
Percona Monitoring and Management 3.3.1

Release date July 30th, 2025
Installation: Installing Percona Monitoring and Management
Upgrade: Migrate PMM 2 to PMM 3

Percona Monitoring and Management (PMM) is an open source database monitoring, management, and observability solution for MySQL, PostgreSQL, and MongoDB. PMM empowers you to:

  • monitor the health and performance of your database systems
  • identify patterns and trends in database behavior
  • diagnose and resolve issues faster with actionable insights
  • manage databases across on-premises, cloud, and hybrid environments

RCE vulnerability in PMM - Immediate action required

We have identified a critical Remote Command Execution (RCE) vulnerability affecting all PMM 2.x and PMM 3.x installations. This vulnerability allows users with CLI access to PMM Client nodes or those with admin-level privileges to exploit the API and execute unauthorized commands on registered nodes.

Affected installations

This vulnerability affects all PMM 2.x and 3.x deployments where PMM Client nodes are connected to the PMM Server. The security flaw originates from the pt-mysql-summary tool, a component of the Percona Toolkit that automatically collects MySQL system information and diagnostics from PMM Client installations.

Affected deployments: All PMM installations with connected PMM Client nodes
Version: PMM 2.x and PMM 3.x
Notes: Remote Command Execution vulnerability through the pt-mysql-summary tool deployed when setting up PMM Clients

Remediation options

This release directly fixes the vulnerability and enhances overall security in all PMM deployments. To upgrade:

  1. Schedule a maintenance window to minimize disruption.
  2. Download the latest PMM release.
  3. Upgrade PMM Server, then upgrade PMM Client.
  4. Change all credentials for the services that PMM monitors, including database user accounts and any other credentials (e.g., API keys, SSH keys) PMM uses to connect to your infrastructure.
  5. Thoroughly check access logs for any potential unauthorized access attempts or suspicious activity.

If you are unable to upgrade to PMM 3.3.1 immediately, implement one of the following temporary measures to reduce risk. These options do not eliminate the vulnerability entirely. Prioritize upgrading to PMM 3.3.1 as soon as possible.

  1. Choose one of the following temporary mitigation options:

    • Make the pt-mysql-summary script non-executable to keep the system information tool on disk but prevent it from being executed via the vulnerable path:
    sudo chmod -x /usr/local/percona/pmm/tools/pt-mysql-summary

    • Delete pt-mysql-summary to permanently remove the vulnerable tool from your system:
    sudo rm -f /usr/local/percona/pmm/tools/pt-mysql-summary

    Dashboard impact

    Both options impact the MySQL Instance Summary dashboard. Since pt-mysql-summary collects system information, disabling or removing this tool will remove CPU, memory, disk, and OS version information from the dashboard. Other performance metrics continue to be collected normally.

  2. Change all credentials for the services that PMM monitors, including database user accounts and any other credentials (e.g., API keys, SSH keys) PMM uses to connect to your infrastructure.

  3. Thoroughly check access logs for any potential unauthorized access attempts or suspicious activity.
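The two temporary mitigations above leave a PMM Client node in one of three states: the tool has been deleted, it is present but not executable, or it is still executable and the node remains exposed. The following script is an added example, not part of the PMM release notes or of the PMM code base; it reports which state a node is in so that an administrator can verify a fleet of clients before and after a maintenance window. The only path it uses is the one given in the release notes; the PT_MYSQL_SUMMARY override variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the PMM release notes): verify that a PMM Client
# node has one of the temporary pt-mysql-summary mitigations applied.
# Default path is the one named in the release notes; PT_MYSQL_SUMMARY is an
# override introduced by this example so the check can be run against a copy.
PT_MYSQL_SUMMARY="${PT_MYSQL_SUMMARY:-/usr/local/percona/pmm/tools/pt-mysql-summary}"

# mitigation_status PATH
# Prints exactly one word describing the tool's state:
#   removed         - file is absent (the "sudo rm -f" mitigation)
#   non-executable  - file exists without execute permission ("sudo chmod -x")
#   executable      - file is still executable; node is not mitigated
# Returns 0 when a mitigation is in place, 1 when the tool is still executable.
mitigation_status() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "removed"
        return 0
    fi
    if [ ! -x "$path" ]; then
        echo "non-executable"
        return 0
    fi
    echo "executable"
    return 1
}

# check_node PATH
# Human-readable report for one node. Exit code mirrors mitigation_status so
# the script can be used in configuration-management or cron-based checks.
check_node() {
    status=$(mitigation_status "$1")
    rc=$?
    case "$status" in
        removed)
            echo "OK: $1 has been deleted (permanent mitigation)" ;;
        non-executable)
            echo "OK: $1 is present but not executable (temporary mitigation)" ;;
        executable)
            echo "ACTION REQUIRED: $1 is executable; apply a mitigation or upgrade to PMM 3.3.1" ;;
    esac
    return $rc
}

# Usage on a PMM Client node (run as root or with sudo to read the path):
#   check_node "$PT_MYSQL_SUMMARY"
```

Both mitigations result in an exit status of 0 from check_node, so the same script distinguishes a node that still needs attention from one that is already mitigated, and the printed state makes the loss of CPU, memory, disk and OS version data on the MySQL Instance Summary dashboard (described above) predictable for that node.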

Support & additional resources

We are available to assist you 24/7 if you need further clarification or assistance.

We will continue to provide updates as new information becomes available.