CVE-2025-26701 Overview
A critical vulnerability has been discovered in Percona PMM Server (OVA) before version 3.0.0-1.ova involving default service account credentials. This hardcoded credentials vulnerability allows attackers to gain SSH access to the server, escalate privileges to root using Sudo, and access sensitive data. The vulnerability represents a severe security risk for organizations using affected versions of Percona Monitoring and Management (PMM) deployed as OVA images.
Critical Impact
Attackers can exploit default service account credentials to gain SSH access, escalate to root privileges via Sudo, and expose sensitive monitoring data across the entire infrastructure.
Affected Products
- Percona PMM Server (OVA) versions before 3.0.0-1.ova
- Percona PMM2 versions prior to 2.42.0-1.ova
- Percona PMM3 versions prior to 3.0.0-1.ova
Discovery Timeline
- 2025-03-11 - CVE-2025-26701 published to NVD
- 2025-03-11 - Last updated in NVD database
Technical Details for CVE-2025-26701
Vulnerability Analysis
This vulnerability stems from the use of default service account credentials shipped with Percona PMM Server OVA images. The flaw allows unauthenticated attackers with network access to connect to the SSH service using the known default credentials. Once authenticated, the attacker can leverage Sudo privileges associated with the service account to escalate to root, gaining complete control over the monitoring server and potentially accessing sensitive data collected from monitored database instances.
The vulnerability is classified under CWE-1393 (Use of Default Password), indicating that the root cause is the inclusion of predictable, unchangeable, or improperly secured default credentials in the software distribution.
Root Cause
The vulnerability exists because Percona PMM Server OVA images were distributed with default service account credentials that were not randomized during deployment or required to be changed on first use. This design flaw allows anyone with knowledge of the default credentials to authenticate to the system, bypassing intended access controls.
Attack Vector
The attack can be executed remotely over the network without any prior authentication or user interaction. An attacker would:
- Identify a Percona PMM Server instance accessible over the network
- Attempt SSH authentication using the known default service account credentials
- Upon successful authentication, execute Sudo commands to escalate privileges to root
- Access sensitive monitoring data, configuration files, and potentially pivot to monitored systems
The attack is classified as network-based with low complexity, requiring no privileges or user interaction, making it highly exploitable in environments where PMM Server instances are exposed.
Detection Methods for CVE-2025-26701
Indicators of Compromise
- Unexpected SSH login events to PMM Server from external or unknown IP addresses
- Sudo privilege escalation attempts by the default service account
- Unusual access patterns to monitoring data or configuration files
- New user accounts or SSH keys added to the system
- Modification of authentication-related configuration files
Detection Strategies
- Monitor SSH authentication logs for successful logins using the default service account
- Implement alerting for Sudo commands executed by service accounts
- Review access logs for sensitive monitoring data and configuration endpoints
- Deploy network segmentation monitoring to detect unauthorized access to PMM Server ports
- Use SentinelOne Singularity to detect privilege escalation and suspicious command execution
Monitoring Recommendations
- Enable comprehensive SSH logging and centralize logs for analysis
- Implement failed login attempt monitoring and rate limiting on SSH services
- Deploy network intrusion detection to identify scanning attempts targeting PMM Server
- Configure alerts for any Sudo usage by service accounts outside maintenance windows
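The detection strategies and monitoring recommendations above can be exercised with a small log scanner. The following is an added example written for this page, not Percona's or SentinelOne's code: it runs over constructed auth.log-style lines and flags the events both lists describe (any SSH login or sudo command by the default service account, SSH logins from outside a trusted range, and a burst of failed passwords from one source). The account name `svc-account`, the trusted range 10.0.0.0/8 and the threshold of three failures are assumptions, since the advisory does not give them; substitute your own.

```python
"""Scan auth.log-style lines for the activity this advisory calls out."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the advisory does not name the OVA's default service account; placeholder.
SERVICE_ACCOUNT = "svc-account"
# Assumption: management range considered trusted for SSH.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: failed-password count per source that should raise an alert.
FAILED_THRESHOLD = 3

# Constructed sample lines in OpenSSH/sudo syslog format; not captures from a real host.
SAMPLE_LOG = """\
Mar 11 09:12:01 pmm-server sshd[1201]: Accepted password for svc-account from 203.0.113.7 port 51522 ssh2
Mar 11 09:12:09 pmm-server sudo: svc-account : TTY=pts/0 ; PWD=/home/svc-account ; USER=root ; COMMAND=/bin/bash
Mar 11 09:15:44 pmm-server sshd[1230]: Accepted publickey for ops from 10.0.4.12 port 40110 ssh2
Mar 11 09:16:02 pmm-server sudo:      ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/systemctl status pmm-managed
Mar 11 09:20:17 pmm-server sshd[1255]: Failed password for svc-account from 198.51.100.9 port 33001 ssh2
Mar 11 09:20:19 pmm-server sshd[1255]: Failed password for svc-account from 198.51.100.9 port 33001 ssh2
Mar 11 09:20:22 pmm-server sshd[1257]: Failed password for root from 198.51.100.9 port 33004 ssh2
"""

# Message formats emitted by OpenSSH sshd and by sudo's syslog logging.
SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port")
SSH_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
SUDO_CMD = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str     # service-login | untrusted-login | service-sudo | failed-burst
    subject: str  # user name, or source address for failed-burst
    detail: str


def is_trusted(src: str) -> bool:
    """True when the source address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def scan_lines(lines, account=SERVICE_ACCOUNT, threshold=FAILED_THRESHOLD):
    """Return findings in log order, followed by per-source failed-password bursts."""
    findings = []
    failures = Counter()
    for line in lines:
        line = line.rstrip("\n")
        if m := SSH_ACCEPTED.search(line):
            user, src = m["user"], m["src"]
            if user == account:
                findings.append(Finding("service-login", user, f"{m['method']} from {src}"))
            elif not is_trusted(src):
                findings.append(Finding("untrusted-login", user, f"{m['method']} from {src}"))
        elif m := SSH_FAILED.search(line):
            failures[m["src"]] += 1
        elif (m := SUDO_CMD.search(line)) and m["user"] == account:
            findings.append(Finding("service-sudo", m["user"], f"as {m['target']}: {m['cmd']}"))
    for src, n in failures.items():
        if n >= threshold:
            findings.append(Finding("failed-burst", src, f"{n} failed password attempts"))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:16} {f.subject:16} {f.detail}")
```

On the sample input the scanner reports the service-account password login from 203.0.113.7, its sudo to a root shell, and the three failures from 198.51.100.9; the `ops` login from 10.0.4.12 and its sudo are left alone. Feed it `journalctl -u sshd -u sudo -o cat` output or the host's auth.log, and treat the `service-login` and `service-sudo` kinds as unconditional alerts once the account is no longer meant to be used interactively.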
How to Mitigate CVE-2025-26701
Immediate Actions Required
- Immediately change default service account credentials on all Percona PMM Server instances
- Restrict SSH access to PMM Server to trusted IP ranges or VPN connections only
- Audit current access logs for signs of compromise before patching
- Disable the default service account if not required for operations
- Apply the latest security patches from Percona as outlined below
Patch Information
Percona has released fixed versions that address this vulnerability. Organizations should upgrade to one of the following patched versions:
PMM2 Fixed Versions:
- 2.42.0-1.ova
- 2.43.0-1.ova
- 2.43.1-1.ova
- 2.43.2-1.ova
- 2.44.0-1.ova
PMM3 Fixed Versions:
- 3.0.0-1.ova and later
For detailed upgrade instructions and security guidance, refer to the Percona Security Advisory.
Workarounds
- Restrict network access to SSH port (22) using firewall rules to allow only trusted management IPs
- Implement network segmentation to isolate PMM Server from untrusted networks
- Deploy SSH key-based authentication and disable password authentication entirely
- Remove or disable the default service account if operationally feasible
- Use a bastion host or jump server for all SSH access to PMM infrastructure
# Example: restrict SSH access to a trusted IP range using iptables
# (rules are evaluated in order: these must not sit behind an earlier blanket ACCEPT for port 22)
iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
# Disable password authentication in SSH (key-based auth only):
# set "PasswordAuthentication no" in /etc/ssh/sshd_config, whether the line is present or commented out
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
# Validate the configuration before restarting so a typo cannot lock you out of the host
sshd -t && systemctl restart sshd
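Editing sshd_config is where this workaround is most often undone: sshd uses the first value it reads for a keyword, an `Include` line pulls drop-in files in at that point (so a drop-in listed before your edit wins), and anything after a `Match` block only applies to matching connections. The following added example, written for this page and not taken from Percona or OpenSSH, resolves the effective global `PasswordAuthentication` value under those rules against a constructed in-memory set of files; the file names and contents are made up, and `Include` lines nested inside a `Match` block are not modelled.

```python
"""Report the PasswordAuthentication value sshd will actually use: first value wins,
Include files are read where the Include line sits, lines after Match are conditional."""
import fnmatch

# Constructed stand-in for the filesystem (path -> contents); not files from a real PMM host.
BEFORE = {
    "/etc/ssh/sshd_config": """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User ops
    PasswordAuthentication yes
""",
    # Constructed drop-in left behind by a provisioning step; sshd reads it before the main file's own line.
    "/etc/ssh/sshd_config.d/10-deploy.conf": "PasswordAuthentication yes\n",
}
# Same set of files after the drop-in has been corrected as well.
AFTER = dict(BEFORE, **{"/etc/ssh/sshd_config.d/10-deploy.conf": "PasswordAuthentication no\n"})


def _directives(text):
    """Yield (keyword, argument) pairs, skipping comments and blank lines; keywords are case-insensitive."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def effective_value(files, keyword, entry="/etc/ssh/sshd_config", _seen=None):
    """Return (value, path) of the first global occurrence of keyword, or (None, None) if unset."""
    _seen = set() if _seen is None else _seen
    if entry in _seen:              # guard against Include loops
        return None, None
    _seen.add(entry)
    for key, arg in _directives(files.get(entry, "")):
        if key == "match":
            break                   # remaining lines apply only to matching connections
        if key == "include":
            for pattern in arg.split():
                # sshd reads matching files in sorted order at this point in the parent file
                for path in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    val, where = effective_value(files, keyword, path, _seen)
                    if val is not None:
                        return val, where
            continue
        if key == keyword.lower():
            return arg, entry
    return None, None


def password_auth_enabled(files):
    """True when sshd would still accept passwords globally (its built-in default is yes)."""
    val, _ = effective_value(files, "PasswordAuthentication")
    return (val or "yes").lower() != "no"


if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        val, where = effective_value(files, "PasswordAuthentication")
        print(f"{label}: PasswordAuthentication {val} (from {where}); passwords enabled: {password_auth_enabled(files)}")
```

In the "before" set the main file says `no` but the effective value is `yes` from the drop-in, which is exactly the state a quick grep of /etc/ssh/sshd_config would miss; on a live host, `sshd -T | grep -i passwordauthentication` prints the value sshd itself resolved and is the check to run after any edit.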
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.