CVE-2025-26398 PUBLISHED

SolarWinds Database Performance Analyzer Hard-coded Cryptographic Key Vulnerability

Assigner: SolarWinds
Reserved: 08.02.2025 Published: 12.08.2025 Updated: 13.08.2025

SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. If exploited, this vulnerability could lead to a machine-in-the-middle (MITM) attack against users. This vulnerability requires additional software not installed by default, local access to the server and administrator level privileges on the host.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 5.6

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SolarWinds
Product	Database Performance Analyzer
Versions	Default: affected Version 2025.2 and below is affected

Solutions

SolarWinds recommends that customers upgrade to SolarWinds

Database Performance Analyzer 2025.3

as soon as it becomes available.

References

Problem Types

CWE-798 Use of Hard-coded Credentials CWE

Impacts

CAPEC-21 Exploitation of Trusted Credentials