Warning: Grafana Fixes a Critical Vulnerability in SCIM Enabling Impersonation and Privilege Escalation, Patch Immediately!

Published: 25/11/2025
  • Last update: 25/11/2025
  • Affected software:
    → Grafana Enterprise 12.0.0 to 12.2.1 with SCIM provisioning enabled (SCIM provisioning is an Enterprise feature; Grafana OSS is not affected)
  • Fixed versions:
    → Grafana Enterprise 12.0.6+security-01
    → Grafana Enterprise 12.1.3+security-01
    → Grafana Enterprise 12.2.1+security-01
    → Grafana Enterprise 12.3.0
  • Type: Impersonation and Privilege Escalation
  • CVE/CVSS
    → CVE-2025-41115: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

https://grafana.com/blog/2025/11/19/grafana-enterprise-security-update-critical-severity-security-fix-for-cve-2025-41115/

Risks

CVE-2025-41115 is a critical vulnerability in the SCIM (System for Cross-domain Identity Management) provisioning feature of Grafana Enterprise. Successful exploitation could allow a malicious or compromised SCIM client to provision a user that Grafana treats as an existing user, letting an attacker impersonate users and escalate privileges, including to administrative accounts.

Although no exploitation in the wild has been reported yet, the severity and the low complexity of exploitation make this issue a priority for organizations running Grafana Enterprise with SCIM provisioning enabled. Instances without SCIM user provisioning enabled are not exposed.

This vulnerability has a high impact on the confidentiality, integrity and availability of the Grafana system.

Description

CVE-2025-41115 is a critical security vulnerability affecting Grafana Enterprise 12.0.0 to 12.2.1, specifically in the SCIM provisioning feature introduced to automate user lifecycle management (creation, update and deactivation of users from an identity provider).

The vulnerability results from improper handling of user identity attributes received during SCIM provisioning, in particular the externalId field. When a provisioned user carries a purely numeric externalId, that value can be mapped onto an internal Grafana user ID, so the SCIM-created identity is treated as an existing user. An attacker who controls or has compromised the SCIM client can thereby impersonate existing users, including administrators, and escalate privileges.

The CVSS vector rates the issue as exploitable over the network without prior authentication or user interaction. In practice, exploitation requires SCIM provisioning to be enabled (the enableSCIM feature toggle together with user_sync_enabled = true in the [auth.scim] configuration block) and a SCIM client able to provision users; instances that do not meet these conditions are not affected.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing the fixed versions on vulnerable Grafana Enterprise instances with the highest priority after thorough testing. Where patching must be delayed, disabling SCIM user synchronization (user_sync_enabled = false in the [auth.scim] block) removes the vulnerable code path until the update is applied; SCIM provisioning should then only be re-enabled on a fixed version.

Monitor/Detect
The CCB recommends organizations step up monitoring and detection capabilities to identify related suspicious activity and ensure a swift response in case of an intrusion. For this vulnerability, review SCIM provisioning activity for user resources created with purely numeric externalId values, and audit Grafana user and role assignments for accounts that unexpectedly hold Admin privileges or that do not correspond to an identity your identity provider actually provisioned.
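The following script is an added example for the exposure check and the detection step described above; it is not code from the CCB, from Grafana or from the Grafana advisory. It assumes two things that the advisory does not state: that the Grafana configuration is available as grafana.ini text (settings passed through GF_* environment variables are not seen), and that SCIM provisioning request bodies have been captured as JSON lines, for instance by a reverse proxy logging requests to Grafana's SCIM endpoint. The sample configuration and the sample request bodies are constructed for illustration.

```python
"""Added example (not CCB or Grafana code): two quick checks for CVE-2025-41115.

Assumptions, none of which come from the advisory itself:
  * the Grafana configuration is available as grafana.ini text (values set via
    GF_* environment variables are not seen by this check);
  * SCIM provisioning requests have been captured as JSON lines, for instance
    by a reverse proxy logging request bodies sent to Grafana's SCIM endpoint.
"""
import configparser
import json
import re

NUMERIC_ID = re.compile(r"^[0-9]+$")


def _truthy(value) -> bool:
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def scim_provisioning_enabled(ini_text: str) -> bool:
    """True when grafana.ini enables the vulnerable SCIM user-sync path:
    the enableSCIM feature toggle AND user_sync_enabled under [auth.scim]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so enableSCIM is matched as written
    cp.read_string(ini_text)

    toggles = cp["feature_toggles"] if cp.has_section("feature_toggles") else {}
    # Toggles may be given as a comma list ("enable = a,b") or as "enableSCIM = true".
    listed = [t.strip().lower() for t in toggles.get("enable", "").split(",")]
    toggle_on = "enablescim" in listed or any(
        key.lower() == "enablescim" and _truthy(val) for key, val in toggles.items()
    )

    scim = cp["auth.scim"] if cp.has_section("auth.scim") else {}
    return toggle_on and _truthy(scim.get("user_sync_enabled", "false"))


def suspicious_external_ids(scim_users):
    """Return (userName, externalId) for SCIM User resources whose externalId is
    purely numeric. The advisory names a numeric externalId as the value that can
    be mapped onto an internal Grafana user ID; identity providers normally send
    an opaque identifier (UUID, directory object ID), so all-digit values are
    worth reviewing, especially when the mapped account holds an Admin role."""
    findings = []
    for user in scim_users:
        ext = user.get("externalId")
        if isinstance(ext, int) or (isinstance(ext, str) and NUMERIC_ID.match(ext)):
            findings.append((user.get("userName"), str(ext)))
    return findings


def audit_scim_requests(json_lines):
    """Parse captured SCIM request bodies (one JSON object per line) and flag them."""
    users = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        try:
            body = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON body; nothing to inspect
        if not isinstance(body, dict):
            continue
        if "urn:ietf:params:scim:schemas:core:2.0:User" in body.get("schemas", []):
            users.append(body)
    return suspicious_external_ids(users)


# Constructed sample inputs for a stand-alone run (not real configuration or traffic).
SAMPLE_INI = """
[feature_toggles]
enable = enableSCIM

[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
"""

SAMPLE_SCIM_LOG = [
    json.dumps({"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "userName": "alice@example.com",
                "externalId": "6f1c2d3e-9a8b-4c7d-8e1f-2a3b4c5d6e7f"}),
    json.dumps({"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                "userName": "mallory@example.com",
                "externalId": "1"}),  # all-digit externalId: the pattern to review
]

if __name__ == "__main__":
    print("SCIM user sync enabled:", scim_provisioning_enabled(SAMPLE_INI))
    for user_name, ext in audit_scim_requests(SAMPLE_SCIM_LOG):
        print(f"review: {user_name} provisioned with numeric externalId {ext}")
```

A positive result from scim_provisioning_enabled on an unpatched 12.0.0 to 12.2.1 instance means the preconditions for CVE-2025-41115 are met; a hit from audit_scim_requests is a lead to verify against the identity provider's own records and the Grafana user list, not proof of compromise.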

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://www.tenable.com/cve/CVE-2025-41115