The security issue was brought to light over three years ago as a critical vulnerability, but it was only patched around two years ago, according to Matherly. Affected older versions of MongoDB lack a ‘bind_ip 127.0.0.1’ option set in mongodb.conf, leaving the server vulnerable if the user is unaware of the setting, the 2012 security advisory stated. Matherly said it appeared that only versions older than 2.6 were affected, a significant problem given that most users are on versions 2.4.9 and 2.4.10, followed by 2.6.7, he wrote.

https://www.mongodb.com/blog/post/july-mongodb-security-best-practices
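
An added example, not from the original article or from MongoDB: a small audit that checks a mongod configuration for the bind_ip setting discussed above. It goes beyond the page by also accepting the YAML `net.bindIp` form used by newer configuration files; the function names and sample configs are constructed for illustration, and an unset value is treated as listening on all interfaces, as the advisory describes for older versions.

```python
import ipaddress
import re

def bind_addresses(conf_text):
    """Return addresses from bind_ip / net.bindIp, or None when the option is unset."""
    in_net = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # a commented-out bind_ip does not count
        if not line.strip():
            continue
        # Legacy key/value form: "bind_ip = 127.0.0.1" (or "bind_ip 127.0.0.1")
        m = re.match(r"^\s*bind_ip\s*[=\s]\s*(\S.*)$", line)
        if not m and line[0].isspace() and in_net:
            # YAML form: "bindIp:" nested under the top-level "net:" key
            m = re.match(r"^\s+bindIp\s*:\s*(\S.*)$", line)
        if m:
            return [a.strip().strip("\"'") for a in m.group(1).split(",") if a.strip()]
        if not line[0].isspace():
            in_net = line.strip() == "net:"
    return None

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or other value: cannot prove it is loopback

def audit(conf_text):
    """Return (status, non_loopback_addresses) for one configuration file."""
    addrs = bind_addresses(conf_text)
    if addrs is None:
        # Assumption from the advisory: with no bind_ip, older mongod listens on all interfaces
        return ("EXPOSED", ["<all interfaces>"])
    external = [a for a in addrs if not is_loopback(a)]
    return ("REVIEW", external) if external else ("OK", [])

# Constructed sample configurations (not taken from any real host)
LEGACY_UNSET = "dbpath = /var/lib/mongodb\n#bind_ip = 127.0.0.1\nport = 27017\n"
LEGACY_OK = "bind_ip = 127.0.0.1\n"
YAML_WIDE = "net:\n  port: 27017\n  bindIp: 127.0.0.1,0.0.0.0\n"

if __name__ == "__main__":
    for name, conf in [("legacy-unset", LEGACY_UNSET), ("legacy-ok", LEGACY_OK), ("yaml-wide", YAML_WIDE)]:
        print(name, *audit(conf))
```

A `REVIEW` result is not automatically a finding: binding to a non-loopback address can be intentional when authentication and firewalling are in place.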