Latest Grafana Enterprise vulnerability: CVE-2025-41115 #
Grafana has issued a security update for a vulnerability in the SCIM (System for Cross-domain Identity Management) provisioning component of Grafana Enterprise. Under certain conditions a malicious or compromised SCIM client can provision a user whose external ID maps onto an existing internal user ID, allowing the attacker to impersonate that user and potentially gain administrative access to the platform. The vulnerability, designated CVE-2025-41115, is rated critical with a base CVSS score of 10.0. Only instances with SCIM provisioning enabled (the enableSCIM feature toggle together with user_sync_enabled under [auth.scim]) are exploitable; open-source Grafana does not ship SCIM and is not affected.
The following versions are affected:
- Grafana Enterprise versions 12.0.0 through 12.2.1
What is Grafana Enterprise? #
Grafana Enterprise is the commercial, self-hosted edition of the open-source Grafana platform. It adds enterprise-only features, including the SCIM provisioning component affected here, and comes with professional support.
What is the impact? #
Successful exploitation allows an attacker who can submit SCIM provisioning requests (a malicious or compromised SCIM client) to impersonate existing users, including administrators, and so gain administrative access to the instance.
Are updates or workarounds available? #
Upgrade affected systems to the patched build for their release line:
- Grafana Enterprise 12.3.0: upgrade to 12.3.0+security-01 or later
- Grafana Enterprise 12.2.x: upgrade to 12.2.1+security-01 or later
- Grafana Enterprise 12.1.x: upgrade to 12.1.3+security-01 or later
- Grafana Enterprise 12.0.x: upgrade to 12.0.6+security-01 or later
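The two questions a practitioner actually needs answered per instance are "is this build still unpatched?" and "is the SCIM provisioning code path even enabled?". The script below is an added example, not runZero's or Grafana's code: the fixed builds follow the upgrade list above, the config keys it inspects ([feature_toggles] enableSCIM and [auth.scim] user_sync_enabled) are Grafana's documented SCIM settings, and the grafana.ini fragments are constructed for the demo.

```python
"""Triage helper for CVE-2025-41115 (Grafana Enterprise SCIM).

Added example, not Grafana's or runZero's code. Fixed builds are taken from
the upgrade table above; the grafana.ini samples are constructed.
"""
import configparser
import re

# First fixed build per affected release line.
FIXED_BY_LINE = {
    (12, 0): "12.0.6+security-01",
    (12, 1): "12.1.3+security-01",
    (12, 2): "12.2.1+security-01",
    (12, 3): "12.3.0+security-01",
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+(.+))?$")


def parse_version(version):
    """Split '12.2.1+security-01' into ((12, 2, 1), 'security-01')."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4)


def needs_patch(version):
    """Return the build to upgrade to, or None if this version is not affected.

    A build counts as fixed when its core version is newer than the fix for
    its line, or equal to it and carrying a '+security-NN' build suffix.
    """
    core, build = parse_version(version)
    target = FIXED_BY_LINE.get(core[:2])
    if target is None:  # 11.x, 12.4+ etc. are outside the affected lines
        return None
    fixed_core, _ = parse_version(target)
    if core > fixed_core:
        return None
    if core == fixed_core and build and build.startswith("security-"):
        return None
    return target


def scim_user_sync_enabled(ini_text):
    """True when SCIM user provisioning is switched on in grafana.ini.

    Both the enableSCIM feature toggle (as 'enableSCIM = true' or listed in
    'enable = ...') and [auth.scim] user_sync_enabled must be on.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    toggles = set()
    if cp.has_section("feature_toggles"):
        for key, value in cp.items("feature_toggles"):  # keys are lowercased
            if key == "enable":  # comma-separated list form
                toggles.update(t.strip().lower() for t in value.split(","))
            elif value.strip().lower() == "true":
                toggles.add(key.lower())
    sync = cp.get("auth.scim", "user_sync_enabled", fallback="false")
    return "enablescim" in toggles and sync.strip().lower() == "true"


def triage(version, ini_text):
    """Combine both checks into a single verdict for one instance."""
    target = needs_patch(version)
    scim_on = scim_user_sync_enabled(ini_text)
    return {
        "upgrade_to": target,
        "scim_user_sync": scim_on,
        "exposed": target is not None and scim_on,
    }


# Constructed grafana.ini fragments for the demo.
EXPOSED_INI = """
[server]
http_port = 3000

[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
group_sync_enabled = true
"""

SAFE_INI = """
[feature_toggles]
enable = correlations,panelTitleSearch

[auth.scim]
user_sync_enabled = false
"""

if __name__ == "__main__":
    for ver, ini in [("12.2.0", EXPOSED_INI),
                     ("12.2.1+security-01", EXPOSED_INI),
                     ("12.1.3", SAFE_INI)]:
        print(ver, triage(ver, ini))
```

An instance that reports an unpatched build but has SCIM user sync off is not exploitable via this bug, but it should still be scheduled for the upgrade; turning SCIM on later would silently reopen it. Conversely, if the upgrade cannot happen right away, disabling SCIM user provisioning removes the affected code path at the cost of pausing user sync from the identity provider.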
How to find potentially vulnerable systems with runZero #
From the Software Inventory, use the following query to locate potentially impacted assets. It matches every Grafana Enterprise install at 12.0.0 or later, including already-patched 12.3.x builds, so confirm each hit's exact build against the upgrade list above:
vendor:"Grafana" AND product:="Grafana%Enterprise" AND (version:>0 AND version:>="12.0.0")
Grafana vulnerability (CVE-2021-43798) #
On December 7, 2021 an exploit for a then-unpatched vulnerability in Grafana, a popular analytics and visualization platform, was published before a fix was available. The flaw is a path traversal in the handler that serves static assets for installed plugins (<grafana_host_url>/public/plugins/<plugin-id>/): ".." segments in the request path are not normalized before the file is read, so an attacker can retrieve any file readable by the Grafana process, including configuration files and credentials such as grafana.ini or the grafana.db database. Tracked as CVE-2021-43798 with a "high" CVSS score of 7.5, it affects every unpatched Grafana release from v8.0.0-beta1 through v8.3.0; because Grafana ships with built-in plugins, no additional plugin needs to be installed for the vulnerable path to exist. Grafana Cloud was reportedly not vulnerable.
The vulnerability was reported privately to Grafana on December 3, 2021, four days before the public leak. Grafana released patched versions (8.3.1, 8.2.7, 8.1.8 and 8.0.7) the day of the leak and advised anyone running a vulnerable version to upgrade as soon as possible. If upgrading isn't an option, Grafana's recommended mitigation is to place a reverse proxy in front of Grafana that normalizes the request path, so that traversal sequences are collapsed before the request reaches Grafana.
As part of basic hygiene, Grafana instances should not be reachable from the internet unless there is a specific need; restrict them to trusted networks or put them behind an authenticating proxy.
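If you had an unpatched instance exposed, the next question is whether anyone used the bug. The script below is an added example, not Grafana's or runZero's code: it scans HTTP access logs for requests under /public/plugins/<plugin-id>/ that escape the plugin directory once decoded and normalized, which is exactly the condition the advisory describes. The log lines are constructed in combined log format; the decoding loop and the normpath check are this example's own approach, not Grafana's patch.

```python
"""Spot CVE-2021-43798 traversal attempts against /public/plugins/<id>/ in
HTTP access logs.

Added example, not Grafana's or runZero's code. The sample log lines are
constructed; the only assumption about the bug is the one the advisory
states: '..' segments after /public/plugins/<plugin-id>/ were not normalized
before the file was served.
"""
import posixpath
import re
from urllib.parse import unquote

PLUGIN_RE = re.compile(r"^/public/plugins/([^/]+)/")
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_path(raw):
    """Strip the query string and percent-decode until the path is stable.

    Decoding repeatedly catches double-encoded traversal (%252e%252e ->
    %2e%2e -> ..); the loop is bounded so crafted input cannot spin it.
    """
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_plugin_traversal(raw_path):
    """True when the request escapes its plugin's asset directory.

    Resolve the decoded path the way a file system would and check that the
    result is still beneath /public/plugins/<plugin-id>: a legitimate asset
    request always is, a traversal never is.
    """
    path = decode_path(raw_path)
    m = PLUGIN_RE.match(path)
    if not m:
        return False
    plugin_dir = f"/public/plugins/{m.group(1)}"
    resolved = posixpath.normpath(path)
    return not (resolved == plugin_dir or resolved.startswith(plugin_dir + "/"))


def scan_log(lines):
    """Return (path, status) for every request that looks like a traversal.

    A 200 on one of these means the file was served: treat its contents as
    disclosed and rotate any secrets held in grafana.ini or grafana.db.
    """
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_plugin_traversal(m.group("path")):
            hits.append((m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample: one benign asset fetch, three traversal attempts (plain,
# single-encoded and double-encoded '..') and an unrelated API call.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/text/module.js HTTP/1.1" 200 1822',
    '203.0.113.9 - - [07/Dec/2021:10:01:05 +0000] "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200 1730',
    '203.0.113.9 - - [07/Dec/2021:10:01:06 +0000] "GET /public/plugins/alertlist/..%2F..%2F..%2F..%2Fetc%2Fgrafana%2Fgrafana.ini HTTP/1.1" 200 3400',
    '203.0.113.9 - - [07/Dec/2021:10:01:07 +0000] "GET /public/plugins/alertlist/%252e%252e/%252e%252e/%252e%252e/var/lib/grafana/grafana.db HTTP/1.1" 404 0',
    '10.0.0.7 - - [07/Dec/2021:10:02:00 +0000] "GET /api/health HTTP/1.1" 200 48',
]

if __name__ == "__main__":
    for path, status in scan_log(SAMPLE_LOG):
        print(f"{status} {path}")
```

The check deliberately works on the request path rather than on a fixed list of ".." patterns: decoding until stable and then normalizing is what a path-normalizing reverse proxy does, so a hit here is a request that such a proxy would have stopped and that an unpatched Grafana would have honoured.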
How to find Grafana instances #
From the Asset Inventory, use the following pre-built query to locate potentially vulnerable Grafana instances within your network:
product:grafana
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.