Ethical Hacking News
Grafana Labs has issued a critical security warning for a maximum severity vulnerability (CVE-2025-41115) in Grafana Enterprise that can be exploited to treat newly provisioned users as administrators or to escalate privileges. The flaw lies in SCIM provisioning: when the 'enableSCIM' feature flag and the 'user_sync_enabled' option are both set to true, a user provisioned with a numeric externalId that maps to an internal account, including an administrator, may be treated as that account. Grafana Enterprise versions between 12.0.0 and 12.2.1 are impacted when SCIM is enabled. Administrators should apply one of the patched releases (12.3.0, 12.2.1, 12.1.3 or 12.0.6) to close the vulnerability.
Grafana Labs has issued a critical security warning regarding a maximum severity vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to treat new users as administrators or for privilege escalation. This vulnerability is specifically related to the use of SCIM (System for Cross-domain Identity Management) provisioning, which is currently in 'Public Preview' and has limited support available.
The issue arises when both the 'enableSCIM' feature flag and the 'user_sync_enabled' option are set to true, allowing a malicious or compromised SCIM client to provision a user with a numeric externalId that maps to an internal account, including administrators. The externalId is a SCIM bookkeeping attribute used by the identity provider to track users, and Grafana mapped this value directly to its internal user.uid.
In such cases, the newly provisioned user could be treated as an existing internal account, such as the Admin, leading to impersonation or privilege escalation. This vulnerability impacts Grafana Enterprise versions between 12.0.0 and 12.2.1 (when SCIM is enabled).
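To make the mapping concrete, here is an added example in Go (Grafana's own implementation language) that is not Grafana's code: a toy in-memory user store with the vulnerable mapping, externalId copied straight into the internal uid, next to a hardened version that keeps externalId as an opaque attribute, derives the uid in its own namespace and refuses collisions. The store, the admin uid "1" and the SCIMUser shape are constructed for the model.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed toy model of SCIM user provisioning, not Grafana's code. It
// reproduces the pattern the advisory describes: the vulnerable path copies
// the SCIM externalId straight into the internal user uid, so a numeric
// externalId can resolve to an existing internal account such as the admin.

type User struct {
	UID        string
	Login      string
	ExternalID string // SCIM bookkeeping attribute owned by the identity provider
	IsAdmin    bool
}

type UserStore struct {
	byUID map[string]*User
}

func NewUserStore() *UserStore {
	return &UserStore{byUID: map[string]*User{}}
}

// seedAdmin creates a built-in admin account with an internal numeric uid
// (the value "1" is assumed for the toy model).
func (s *UserStore) seedAdmin() *User {
	admin := &User{UID: "1", Login: "admin", IsAdmin: true}
	s.byUID[admin.UID] = admin
	return admin
}

// SCIMUser is the subset of a SCIM User resource the model needs.
type SCIMUser struct {
	ExternalID string
	UserName   string
}

// provisionVulnerable mirrors the unsafe mapping uid = externalId. When an
// account with that uid already exists, provisioning resolves to it, so the
// "new" user is treated as the existing account, privileges included.
func (s *UserStore) provisionVulnerable(req SCIMUser) *User {
	if existing, ok := s.byUID[req.ExternalID]; ok {
		return existing
	}
	u := &User{UID: req.ExternalID, Login: req.UserName, ExternalID: req.ExternalID}
	s.byUID[u.UID] = u
	return u
}

var ErrUIDCollision = errors.New("scim: externalId resolves to an existing account")

// provisionHardened keeps externalId as an opaque IdP attribute. The uid is
// derived in its own namespace so it can never equal an internal numeric id,
// an existing uid is a hard error rather than a silent match, and a
// SCIM-provisioned user never starts with admin rights.
func (s *UserStore) provisionHardened(req SCIMUser) (*User, error) {
	if req.ExternalID == "" {
		return nil, errors.New("scim: externalId is required")
	}
	uid := "scim-" + req.ExternalID
	if _, ok := s.byUID[uid]; ok {
		return nil, ErrUIDCollision
	}
	u := &User{UID: uid, Login: req.UserName, ExternalID: req.ExternalID, IsAdmin: false}
	s.byUID[u.UID] = u
	return u, nil
}

// scenario provisions a user whose externalId equals the admin's internal
// uid through both code paths and reports whether the result holds admin rights.
func scenario() (vulnerableIsAdmin, hardenedIsAdmin bool, hardenedErr error) {
	req := SCIMUser{ExternalID: "1", UserName: "jdoe"} // constructed request

	s1 := NewUserStore()
	s1.seedAdmin()
	vulnerableIsAdmin = s1.provisionVulnerable(req).IsAdmin

	s2 := NewUserStore()
	s2.seedAdmin()
	u, err := s2.provisionHardened(req)
	if err == nil {
		hardenedIsAdmin = u.IsAdmin
	}
	return vulnerableIsAdmin, hardenedIsAdmin, err
}

func main() {
	v, h, err := scenario()
	fmt.Printf("vulnerable mapping: provisioned user is admin = %v\n", v)
	fmt.Printf("hardened mapping:   provisioned user is admin = %v, err = %v\n", h, err)
}
```

The design point is that an identifier supplied by an external party must never be accepted as a lookup key into the internal identity space; namespacing the derived uid removes the collision by construction, and treating a pre-existing uid as an error rather than a match turns a silent impersonation into a logged failure.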
To address this risk, administrators of self-managed installations can apply one of the following updates:
* Grafana Enterprise version 12.3.0
* Grafana Enterprise version 12.2.1
* Grafana Enterprise version 12.1.3
* Grafana Enterprise version 12.0.6
Grafana Labs recommends upgrading to one of the patched versions as soon as possible, as this vulnerability can be exploited by attackers who have access to a SCIM client.
The fix was introduced roughly 24 hours after the vulnerability was discovered on November 4th. The public release of the security update and the accompanying bulletin followed on November 19th. Grafana Cloud services, including Amazon Managed Grafana and Azure Managed Grafana, have already received the patches.
It is worth noting that Grafana OSS users are not impacted by this vulnerability, as it only affects Enterprise versions with SCIM provisioning enabled. However, users of self-managed installations should take immediate action to address this risk and apply one of the recommended updates.
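As an added example, not from the advisory or from Grafana, the following Go program implements the exposure check an administrator of a self-managed installation would want: Enterprise edition, a version in the affected range (12.0.0 up to, but not including, the fixed release of each minor line), and both SCIM settings switched on. The key names enableSCIM and user_sync_enabled come from the advisory; the grafana.ini section names [feature_toggles] and [auth.scim], and the sample configuration, are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample grafana.ini fragment. The key names come from the
// advisory; the section names [feature_toggles] and [auth.scim] are assumed.
const sampleINI = `
; constructed sample, not a real deployment
[feature_toggles]
enableSCIM = true
[auth.scim]
user_sync_enabled = true
`

// parseINI handles the "[section]" / "key = value" layout with ; or # comments.
func parseINI(text string) map[string]map[string]string {
	cfg := map[string]map[string]string{}
	section := ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, ";") || strings.HasPrefix(line, "#"):
			// blank line or comment
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			section = strings.ToLower(strings.TrimSpace(line[1 : len(line)-1]))
		default:
			if key, val, ok := strings.Cut(line, "="); ok {
				if cfg[section] == nil {
					cfg[section] = map[string]string{}
				}
				cfg[section][strings.TrimSpace(key)] = strings.TrimSpace(val)
			}
		}
	}
	return cfg
}

func isTrue(v string) bool { v = strings.ToLower(v); return v == "true" || v == "1" }

// scimEnabled reports whether both settings named in the advisory are on.
func scimEnabled(cfg map[string]map[string]string) bool {
	return isTrue(cfg["feature_toggles"]["enableSCIM"]) &&
		isTrue(cfg["auth.scim"]["user_sync_enabled"])
}

// fixedPatch maps each affected 12.x minor line to the patch level that fixes
// it: 12.0.6, 12.1.3, 12.2.1. 12.3.0 and later are fixed releases.
var fixedPatch = map[int]int{0: 6, 1: 3, 2: 1}

// versionAffected is true for 12.0.0 up to, but not including, the fixed
// release of the same minor line. Versions outside 12.x are not affected.
func versionAffected(version string) (bool, error) {
	fields := strings.Split(strings.TrimPrefix(version, "v"), ".")
	if len(fields) != 3 {
		return false, fmt.Errorf("unparseable version %q", version)
	}
	var v [3]int
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return false, fmt.Errorf("unparseable version %q", version)
		}
		v[i] = n
	}
	if v[0] != 12 {
		return false, nil
	}
	if fix, known := fixedPatch[v[1]]; known {
		return v[2] < fix, nil
	}
	return false, nil // 12.3.0 and later
}

// exposed combines the three conditions the advisory gives: Enterprise
// edition, an affected version, and SCIM provisioning switched on.
func exposed(edition, version, ini string) (bool, string) {
	if !strings.EqualFold(edition, "enterprise") {
		return false, "Grafana OSS is not affected"
	}
	affected, err := versionAffected(version)
	if err != nil {
		return false, err.Error()
	}
	if !affected {
		return false, "version is patched or outside the affected range"
	}
	if !scimEnabled(parseINI(ini)) {
		return false, "SCIM provisioning is not enabled"
	}
	return true, "affected version with SCIM provisioning enabled: upgrade"
}

func main() {
	for _, ver := range []string{"12.2.0", "12.2.1", "12.0.6", "11.6.0"} {
		ok, why := exposed("Enterprise", ver, sampleINI)
		fmt.Printf("%-7s exposed=%-5v %s\n", ver, ok, why)
	}
}
```

An unparseable version string is reported rather than treated as safe, since a check that silently passes on bad input is worse than one that fails loudly.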
The incident highlights the importance of staying up-to-date with security patches and configuring systems properly to prevent exploitation. As with any critical vulnerability, it is essential for organizations to prioritize their security posture and take proactive measures to protect themselves from potential attacks.
GreyNoise reported unusually elevated scanning activity targeting an old path traversal flaw in Grafana last month, which could be used for mapping exposed instances in preparation for the disclosure of a new flaw. This incident serves as a reminder that cybersecurity threats are constantly evolving, and organizations must remain vigilant to stay ahead of emerging risks.
Related Information:
https://www.ethicalhackingnews.com/articles/Grafana-Warns-of-Critical-SCIM-Vulnerability-Affecting-Enterprise-Users-ehn.shtml
https://www.bleepingcomputer.com/news/security/grafana-warns-of-max-severity-admin-spoofing-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2025-41115
https://www.cvedetails.com/cve/CVE-2025-41115/
Published: Fri Nov 21 12:05:45 2025 by llama3.2 3B Q4_K_M