
A critical security vulnerability has been identified in Percona Monitoring and Management (PMM) Open Virtual Appliance (OVA) installations, posing a significant risk to database environments. The vulnerability, tracked as CVE-2025-26701 with a CVSS score of 10, enables unauthorized root access and potential exposure of sensitive system credentials.
PMM is a widely used open-source database monitoring, management, and observability solution for MySQL, PostgreSQL, and MongoDB. It provides essential tools for database health observation, performance trend analysis, issue troubleshooting, and database management tasks across on-premises and cloud environments.
The vulnerability stems from default service account credentials in OVA provisioning, which can lead to:
- Unauthorized SSH access
- Privilege escalation to root via sudo capabilities
- Potential exposure of service credentials and configurations
Successful exploitation of this vulnerability could grant attackers complete control over affected systems, potentially leading to data breaches, service disruptions, and other severe consequences.
The following PMM deployments are known to be affected:
- PMM Open Virtual Appliance (OVA) installations ≥ 2.38
Percona advises that this list will be updated if additional affected products are identified.
Crucially, this vulnerability ONLY impacts OVA installations. Other deployment methods are not affected, including:
- Docker/Podman containers
- Amazon Machine Images (AMIs)
- Kubernetes deployments (via Helm)
Percona strongly urges users of affected PMM OVA installations to take the following immediate actions:
- UPGRADE IMMEDIATELY to PMM 2.44.0-1 or PMM 3.0.0-1 (strongly recommended).
- CHANGE ALL CREDENTIALS for connected services.
- AUDIT ACCESS LOGS for potential unauthorized access.
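The access-log audit recommended above, together with the two failure modes the advisory names (SSH logins on a default account and escalation to root through sudo), can be checked with a few shell helpers. The script below is an added example written for this page, not Percona's own tooling or part of PMM. It assumes an sshd/sudo log in syslog format (such as /var/log/auth.log or the output of `journalctl -u sshd`) and a sudoers file; the sample data it writes is constructed, and the usernames "alice" and "svc-sample" and the addresses are placeholders, not the appliance's real account names.

```shell
#!/bin/sh
# Added post-incident audit helpers for a PMM OVA host (example code for this
# page, not Percona's). Inputs: a syslog-format auth log and a sudoers file.
# Sample data below is constructed; "alice"/"svc-sample" are placeholders.

# Print each unique "user source-ip" pair that completed an SSH login.
# sshd logs these as "Accepted <method> for <user> from <ip> port <n> ssh2".
ssh_accepted_logins() {
    { grep 'sshd\[[0-9]*\]: Accepted ' "$1" || true; } \
      | awk '{ for (i = 1; i <= NF; i++) {
                 if ($i == "for")  u = $(i + 1)
                 if ($i == "from") s = $(i + 1)
               }
               print u, s }' \
      | sort -u
}

# Count failed password attempts per source address, busiest first, so a
# guessing campaign against a default account stands out.
ssh_failed_by_source() {
    { grep 'sshd\[[0-9]*\]: Failed password' "$1" || true; } \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn
}

# List users who ran a command as root through sudo.
# sudo logs "sudo:    <user> : TTY=... ; USER=root ; COMMAND=...".
sudo_to_root_users() {
    { grep 'sudo:.*USER=root' "$1" || true; } \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "sudo:") print $(i + 1) }' \
      | sort -u
}

# Show sudoers rules granting passwordless ALL; comments are stripped first.
# Rules living in files pulled in via @includedir are not covered here.
sudoers_nopasswd_entries() {
    sed 's/#.*//' "$1" | grep -E 'NOPASSWD:[[:space:]]*ALL' || true
}

# Write constructed sample inputs to the two paths given (auth log, sudoers).
make_sample_data() {
    cat > "$1" <<'EOF'
Mar  3 10:01:12 pmm sshd[1201]: Accepted password for alice from 203.0.113.7 port 51522 ssh2
Mar  3 10:04:55 pmm sshd[1233]: Failed password for root from 198.51.100.23 port 40012 ssh2
Mar  3 10:05:01 pmm sshd[1233]: Failed password for root from 198.51.100.23 port 40012 ssh2
Mar  3 10:05:09 pmm sshd[1240]: Accepted publickey for alice from 10.0.0.5 port 52210 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 11:30:44 pmm sshd[1302]: Accepted password for alice from 203.0.113.7 port 51600 ssh2
Mar  3 11:31:02 pmm sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 12:00:00 pmm sshd[1399]: Accepted password for svc-sample from 198.51.100.23 port 40100 ssh2
EOF
    cat > "$2" <<'EOF'
# constructed sudoers sample
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
svc-sample  ALL=(ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d
EOF
}

# Stand-alone demo over the constructed sample files.
workdir=$(mktemp -d)
make_sample_data "$workdir/auth.log" "$workdir/sudoers"
echo "== accepted SSH logins (user source) =="
ssh_accepted_logins "$workdir/auth.log"
echo "== failed password attempts by source =="
ssh_failed_by_source "$workdir/auth.log"
echo "== users who reached root via sudo =="
sudo_to_root_users "$workdir/auth.log"
echo "== passwordless sudo rules =="
sudoers_nopasswd_entries "$workdir/sudoers"
rm -rf "$workdir"
```

On a real host, point the helpers at the live files (for example `ssh_accepted_logins /var/log/auth.log`) and compare the resulting user/source pairs against the addresses you expect to administer the appliance from; any login for an account you did not create, any root shell via sudo you cannot account for, and any NOPASSWD rule you did not add are the findings to act on, alongside the credential rotation the advisory calls for.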
Percona also reminds users of the following critical security best practice:
- Restrict SSH Access: PMM OVA installations should never have port 22 exposed to the public internet unless additional security hardening measures have been implemented. Always use firewalls, VPNs, or other secure remote access methods.