CVE-2025-26398

SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. If exploited, this vulnerability could lead to a machine-in-the-middle (MITM) attack against users. This vulnerability requires additional software not installed by default, local access to the server and administrator level privileges on the host.

CVSS v3 5.6 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.3 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2025-3_release_notes.htm	Release Notes Vendor Advisory
https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26398	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:solarwinds:database_performance_analyzer:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-12 08:15

Updated : 2025-11-17 16:10

NVD link : CVE-2025-26398

Mitre link : CVE-2025-26398

CVE.ORG link : CVE-2025-26398

JSON object : View

Products Affected

solarwinds

database_performance_analyzer

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2025-26398", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@solarwinds.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 0.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.5}]}, "published": "2025-08-12T08:15:26.193", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2025-3_release_notes.htm", "tags": ["Release Notes", "Vendor Advisory"], "source": "psirt@solarwinds.com"}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26398", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@solarwinds.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@solarwinds.com", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. If exploited, this vulnerability could lead to a machine-in-the-middle (MITM) attack against users. This vulnerability requires additional software not installed by default, local access to the server and administrator level privileges on the host."}, {"lang": "es", "value": "Se descubri\u00f3 que SolarWinds Database Performance Analyzer conten\u00eda una clave criptogr\u00e1fica codificada. Si se explota, esta vulnerabilidad podr\u00eda provocar un ataque de m\u00e1quina en el medio (MITM) contra los usuarios. Esta vulnerabilidad requiere software adicional no instalado por defecto, acceso local al servidor y privilegios de administrador en el host."}], "lastModified": "2025-11-17T16:10:05.080", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:database_performance_analyzer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E94BDA9-997F-434F-AE62-D9CED8BDB2CF", "versionEndExcluding": "2025.3"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@solarwinds.com"}