CVE-2025-26701
Published: 11 March 2025
Summary
CVE-2025-26701 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Percona PMM Server (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); it ranks at the 38.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Explicitly requires changing default authenticators prior to first use, directly mitigating the exploitable default service account credentials in Percona PMM Server OVA.
- AC-2 (Account Management): Mandates identification, management, and securing of accounts, including service accounts, to prevent unauthorized SSH access via defaults.
- AC-6 (Least Privilege): Enforces least privilege to restrict service account capabilities, limiting privilege escalation to root via sudo even if initial credentials are guessed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Default credentials directly enable T1078.001 (Valid Accounts: Default Accounts) for initial access; SSH access maps to T1021.004 (Remote Services: SSH); sudo-based privilege escalation to root maps to T1548.003 (Abuse Elevation Control Mechanism: Sudo and Sudo Caching).
NVD Description
An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of Sudo to root, and sensitive data exposure. This is fixed in PMM2 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova and in PMM3 3.0.0-1.ova and later.
Deeper analysis
CVE-2025-26701 is a critical vulnerability affecting Percona PMM Server (OVA) versions before 3.0.0-1.ova. The issue stems from default service account credentials that enable unauthorized access. Exploitation allows attackers to gain SSH access to the server, escalate privileges using sudo to root level, and expose sensitive data. The vulnerability is associated with CWE-1393 and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity due to its network accessibility, low complexity, lack of prerequisites, and broad impact across confidentiality, integrity, and availability with scope change.
Any remote unauthenticated attacker can exploit this vulnerability over the network without user interaction. Successful exploitation grants full root access to the PMM Server instance via SSH, allowing arbitrary command execution, privilege escalation, and extraction of sensitive monitoring data collected by PMM. The high-impact score reflects the potential for complete system compromise and data exfiltration from monitored environments.
Percona's security advisory details the fix in PMM2 versions 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova, as well as PMM3 3.0.0-1.ova and later. Security practitioners should immediately upgrade affected OVA deployments to patched versions and review default credentials in existing installations. Additional mitigation guidance is available at https://www.percona.com/blog/security-advisory-cve-affecting-percona-monitoring-and-management-pmm/.
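As an added example (not Percona's code and not taken from this page), the following audit checks an appliance's configuration for the exposure chain the analysis above describes: a service account that can log in over SSH with a password and then use sudo to reach root. The sshd_config, sudoers and passwd snippets are constructed samples, and the account name `svcaccount` is a placeholder, since the advisory does not name the default account.

```python
import re

# Constructed sample files (placeholders, not taken from a real PMM OVA).
SSHD_CONFIG = """\
Port 22
PermitRootLogin no
# PasswordAuthentication no   <- commented out, so OpenSSH's default (yes) applies
"""
SUDOERS = """\
root       ALL=(ALL:ALL) ALL
# 'svcaccount' is a placeholder; the advisory does not name the default account
svcaccount ALL=(ALL) NOPASSWD: ALL
ops        ALL=(ALL) ALL
%admin     ALL=(ALL) ALL
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svcaccount:x:1000:1000::/home/svcaccount:/bin/bash
ops:x:1001:1001::/home/ops:/bin/bash
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
"""

def sshd_option(config, key, default):
    """Effective value of an sshd_config keyword: first uncommented match wins."""
    for line in config.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip().lower()
    return default

# user  ALL=(ALL) [NOPASSWD:] ALL   (also accepts the (ALL:ALL) runas form)
SUDO_RE = re.compile(r"^(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+(NOPASSWD:\s*)?ALL$")

def sudo_root_users(sudoers):
    """Map user -> True if sudo to root needs no password, False if it prompts."""
    users = {}
    for line in sudoers.splitlines():
        m = SUDO_RE.match(line.split("#", 1)[0].strip())
        if m and not m.group(1).startswith("%"):  # group rules need member lookup; skipped
            users[m.group(1)] = m.group(2) is not None
    return users

def login_users(passwd):
    """Accounts with an interactive shell, i.e. able to log in over SSH."""
    shells_off = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
    return {f[0] for f in (l.split(":") for l in passwd.splitlines() if l)
            if f[6] not in shells_off}

def audit(sshd_config=SSHD_CONFIG, sudoers=SUDOERS, passwd=PASSWD):
    """Return (password_auth_enabled, [(user, sudo_without_password), ...]) for
    non-root accounts that can both log in over SSH and sudo to root."""
    pw_auth = sshd_option(sshd_config, "PasswordAuthentication", "yes") == "yes"
    chain = sorted((u, np) for u, np in sudo_root_users(sudoers).items()
                   if u in login_users(passwd) and u != "root")
    return pw_auth, chain

if __name__ == "__main__":
    pw_auth, chain = audit()
    print("SSH password authentication enabled:", pw_auth)
    for user, nopasswd in chain:
        print(f"{user}: SSH login + sudo to root{' without a password' if nopasswd else ''}")
```

Accounts reported here are the ones whose default credential must be rotated or locked before the appliance is exposed; setting `PasswordAuthentication no` removes the password-guessing path regardless of the sudo rules.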
Details
- CWE(s)