
CVE-2025-12893: CWE-295 Improper Certificate Validation in MongoDB Inc. MongoDB Server

Severity: Medium
Tags: Vulnerability, CVE-2025-12893, cve, cwe-295
Published: Tue Nov 25 2025 (11/25/2025, 05:07:17 UTC)
Source: CVE Database V5
Vendor/Project: MongoDB Inc.
Product: MongoDB Server

Description

Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = clientAuth may still be successfully authenticated via the TLS handshake as a client. This issue is specific to MongoDB servers running on Windows or Apple, as the expected validation behavior functions correctly on Linux systems. Additionally, MongoDB servers may successfully establish egress TLS connections with servers that present server certificates not aligning with the documented Extended Key Usage (EKU) requirements. A certificate that specifies extendedKeyUsage but is missing extendedKeyUsage = serverAuth may still be successfully authenticated via the TLS handshake as a server. This issue is specific to MongoDB servers running on Apple, as the expected validation behavior functions correctly on both Linux and Windows systems. This vulnerability affects MongoDB Server v7.0 versions prior to 7.0.26, MongoDB Server v8.0 versions prior to 8.0.16 and MongoDB Server v8.2 versions prior to 8.2.2.

AI-Powered Analysis

AI analysis last updated: 12/02/2025, 06:23:06 UTC

Technical Analysis

CVE-2025-12893 is a vulnerability classified under CWE-295 (Improper Certificate Validation) affecting MongoDB Server versions 7.0 (before 7.0.26), 8.0 (before 8.0.16), and 8.2 (before 8.2.2). The issue arises from improper validation of the Extended Key Usage (EKU) field in TLS client and server certificates during handshake processes on Windows and Apple platforms. Specifically, MongoDB servers on Windows or Apple may accept client certificates that specify extendedKeyUsage but lack the clientAuth attribute, allowing clients to authenticate improperly. Similarly, on Apple platforms, MongoDB servers may establish outbound TLS connections with servers presenting certificates missing the serverAuth EKU attribute. This behavior deviates from the expected strict validation, which is correctly enforced on Linux systems. The vulnerability could allow an attacker to impersonate a legitimate client or server during TLS handshakes, potentially bypassing authentication controls. However, exploitation requires network access and at least low privileges, with no user interaction needed. The vulnerability does not affect availability but may impact confidentiality and integrity to a limited extent. MongoDB Inc. has addressed this issue in patched versions 7.0.26, 8.0.16, and 8.2.2. No public exploits or active exploitation have been reported to date.
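The EKU rule the affected Windows and Apple builds fail to enforce is simple to state: a certificate with no extendedKeyUsage extension is unrestricted, but one that carries the extension must list clientAuth to be accepted as a client (or serverAuth to be accepted as an egress peer). The following added example, written here with Go's standard crypto/x509 and not taken from MongoDB's code base, makes that check explicit and exercises it against constructed throwaway certificates; the function names ekuAllows and selfSigned are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// ekuAllows applies the documented EKU rule: a missing extendedKeyUsage extension is
// unrestricted; if present it must list the purpose the peer is being accepted for.
func ekuAllows(cert *x509.Certificate, required x509.ExtKeyUsage) error {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return nil // extension absent: nothing to enforce
	}
	for _, u := range cert.ExtKeyUsage {
		if u == required {
			return nil
		}
	}
	return fmt.Errorf("extendedKeyUsage present but required purpose %d missing", required)
}

// selfSigned builds a constructed throwaway certificate with the given EKU
// list (nil = extension omitted). Test data only, not a deployment certificate.
func selfSigned(eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// A client certificate that carries only serverAuth: the check must refuse it.
	c, _ := selfSigned([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println("serverAuth-only cert as client:", ekuAllows(c, x509.ExtKeyUsageClientAuth))
}
```

Go's own Certificate.Verify applies the same rule when VerifyOptions.KeyUsages is set; spelling the check out as above keeps the absent-extension case visible, which is the case a reviewer most often gets wrong.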

Potential Impact

For European organizations, this vulnerability presents a risk primarily to the confidentiality and integrity of data transmitted via TLS connections involving MongoDB servers on Windows and Apple platforms. Attackers could exploit this flaw to impersonate clients or servers, potentially gaining unauthorized access to database services or intercepting sensitive data. This risk is heightened in environments where MongoDB is used for critical applications or stores sensitive personal or business data, such as financial institutions, healthcare providers, and government agencies. The lack of proper EKU validation could undermine trust in TLS authentication, increasing the attack surface for man-in-the-middle or unauthorized access attacks. However, the impact is somewhat limited by the requirement for network access and low privileges, and the absence of user interaction reduces the likelihood of widespread exploitation. Organizations relying on Linux-based MongoDB deployments are not affected. The medium CVSS score reflects these moderate risks. Failure to patch could lead to compliance issues with European data protection regulations like GDPR if unauthorized access or data exposure occurs.

Mitigation Recommendations

European organizations should promptly upgrade MongoDB Server instances running on Windows and Apple platforms to versions 7.0.26, 8.0.16, or 8.2.2 or later to remediate this vulnerability. Until patches are applied, organizations should consider the following mitigations: restrict network access to MongoDB servers using firewall rules and network segmentation to limit exposure; enforce strict client and server certificate issuance policies ensuring proper EKU attributes; implement additional application-layer authentication and authorization controls to reduce reliance solely on TLS client authentication; monitor TLS handshake logs for anomalous certificate usage or unexpected client/server connections; and conduct regular vulnerability scans and penetration tests focusing on TLS configurations. Additionally, organizations should review and update their incident response plans to address potential misuse of TLS authentication flaws. Coordination with certificate authorities to validate EKU attributes in issued certificates can further reduce risk. Finally, educating system administrators and security teams about this specific vulnerability will help ensure timely detection and response.


Technical Details

Data Version: 5.2
Assigner Short Name: mongodb
Date Reserved: 2025-11-07T18:24:11.002Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69253b14441560fe7ee1e752

Added to database: 11/25/2025, 5:13:56 AM

Last enriched: 12/2/2025, 6:23:06 AM

Last updated: 1/10/2026, 10:12:36 PM
