CVE-2025-12893 is a vulnerability classified under CWE-295 (Improper Certificate Validation) affecting MongoDB Server versions 7.0 (before 7.0.26), 8.0 (before 8.0.16), and 8.2 (before 8.2.2). The issue arises from the server's TLS handshake implementation on Windows and Apple platforms, where the validation of client and server certificates does not properly enforce Extended Key Usage (EKU) constraints. Specifically, a client certificate that specifies extendedKeyUsage but lacks the clientAuth EKU can still be accepted by the MongoDB server during TLS client authentication on Windows and Apple. Similarly, on Apple systems, MongoDB servers may accept server certificates missing the serverAuth EKU during outbound TLS connections. This improper validation undermines the trust model of TLS, potentially allowing unauthorized clients to authenticate or enabling man-in-the-middle attacks by accepting improperly validated server certificates. The vulnerability does not affect Linux MongoDB servers, which correctly enforce EKU requirements. The CVSS v3.1 base score is 4.2 (medium), reflecting network attack vector, high attack complexity, low privileges required, no user interaction, and limited confidentiality and integrity impact without availability impact. No known exploits have been reported to date. The vulnerability is particularly relevant for environments where MongoDB servers run on Windows or Apple platforms and rely on strict TLS client and server certificate validation for security.

For European organizations, this vulnerability could lead to unauthorized access to MongoDB servers or interception of TLS connections if attackers exploit the improper certificate validation. Confidentiality and integrity of data transmitted over TLS may be compromised, especially in environments using client certificate authentication or mutual TLS. Organizations using MongoDB on Windows or Apple platforms are at risk, particularly those in regulated sectors such as finance, healthcare, and government where data protection is critical. Attackers with network access and low privileges could bypass certificate restrictions, potentially gaining unauthorized database access or intercepting sensitive data. Although no availability impact is expected, the breach of confidentiality and integrity could lead to data leaks, compliance violations (e.g., GDPR), and reputational damage. The risk is lower for Linux-based MongoDB deployments, which are not affected. Given the medium severity and absence of known exploits, the immediate risk is moderate but warrants timely remediation to prevent future exploitation.

European organizations should promptly upgrade MongoDB Server to versions 7.0.26, 8.0.16, 8.2.2 or later to remediate this vulnerability. Until patches are applied, organizations should enforce strict network segmentation and firewall rules to restrict access to MongoDB servers, limiting exposure to trusted clients and internal networks only. Implement monitoring and alerting for unusual TLS handshake failures or unexpected client certificate usage. Review and tighten TLS configuration policies, ensuring only certificates with proper EKU extensions are issued and trusted within the organization. Consider deploying additional network-level TLS inspection or mutual TLS enforcement mechanisms external to MongoDB to compensate for the validation gap. Conduct audits of existing client and server certificates to verify compliance with EKU requirements. For Apple platform deployments, extra caution is advised due to the broader scope of the issue affecting both client and server certificate validation. Finally, maintain up-to-date asset inventories to identify all MongoDB instances running on affected platforms for prioritized patching.