DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Mongobleed: 87,000 MongoDB Instances Are Leaking Your Secrets

Patrick Duggan
Jan 12
2 min read

The Vulnerability

CVE-2025-14847 - "Mongobleed"

When MongoDB processes malformed compressed messages, it returns uninitialized heap memory to remote clients.

No authentication required. No credentials needed. Just send a packet, receive secrets.

CISA Deadline: January 19, 2026 (7 days from now)

What's Leaking

The heap contains whatever MongoDB was recently doing:

Database credentials
API keys
Authentication tokens
Session data
User PII
Query results
Connection strings

This isn't theoretical. Researchers are actively demonstrating data exfiltration from vulnerable instances.

The Scale

87,000+ potentially vulnerable instances identified via internet scanning.

Region	Exposed Instances
United States	~28,000
China	~15,000
Germany	~8,000
India	~6,000
France	~5,000

That's 87,000 databases bleeding secrets to anyone who asks.

The Attack

1. Attacker crafts malformed compressed message
2. Sends to MongoDB port (default: 27017)
3. MongoDB processes message incorrectly
4. Uninitialized heap memory returned in response
5. Attacker receives fragments of server memory
6. Repeat until credentials/keys are captured

No brute force. No exploitation complexity. Just ask and receive.

Who's Vulnerable

MongoDB versions before 8.0.4, 7.0.16, and 6.0.20

MongoDB 8.0.0 - 8.0.3
MongoDB 7.0.0 - 7.0.15
MongoDB 6.0.0 - 6.0.19

You are vulnerable. Patch now.

Why This Is Different

Authentication
Specific application states
Complex exploitation chains

Mongobleed requires nothing. Internet exposure + vulnerable version = data leak.

This is the MongoDB equivalent of Heartbleed. Hence the name.

The Detection Problem

How do you know if you've been exploited?

You probably don't.

Looks like normal MongoDB traffic
Doesn't trigger authentication failures
Doesn't crash the server
Doesn't leave obvious forensic artifacts

If your MongoDB was internet-exposed and unpatched, assume your credentials are compromised.

What To Do

Immediate (Today)

Patch MongoDB to 8.0.4+, 7.0.16+, or 6.0.20+
Rotate all credentials stored in or accessible via MongoDB
Rotate API keys that MongoDB connections used
Invalidate sessions for all users

If You Can't Patch

Block port 27017 at the firewall (and any custom ports)
Require authentication for all connections
Enable TLS with certificate validation
Whitelist allowed client IPs

Forensics

Check for unusual network patterns on MongoDB ports
Review connection logs for unknown sources
Audit credential usage for anomalies
Assume breach, investigate accordingly

The Broader Pattern

Mongobleed joins a growing list of "it was exposed the whole time" vulnerabilities:

Vuln	Year	Impact
Heartbleed (OpenSSL)	2014	Memory disclosure
EternalBlue (SMB)	2017	Remote code execution
Log4Shell	2021	Remote code execution
Mongobleed	2025	Memory disclosure

The pattern: Core infrastructure component + default configs + internet exposure = mass compromise.

Our Response

We're adding Mongobleed-related IOCs to our tracking:

IPs scanning for MongoDB ports
Known exploitation attempts
Malicious infrastructure targeting databases

Check our STIX feed for updates: https://analytics.dugganusa.com/api/v1/stix-feed

The Deadline

January 19, 2026.

That's 7 days for federal agencies. That's 7 days for you too.

Every day you wait is a day your secrets are bleeding.

Patch your Mongo.

Her name is Renee Nicole Good.

Get Free IOCs

Subscribe to our threat intelligence feeds for free, machine-readable IOCs:

AlienVault OTX: https://otx.alienvault.com/user/pduggusa STIX 2.1 Feed: https://analytics.dugganusa.com/api/v1/stix-feed

Questions? [email protected]