CVE-2025-26701
Published: 11 March 2025
Description
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.
Security Summary
CVE-2025-26701 is a critical vulnerability affecting Percona PMM Server (OVA) versions before 3.0.0-1.ova. The issue stems from default service account credentials that enable unauthorized access. Exploitation allows attackers to gain SSH access to the server, escalate privileges using sudo to root level, and expose sensitive data. The vulnerability is associated with CWE-1393 and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), the maximum severity: it is reachable over the network, has low attack complexity, requires no privileges or user interaction, and has high impact on confidentiality, integrity, and availability with a changed scope.
Any remote unauthenticated attacker can exploit this vulnerability over the network without user interaction. Successful exploitation grants full root access to the PMM Server instance via SSH, allowing arbitrary command execution, privilege escalation, and extraction of sensitive monitoring data collected by PMM. The high-impact score reflects the potential for complete system compromise and data exfiltration from monitored environments.
Percona's security advisory details the fix in PMM2 versions 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova, as well as PMM3 3.0.0-1.ova and later. Security practitioners should immediately upgrade affected OVA deployments to patched versions and review default credentials in existing installations. Additional mitigation guidance is available at https://www.percona.com/blog/security-advisory-cve-affecting-percona-monitoring-and-management-pmm/.
Details
- CWE(s): CWE-1393
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Default credentials directly enable T1078.001 for initial access; SSH access maps to T1021.004; sudo-based privilege escalation to root maps to T1548.003.
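
The chain described above (password login by the default service account over SSH, then sudo to root) can be looked for in authentication logs. The following detection sketch is an added example, not code from Percona or from this page; it assumes the common syslog format for sshd and sudo messages, and the account name is a placeholder because the page does not name the default account.

```python
import re

# Hypothetical placeholder: the page does not name the default service
# account, so replace this with the account(s) present on your OVA image.
WATCHED_ACCOUNTS = {"SERVICE_ACCOUNT_PLACEHOLDER"}

SSH_OK = re.compile(
    r"sshd(?:\[\d+\])?: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")
SUDO_ROOT = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=root ; COMMAND=(?P<cmd>.+)$")


def find_chains(lines, watched=WATCHED_ACCOUNTS):
    """Flag a watched account that logs in over SSH with a password
    (T1078.001 / T1021.004) and then runs a command as root via sudo
    (T1548.003)."""
    sessions = {}  # user -> source address of the latest password login
    findings = []
    for line in lines:
        m = SSH_OK.search(line)
        if m:
            # CWE-1393 is a default *password*, so key-based logins are skipped.
            if m["user"] in watched and m["method"] == "password":
                sessions[m["user"]] = m["src"]
            continue
        m = SUDO_ROOT.search(line)
        if m and m["user"] in sessions:
            findings.append({"user": m["user"], "src": sessions[m["user"]],
                             "command": m["cmd"].strip()})
    return findings


# Constructed sample auth-log lines (hostnames, users and addresses are made up).
SAMPLE_LOG = [
    "Mar 11 09:58:01 pmm-test sshd[2101]: Accepted publickey for opsuser from 198.51.100.20 port 50022 ssh2",
    "Mar 11 09:58:30 pmm-test sudo[2150]: opsuser : TTY=pts/0 ; PWD=/home/opsuser ; USER=root ; COMMAND=/usr/bin/systemctl status",
    "Mar 11 10:02:13 pmm-test sshd[2211]: Accepted password for SERVICE_ACCOUNT_PLACEHOLDER from 203.0.113.7 port 51234 ssh2",
    "Mar 11 10:02:40 pmm-test sudo[2290]: SERVICE_ACCOUNT_PLACEHOLDER : TTY=pts/1 ; PWD=/home/svc ; USER=root ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG):
        print(finding)
```

On the sample input only the password login from 203.0.113.7 followed by a root shell is reported; the key-based administrator session is not.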