Exposed MongoDB (Port 27017)
detect, harden, and verify closure

Cloud security group rule too broad

An AWS security group, Azure NSG, GCP firewall rule, or DigitalOcean rule opens TCP 27017 to 0.0.0.0/0 during a Terraform run, a migration, a debug session, a vendor handoff, or a recovery exercise. The rule is never narrowed, and a public MongoDB listener persists across image rebuilds, autoscaling events, replica-set promotion, and account migrations.

security.authorization disabled

mongod is started with auth turned off, either by leaving the default configuration that ships with self-built containers and docker run examples, by setting security.authorization to disabled in /etc/mongod.conf for a local debug run that ends up in production, or by running mongod without the --auth flag. The first user connecting becomes a de facto admin.

bindIp set to 0.0.0.0 by default

Older MongoDB defaults bound to 0.0.0.0, and self-hosted deployments still inherit that pattern through legacy configuration files, container images, and Helm charts. Modern builds default to 127.0.0.1, but a single net.bindIp line in /etc/mongod.conf or a single MONGO_INITDB environment variable in a Compose file restores the broad bind quickly.

Outdated MongoDB build

Long-lived virtual machines, frozen container images, vendor-distributed appliances, and home-grown installs run a MongoDB release several years behind the upstream support window. End-of-life branches receive no security backports, and recent CVEs (including the 2024 unauthenticated-DoS class and the 2023 deserialisation and $function and $accumulator hardening) turn aged builds into immediate exposure events.

Default ports left advertised

mongod listens on 27017, mongos on 27017, configsvr on 27019, shardsvr on 27018, and the deprecated mongo-express dashboard often on 8081 or 8082 of the same host. Attacker tooling sweeps the full set; restricting one port without restricting the others leaves a covered side path open.

Weak or default credentials still accepted

security.authorization is on but the deployment still accepts default accounts (admin/admin, root/root, mongo/mongo, dba/dba) from a quickstart, a Helm chart, or a one-off recovery script. SCRAM-SHA-1 remains accepted alongside SCRAM-SHA-256, opening the listener to offline cracking of weak passphrases. x509, LDAP, and Kerberos integration that would constrain the credential surface is not configured.

Automated detection

• SecPortal's external scanner port-scan module probes TCP 27017 across every verified domain and host in scope, identifies the responding service as MongoDB through banner and protocol-handshake detection, and raises a critical-severity finding under the rule that database and cache services should never be directly exposed to the internet.
• Continuous monitoring re-runs the external scan on a schedule, so a security-group edit, a Terraform apply, a replica-set promotion, an autoscale event, or a recovered backup host that re-exposes 27017 reopens the finding rather than leaving the regression invisible until the next audit cycle.
• Bulk import accepts Nessus, Burp, and CSV output from network-tier scanners and from Shodan and Censys exports that already list exposed MongoDB instances, so the catalogue stays centralised even when a third-party tool is the original discovery source.

Manual verification

• Use nmap -p 27017,27018,27019,28017 with service detection (-sV) and the mongodb-info and mongodb-databases scripts against the external range to confirm the listener, the server version, the storage engine, and whether authentication is required.
• Run mongosh against each reachable listener to read the server build info, list databases, and confirm whether security.authorization is enabled. A successful db.adminCommand({ listDatabases: 1 }) without credentials is the definitive proof of an unauthenticated listener.
• Cross-reference the MongoDB build banner against the MongoDB Server release notes, the MongoDB security advisory page, and the CISA Known Exploited Vulnerabilities catalogue to identify whether any unpatched MongoDB CVE is present.
• Check Shodan and Censys for the organisation's netblocks and known hostnames to see whether external observatories already list exposed MongoDB instances and the banners they advertise, then reconcile that list against the verified-domain inventory inside the workspace.

Surface every MongoDB listener on one finding record

External scanning and bulk import land every exposed-MongoDB detection on the findings management record with CVSS, the discovered host, the captured banner, the server version, the scan timestamp, and the named owner so the catalogue is a single source of truth rather than a Shodan tab, a spreadsheet, and a Slack thread.

Inspect configuration drift through authenticated scans

Where the team has authorisation, the authenticated scanning path reads the responding service in more detail and pairs the result with the per-host hardening record. Credentials for authenticated runs live in encrypted credential storage scoped to a verified domain so the same database secret is not copied across spreadsheets, chat threads, and pull-request bodies.

Run remediation as a tracked workflow

Each finding flows through the remediation tracking workflow with severity, target close date, named owner, and the agreed compensating control (for example, an inbound source allowlist while the PrivateLink endpoint is provisioned, or a temporary firewall rule while authentication is stood up). Permanent exceptions enter the eight-field exception register with a named approver, a rationale, an effective period, and a renewal cadence.

Verify the fix with retest

Once the firewall rule, security-group edit, mongod.conf change, host retirement, or migration to Atlas private endpoint completes, the retesting workflow re-runs the external scan, confirms the listener is gone or that the responding service now requires authentication on a private interface, and stamps the closure with timestamped evidence rather than a verbal sign-off in a stand-up.

Catch regressions through continuous monitoring

Scheduled continuous monitoring re-scans of verified domains reopen the finding if MongoDB returns to the public internet, if the banner drops back to an end-of-life build, or if a new cloud account joins the estate with an open 27017. A Terraform apply, a replica-set promotion, an autoscaler refresh, or a recovered backup image does not silently reintroduce the exposure.

Pair with the broader exposure catalogue

Exposed MongoDB rarely shows up alone. The same host frequently exposes SSH misconfiguration, default credentials, cloud bucket misconfiguration, or sensitive data exposure. Treating MongoDB exposure as one finding inside a host-level posture review keeps the queue ordered against real residual risk rather than chasing isolated ports one at a time.

Carry the audit trail through closure

The activity log records who opened, scoped, remediated, and verified each exposed-MongoDB finding, so the next ISO 27001, SOC 2, PCI DSS, HIPAA, or cyber insurance review reads the operating evidence from the record rather than from reconstructed memory, archived ticket exports, or screenshots taken weeks after the fact. Where a breach-notification clock starts, the breach-notification workflow reads from the same record.

Communicate posture in leadership language

When database exposure sits inside a broader programme review, the Claude-drafted AI report composes a leadership-ready narrative from the open and closed findings, the remediation cadence, and the linked compliance evidence. The same record drives security leadership reporting without rebuilding the slide deck by hand each quarter.

Self-hosted MongoDB on cloud VMs

EC2, Compute Engine, Azure VM, and DigitalOcean droplet deployments of community-edition MongoDB make up the bulk of historic exposure events. Replace standing 0.0.0.0/0 security-group rules with private subnets, security-group source restrictions to application tiers, and managed bastion access for human operators. Move long-lived production workloads onto Atlas or another managed service where the network boundary is built in.

MongoDB Atlas with permissive IP allowlist

Atlas inherits the deployment defaults of whoever provisioned it. A 0.0.0.0/0 IP access list, a project-wide read role granted by accident, an unrotated programmatic API key, or a peering route that reaches the wrong VPC creates the same exposure pattern as a self-hosted listener. Bind every cluster to PrivateLink or VPC peering, enforce SCRAM-SHA-256 and x509 or AWS IAM for service callers, rotate programmatic API keys quarterly, and use the Atlas audit log as the source of truth for who connected when.

Containerised MongoDB in dev, test, and CI

Dockerised MongoDB instances inherit the official image defaults, environment-variable initialisation, and quickstart Compose files. A misrouted bridge network, a kubectl port-forward left running, an exposed service of type LoadBalancer, or an ingress-controller rule that catches more traffic than intended reopens 27017 quickly. Bake security.authorization on in the Helm chart, default to net.bindIp 127.0.0.1 in dev compositions, and treat any LoadBalancer service for a database as a finding to triage.

Legacy MongoDB on aged builds

Long-lived virtual machines, vendor-distributed appliances, customer-managed instances at acquired companies, and home-grown installs run a MongoDB release several years behind the upstream support window. End-of-life branches receive no security backports. Track these hosts on the finding record with the build identifier, the maintainer contact, and the upgrade path. Where the host cannot be upgraded immediately, isolate it behind a managed network access boundary and document the residual risk decision in the exception register.