audit all MongoDB Connector for BI installations on Windows to identify custom installation directories and verify their ACL settings.
2. Manually set restrictive ACLs on these directories to ensure only authorized users and service accounts have access, preventing unauthorized modifications.
3. Limit local user privileges on Windows systems hosting the connector to the minimum necessary, reducing the risk of privilege escalation.
4. Monitor file system changes and access logs for suspicious activity related to the BI connector directories.
5. Implement application whitelisting and endpoint detection to detect and block unauthorized code execution attempts.
6. Stay alert for official patches or updates from MongoDB Inc and apply them promptly once released.
7. Consider deploying the connector in isolated environments or containers with strict access controls to limit the blast radius.
8. Educate system administrators on secure installation practices, avoiding custom directories unless necessary and ensuring proper permission configurations.
9. Incorporate this vulnerability into incident response plans to quickly address any exploitation attempts.
10. Use vulnerability management tools to track affected versions and ensure timely remediation.
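The following PowerShell script is an added example, not code from the advisory or from MongoDB, covering the ACL audit and hardening steps (1 and 2 above) for the condition described in the technical summary: a custom install directory that inherited write-class permissions for broad principals. The install path, the service account name, and the list of "broad" principals are assumptions; pass the real custom directory as -Path and the account the connector service runs under as -ServiceAccount. The script must run elevated for -Fix, since replacing a DACL requires ownership or administrative rights.

```powershell
# Added example (not from the advisory or from MongoDB). Audits a MongoDB Connector for BI
# install directory for ACEs that let low-privileged users tamper with its contents, and
# with -Fix replaces the DACL with a restrictive, non-inherited one.
param(
    [Parameter(Mandatory = $true)][string]$Path,          # custom install directory (assumption: caller supplies it)
    [string]$ServiceAccount = 'NT AUTHORITY\LOCAL SERVICE', # assumption: account the connector service runs as
    [switch]$Fix
)

# Rights that allow modifying, replacing or re-permissioning files in the directory.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

# Principals that effectively mean "any local user" (assumed list; extend for your domain groups).
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')

function Find-WeakAce {
    # Returns one object per Allow ACE that grants a broad principal write-class rights.
    param([string]$Dir)
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if (($BroadPrincipals -contains $who) -and (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $Dir
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True means the MSI left the parent's ACEs in place
            }
        }
    }
}

function Set-RestrictiveAcl {
    # Breaks inheritance, drops existing explicit ACEs and grants only SYSTEM, Administrators
    # and the service account (read/execute) on the directory tree.
    param([string]$Dir, [string]$Account)
    $acl = Get-Acl -LiteralPath $Dir
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, do not copy inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($grant in @(
            @('NT AUTHORITY\SYSTEM',   'FullControl'),
            @('BUILTIN\Administrators', 'FullControl'),
            @($Account,                 'ReadAndExecute'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $grant[0], $grant[1], $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Dir -AclObject $acl
}

# Audit the root and every subdirectory (files inherit from their directory once -Fix is applied).
$dirs = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Directory | ForEach-Object { $_.FullName })
$weak = @($dirs | ForEach-Object { Find-WeakAce -Dir $_ })

if ($weak.Count -eq 0) {
    Write-Output "No broad write-class ACEs found under $Path"
} else {
    $weak | Format-Table -AutoSize
    if ($Fix) {
        Set-RestrictiveAcl -Dir $Path -Account $ServiceAccount
        Write-Output "Replaced DACL on $Path; re-run without -Fix to confirm nothing remains."
    }
}
```

Run it first without -Fix to see which ACEs are inherited from the parent directory (the "Inherited" column): that is the signature of the MSI leaving the directory's ACL unset. Only the root's DACL is rewritten because the new ACEs carry ContainerInherit and ObjectInherit; if subdirectories also have protected DACLs, call Set-RestrictiveAcl on each of them.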
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mongodb
- Date Reserved: 2025-10-08T21:16:03.837Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68e6e35e7a93ff0f450a133a
Added to database: 10/8/2025, 10:19:10 PM
Last enriched: 10/8/2025, 10:19:28 PM
Last updated: 10/9/2025, 2:38:49 PM
Views: 52