CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-26701

CVSS 10.0v3.1pub. 2025-03-11upd. 2026-04-15

An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of Sudo to root, and sensitive data exposure. This is fixed in PMM2 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova and in PMM3 3.0.0-1.ova and later.

🤖 AI Analysis
How it works

Percona PMM Server in OVA version is supplied with default, unsecured credentials for the built-in service account. An attacker can use these credentials to establish an SSH session with the virtual machine. After gaining access, it is possible to use the Sudo mechanism to escalate privileges to root (privilege escalation), and then gain unrestricted access to all system resources and stored sensitive data.

Impact

An attacker can gain full control over the server operating system (root privileges), enabling reading, modification, or deletion of monitoring data, as well as compromising the infrastructure managed by PMM.

Mitigation & patch

PMM2 should be updated to one of the following versions: 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, or 2.44.0-1.ova, and PMM3 should be updated to version 3.0.0-1.ova or later. Detailed information is available in the vendor's security bulletin at the address provided in references.

Who is affected

Percona PMM Server in OVA format — all PMM2 versions before 2.42.0-1.ova and PMM3 before 3.0.0-1.ova

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References