Cyber Resilience

CVE-2025-26701

Critical

Published: 11 March 2025
Modified: 15 April 2026
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0017 (38.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-26701 is a critical-severity Use of Default Password (CWE-1393) vulnerability in Percona PMM Server (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). EPSS ranks it at the 38.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-26701 is a critical vulnerability affecting Percona PMM Server (OVA) versions before 3.0.0-1.ova. The issue stems from default service account credentials that enable unauthorized access. Exploitation allows attackers to gain SSH access to the server, escalate privileges using sudo to root level, and expose sensitive data. The vulnerability is associated with CWE-1393 and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity due to its network accessibility, low complexity, lack of prerequisites, and broad impact across confidentiality, integrity, and availability with scope change.

Any remote unauthenticated attacker can exploit this vulnerability over the network without user interaction. Successful exploitation grants full root access to the PMM Server instance via SSH, allowing arbitrary command execution, privilege escalation, and extraction of sensitive monitoring data collected by PMM. The high-impact score reflects the potential for complete system compromise and data exfiltration from monitored environments.

Percona's security advisory details the fix in PMM2 versions 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova, as well as PMM3 3.0.0-1.ova and later. Security practitioners should immediately upgrade affected OVA deployments to patched versions and review default credentials in existing installations. Additional mitigation guidance is available at https://www.percona.com/blog/security-advisory-cve-affecting-percona-monitoring-and-management-pmm/.


Vulnerability details

An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of sudo to root, and sensitive data exposure. This is fixed in PMM2 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova and in PMM3 3.0.0-1.ova and later.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1078.001 Default Accounts (Stealth): Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1021.004 SSH (Lateral Movement): Adversaries may use [Valid Accounts](https://attack.
T1548.003 Sudo and Sudo Caching (Privilege Escalation): Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.
Why these techniques?

Default credentials directly enable T1078.001 for initial access; SSH access maps to T1021.004; sudo-based privilege escalation to root maps to T1548.003.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22938 (shared CWE-1393)
CVE-2024-49559 (shared CWE-1393)
CVE-2026-33784 (shared CWE-1393)
CVE-2025-2347 (shared CWE-1393)
CVE-2025-26793 (shared CWE-1393)
CVE-2026-24429 (shared CWE-1393)
CVE-2026-2635 (shared CWE-1393)
CVE-2025-66050 (shared CWE-1393)
CVE-2025-14917 (shared CWE-1393)
CVE-2026-4404 (shared CWE-1393)

Affected Assets

Percona PMM Server (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

NIST 800-53 r5 controls (AI-mapped):

Prevent (IA-5 Authenticator Management): Explicitly requires changing default authenticators prior to first use, directly mitigating the exploitable default service account credentials in Percona PMM Server OVA.

Prevent (AC-2 Account Management): Mandates identification, management, and securing of accounts, including service accounts, to prevent unauthorized SSH access via defaults.

Prevent: Enforces least privilege to restrict service account capabilities, limiting privilege escalation to root via sudo even if initial credentials are guessed.
