Cyber Resilience

CVE-2026-25212

Critical

Published: 02 April 2026

Published
02 April 2026
Modified
21 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0029 20.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-25212 is a critical-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Percona Monitoring And Management. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-25212 is a critical vulnerability affecting Percona Monitoring and Management (PMM) versions prior to 3.7. The flaw stems from an internal database user retaining specific superuser privileges, which enables an attacker with pmm-admin rights to exploit the "Add data source" feature. This allows breakout from the database context to execute arbitrary shell commands on the underlying operating system. The issue is classified under CWE-250 (Execution with Unnecessary Privileges) and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

An attacker requires only low-privilege pmm-admin access to exploit this vulnerability remotely over the network with no user interaction needed. Successful exploitation grants full remote code execution on the host OS, providing complete confidentiality, integrity, and availability impact due to the scope change from changed components.

Percona addressed this vulnerability in PMM 3.7.0, as detailed in the official release notes, which describe it as an authenticated remote code execution issue via internal data source. Security practitioners should upgrade to PMM 3.7.0 or later to mitigate the risk, per the advisory at https://docs.percona.com/percona-monitoring-and-management/3/release-notes/3.7.0.html#authenticated-remote-code-execution-via-internal-data-source-cve-2026-25212. Additional information is available on Percona's site at https://percona.com.

EU & UK References

Vulnerability details

An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute shell…

more

commands on the underlying operating system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The authenticated RCE arises from exploiting the Add data source feature in the network-accessible PMM application (T1190), directly resulting in arbitrary Unix shell command execution on the host (T1059.004) and privilege escalation from pmm-admin to full OS control due to unnecessary DB superuser privileges (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42833Shared CWE-250
CVE-2025-34274Shared CWE-250
CVE-2026-32643Shared CWE-250
CVE-2025-13375Shared CWE-250
CVE-2025-34515Shared CWE-250
CVE-2024-43653Shared CWE-250
CVE-2025-33223Shared CWE-250
CVE-2024-12673Shared CWE-250
CVE-2025-40942Shared CWE-250
CVE-2025-22890Shared CWE-250

Affected Assets

percona
monitoring and management
≤ 3.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-6 enforces least privilege, directly mitigating the excessive superuser privileges held by the internal database user that allow pmm-admin attackers to execute OS shell commands via the Add data source feature.

prevent

SI-2 requires timely identification, reporting, and correction of system flaws, directly addressing this vulnerability through upgrades to Percona PMM 3.7 or later.

prevent

AC-3 mandates enforcement mechanisms for approved authorizations, preventing pmm-admin users from breaking out of the database context to execute arbitrary shell commands on the OS.

References