5 min read
Saved February 14, 2026
Do you care about this?
This article covers the MongoBleed vulnerability (CVE-2025-14847) in MongoDB, a memory disclosure bug that lets an unauthenticated attacker read chunks of server memory over the wire. It then describes a detection method built as a Velociraptor artifact, which flags exploitation attempts by measuring per-source connection velocity and the rate of client metadata in MongoDB's logs.
If you do, here's more
CVE-2025-14847, also known as MongoBleed, is a memory disclosure vulnerability affecting several versions of MongoDB. It lets an attacker extract sensitive data from server memory without authenticating first, which makes any Internet-reachable or multi-tenant mongod a serious concern. The bug is in how the server handles zlib-compressed wire-protocol messages: when zlib network compression is enabled, a crafted compressed message causes mongod to return chunks of its own memory to the client. Affected versions span the major MongoDB branches, and patched releases exist for some branches but not all, so check the vendor advisory for your exact version. Since the leak is in the zlib path, restricting networkMessageCompressors so that zlib is not offered is a common stopgap until you can patch, provided your clients do not depend on it.
Detecting exploitation is hard because the attack leaves little in the logs beyond connection events, and those events lack the client metadata a normal session produces. Every legitimate MongoDB driver sends a client metadata document (driver name, version, platform) on its first handshake, so a connection with no metadata is already unusual. The author turned this into a Velociraptor artifact that scores each source by two signals: connection velocity and metadata rate. A source IP opening 100,000 connections per minute with no metadata on any of them, for example, is flagged as high risk. The velocity component matters: load-balancer health checks, TCP port probes and scanners also open connections that never send metadata, but they do so at a trickle, not a flood. Testing against real attack traffic confirmed the detection fires with high confidence on exploitation.
The artifact parses MongoDB's structured JSON logs, including logs captured from Docker containers, and computes per-source metrics such as peak connections per minute and the fraction of connections that sent client metadata, with thresholds that map those metrics to a risk level. The author validated the thresholds against legitimate traffic and found a stark gap between normal and attack patterns. The detection still depends on the logging setup: mongod's JSON log must be retained (and, for containers, reachable from the host), and the thresholds should be tuned to each environment's baseline rather than copied verbatim.
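The velocity and metadata-rate logic described above, as an added example in Python (this is not the article's Velociraptor artifact, which is written in VQL). It reads mongod JSON log lines, unwraps Docker's json-file format when present, and matches events on the message text ("Connection accepted" and "client metadata") rather than numeric log ids so it survives id changes between versions. The thresholds, the sample log lines and the helper names are all assumptions constructed for the demo; the article's 100,000 connections per minute example is far above what is used here.

```python
"""Connection-velocity / metadata-rate scoring for MongoBleed-style floods.
Added example, not the article's artifact. Thresholds and sample data are
constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime

# Assumed thresholds; tune against your own baseline before deploying.
HIGH_VELOCITY = 1000      # peak accepted connections per minute from one IP
LOW_METADATA_RATE = 0.10  # fraction of connections that sent client metadata


def unwrap_docker(line):
    """Return the mongod JSON object, unwrapping Docker's json-file format
    ({"log": "<mongod json>\\n", "stream": "stdout", "time": "..."})."""
    obj = json.loads(line)
    if "log" in obj and "t" not in obj:
        obj = json.loads(obj["log"])
    return obj


def event_minute(obj):
    """Floor the mongod timestamp (t.$date) to the minute."""
    ts = obj["t"]["$date"].replace("Z", "+00:00")
    return datetime.fromisoformat(ts).replace(second=0, microsecond=0)


def source_ip(remote):
    """Strip the port from 'ip:port'; also handles '[v6]:port'."""
    return remote.rsplit(":", 1)[0].strip("[]")


def summarize(lines):
    """Per source IP: accepted connections per minute and metadata count."""
    accepted = defaultdict(lambda: defaultdict(int))  # ip -> minute -> n
    metadata = defaultdict(int)                         # ip -> n
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = unwrap_docker(raw)
        except (ValueError, TypeError):
            continue  # not JSON (legacy text log line); skip it
        if obj.get("c") != "NETWORK":
            continue
        ip = source_ip(obj.get("attr", {}).get("remote", ""))
        if not ip:
            continue
        if obj.get("msg") == "Connection accepted":
            accepted[ip][event_minute(obj)] += 1
        elif obj.get("msg") == "client metadata":
            metadata[ip] += 1
    return accepted, metadata


def score(lines, high_velocity=HIGH_VELOCITY, low_rate=LOW_METADATA_RATE):
    """Return {ip: {"peak_per_minute", "total", "metadata_rate", "risk"}}."""
    accepted, metadata = summarize(lines)
    out = {}
    for ip, minutes in accepted.items():
        total, peak = sum(minutes.values()), max(minutes.values())
        rate = metadata[ip] / total
        fast, silent = peak >= high_velocity, rate <= low_rate
        risk = "high" if fast and silent else "medium" if fast or silent else "low"
        out[ip] = {"peak_per_minute": peak, "total": total,
                   "metadata_rate": round(rate, 3), "risk": risk}
    return out


def _mongod_line(ts, msg, remote, conn_id, docker=False):
    """Constructed log line in the shape of mongod's JSON log output."""
    attr = {"remote": remote, "connectionId": conn_id}
    if msg == "client metadata":
        attr["doc"] = {"driver": {"name": "PyMongo", "version": "4.x"}}
    line = json.dumps({"t": {"$date": ts}, "s": "I", "c": "NETWORK",
                       "ctx": "listener", "msg": msg, "attr": attr})
    if docker:
        line = json.dumps({"log": line + "\n", "stream": "stdout", "time": ts})
    return line


def sample_log():
    """Constructed traffic: one real driver plus a metadata-less flood."""
    lines = []
    for i in range(3):  # legitimate client: every connection sends metadata
        ts, remote = f"2026-01-10T09:0{i}:00.000+00:00", f"10.0.0.5:5{i}000"
        lines.append(_mongod_line(ts, "Connection accepted", remote, i))
        lines.append(_mongod_line(ts, "client metadata", remote, i))
    for i in range(1500):  # flood: 1500 connections in one minute, no metadata,
        ts = f"2026-01-10T09:05:{i % 60:02d}.000Z"  # via Docker json-file
        remote = f"203.0.113.7:{40000 + i}"
        lines.append(_mongod_line(ts, "Connection accepted", remote, 100 + i, True))
    return lines


if __name__ == "__main__":
    for ip, metrics in score(sample_log()).items():
        print(ip, metrics)
```

Run it as-is to see the constructed flood scored "high" and the legitimate driver "low"; point score() at the lines of a real mongod.log (or `docker logs` output) to run it on your own traffic. Note that a source that is fast but still sends metadata, or slow but silent, scores "medium", which is where health checks and scanners land.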