This vulnerability was discovered Dec 15, 2025 - https://www.cve.org/CVERecord?id=CVE-2025-14847
Although client-side communication directly to MongoDB is generally not easily exploitable since Server Certificates are used to access the Database communications between cluster nodes. However, if you want to ensure all compression is disabled, you can follow these steps to disable zlib compression at the MongoDB server level for additional protection.
Note: If using a clustered ProfileUnity, you will need to do this to each node, one at time. If a standalone server, you would just make the changes to the one server.
- Stop all running ProfileUnity Services on the Console node/server:
- Next, stop the MongoDB service:
- Open "C:\Program Files\MongoDB\Mongod.cfg" using Notepad++ or notepad.exe - If using the latter, you may need to copy the file out to a writable location, then modify it, and replace the old one.
-
Add the 2 lines below underneath the line: disabledProtocols: TLS1_0,TLS1_1 (See screenshot)
compression:
compressors: disabledNOTE IT MUST NOT HAVE ANY TAB CHARACTERS, and SHOULD LOOK LIKE THIS
Note the indentation and placement. You can use a text editor like notepad++ to verify no tab characters exist.
- Save and/or copy the file back in/over the old one. (You cannot modify this file when the service is running - changes will be lost).
- Reboot the server, or start the MongoDB Service & then start the ProfileUnity Services you stopped previously. If a cluster, move on to the next node once all services are running and the cluster status is green.
- Note: This change disables MongoDB network compression, which can add 10-40% more network traffic between ProfileUnity console nodes only not the clients, so once a fix is released by Liquidware, these changes should be reverted/removed.
- You can follow this page to get an email when a Hotfix is released - https://support.liquidware.com/hc/en-us/articles/360033876051-ProfileUnity-Hot-Fix-List
Affected Versions: All