Grafana Enterprise Hit by Critical 10.0 CVSS Flaw Allowing Admin Impersonation

Grafana Patches Critical CVSS 10.0 Vulnerability (CVE-2025-41115) Enabling Admin Impersonation

Severity: CRITICAL
November 22, 2025
Topics: Vulnerability, Patch Management, Cloud Security

CVE Identifiers

CVE-2025-41115 (CRITICAL, CVSS 10.0)

Executive Summary

Grafana Labs has addressed a critical-severity vulnerability, CVE-2025-41115, in its Grafana Enterprise product, assigning it the highest possible CVSS score of 10.0. The flaw allows a malicious or compromised SCIM client to impersonate any user, including administrators, leading to a complete takeover of the Grafana instance. The vulnerability is a logic flaw in how Grafana's System for Cross-domain Identity Management (SCIM) feature handles user provisioning. An attacker can craft a SCIM request that maps their external ID to the internal ID of a privileged user, thereby inheriting their permissions. The issue affects Grafana Enterprise versions 12.0.0 through 12.2.1 under specific configurations. Grafana has released patched versions and urges all on-premise customers to upgrade immediately.


Vulnerability Details

The vulnerability, CVE-2025-41115, is a privilege escalation flaw rooted in the SCIM implementation. SCIM is a standard used to automate user provisioning from an Identity Provider (IdP) to a Service Provider (like Grafana).

The core of the issue lies in the handling of the externalId attribute in a SCIM request. Grafana's code incorrectly mapped this attacker-controllable field directly to the internal user.uid field. The user.uid is an integer that uniquely identifies a user within Grafana's database and determines their role and permissions. The default administrator account, for example, typically has a user.uid of 1.

An attacker with control over a SCIM client could send a provisioning request for a new user but set the externalId to "1". Grafana would process this request and, due to the flaw, associate the new SCIM user with the existing user who has uid=1. This effectively grants the attacker's new account the same privileges as the default administrator, allowing complete impersonation and takeover without needing a password or any other form of authentication for that admin account.

Exploitation Status

The vulnerability was discovered internally by Grafana's security team on November 4, 2025. There is currently no evidence of this vulnerability being exploited in the wild. Grafana confirmed that its own Grafana Cloud instances were not vulnerable and were patched within hours of discovery. Patches were also coordinated with cloud partners like Amazon Managed Grafana and Azure Managed Grafana before the public disclosure.

Affected Systems

For the vulnerability to be exploitable, the following two conditions must be met in the Grafana configuration file:

  1. The SCIM feature flag must be enabled: enableSCIM=true
  2. The user synchronization option must be enabled: user_sync_enabled=true

Impact Assessment

A successful exploit of CVE-2025-41115 results in a full administrative takeover of a Grafana Enterprise instance. Grafana is a central tool for monitoring and observability, often connected to dozens or hundreds of critical data sources, including databases, cloud environments, and application servers. An attacker with admin access could:

  • View, modify, or delete any dashboard or data source.
  • Extract sensitive credentials for connected data sources (e.g., database passwords, API keys).
  • Create rogue administrator accounts to maintain persistence.
  • Manipulate dashboards to hide malicious activity or cause misdirection during an incident.
  • Pivot from Grafana into other parts of the corporate network using the stolen data source credentials.

Given Grafana's central role in many IT environments, the impact of a compromise is extremely severe.

IOCs

As this was discovered internally and there is no known exploitation, no IOCs are available.

Cyber Observables for Detection

Type: log_source
Value: Grafana Server Logs
Description: Look for log entries related to SCIM user synchronization, particularly for updates to existing high-privilege accounts.
Context: Application Log Monitoring, SIEM
Confidence: high

Type: api_endpoint
Value: /api/scim/v2/Users
Description: Monitor for POST or PUT requests to the SCIM API endpoint with a numeric externalId value.
Context: WAF, Reverse Proxy Logs
Confidence: high

Type: configuration_file
Value: grafana.ini
Description: Search for the configuration enableSCIM=true and user_sync_enabled=true to identify vulnerable instances.
Context: Asset Inventory, Configuration Management Database (CMDB)
Confidence: high

Detection Methods

  1. Vulnerability Identification: The most reliable detection method is to check the version of Grafana Enterprise and its configuration. Any instance between versions 12.0.0 and 12.2.1 with both enableSCIM and user_sync_enabled set to true is vulnerable.

  2. Log Review: Review Grafana server logs for unusual SCIM activity. Specifically, look for logs indicating that a privileged user account (like admin) was updated via the SCIM sync process. An example log message might look like t=2025-11-19T10:00:00.000Z lvl=info logger=scim.sync message="User synced" user_id=1 ... where the update was not expected. This is a form of D3-LAM: Local Account Monitoring.
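The two configuration preconditions, the three observables in the table above and both detection methods, turned into runnable checks as an added Python example (this is not code from Grafana Labs or from the article): a grafana.ini check for enableSCIM plus user_sync_enabled, a scan over scim.sync log lines for syncs that touched a privileged user_id, and a check for SCIM Users requests whose externalId is all digits. The ini section names, the sample log lines and the privileged-uid set are constructed assumptions; the uid set should be built from the real admin accounts of the instance.

```python
import configparser
import json
import re

# Constructed grafana.ini fragment. The section names are an assumption; the
# check below looks at every section, so it does not depend on them.
SAMPLE_INI = """\
[feature_toggles]
enableSCIM = true
[auth.scim]
user_sync_enabled = true
"""
# Constructed log lines in the shape of the advisory's example message.
SAMPLE_LOGS = [
    't=2025-11-19T09:59:58.000Z lvl=info logger=scim.sync message="User synced" user_id=42',
    't=2025-11-19T10:00:00.000Z lvl=info logger=scim.sync message="User synced" user_id=1',
]
PRIVILEGED_UIDS = {1}  # default admin uid per the advisory; add your instance's admins
SCIM_SYNC_RE = re.compile(r"logger=scim\.sync\b.*?\buser_id=(\d+)")


def scim_sync_exposed(ini_text: str) -> bool:
    """True when both preconditions for CVE-2025-41115 are set in the ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so 'enableSCIM' is matched exactly
    cp.read_string(ini_text)
    flags = {k: v.strip().lower() == "true"
             for s in cp.sections() for k, v in cp.items(s)}
    return flags.get("enableSCIM", False) and flags.get("user_sync_enabled", False)


def privileged_scim_syncs(lines):
    """Return scim.sync log lines whose user_id is a privileged account (D3-LAM)."""
    hits = []
    for line in lines:
        m = SCIM_SYNC_RE.search(line)
        if m and int(m.group(1)) in PRIVILEGED_UIDS:
            hits.append(line)
    return hits


def numeric_external_id(method: str, path: str, body: str) -> bool:
    """True for a POST/PUT to the SCIM Users endpoint whose externalId is all digits."""
    if method not in ("POST", "PUT") or not path.startswith("/api/scim/v2/Users"):
        return False
    try:
        ext = json.loads(body).get("externalId")
    except (ValueError, AttributeError):
        return False
    return isinstance(ext, str) and ext.isdigit()
```

A hit from privileged_scim_syncs only means a SCIM sync touched an admin uid; compare it against the provisioning changes the IdP team actually expected before treating it as an incident.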

Remediation Steps

Grafana Labs has released patched versions to address this vulnerability. On-premise administrators must upgrade immediately.

  1. Upgrade Grafana Enterprise: Upgrade to one of the following patched versions or later:

    • 12.3
    • 12.2.1
    • 12.1.3
    • 12.0.6

    This is the most effective remediation and is an application of D3-SU: Software Update.

  2. Workaround: If upgrading is not immediately possible, disable the SCIM feature as a temporary mitigation. This can be done by setting enableSCIM = false in the grafana.ini configuration file and restarting the Grafana service. This is a form of D3-ACH: Application Configuration Hardening. However, this will break any automated user provisioning workflows and should only be a temporary measure.

Timeline of Events

  1. November 4, 2025: Grafana's internal security team discovers the CVE-2025-41115 vulnerability.
  2. November 19, 2025: Grafana publicly discloses the vulnerability and releases patched versions.
  3. November 22, 2025: This article was published.

MITRE ATT&CK Mitigations

  • The primary mitigation is to upgrade to a patched version of Grafana Enterprise.
    Mapped D3FEND technique: D3-SU: Software Update.

  • As a temporary workaround, disable the SCIM feature in the Grafana configuration.
    Mapped D3FEND technique: D3-ACH: Application Configuration Hardening.

  • Audit (M1047, enterprise): Audit Grafana server logs for unexpected SCIM synchronization events affecting privileged accounts.
    Mapped D3FEND technique: D3-LAM: Local Account Monitoring.

D3FEND Defensive Countermeasures

The only definitive countermeasure for CVE-2025-41115 is to upgrade all on-premise Grafana Enterprise instances to a patched version (12.3, 12.2.1, 12.1.3, or 12.0.6 and later). This vulnerability is a logic flaw within the application code, and no amount of network filtering or endpoint protection can reliably prevent its exploitation if the vulnerable code is present. Given the 10.0 CVSS score and the potential for complete system takeover, this update should be treated as an emergency change. Administrators must prioritize this patch above all others. After updating, it is crucial to verify the new version is running correctly and to review audit logs for any suspicious account modifications that may have occurred prior to the patch.

For organizations unable to patch immediately, the only viable temporary mitigation is to disable the vulnerable feature. This involves editing the grafana.ini configuration file and setting enableSCIM = false. This action completely removes the attack surface. However, this is a disruptive change that will break any automated user provisioning from an identity provider via SCIM. It should be used only as a stopgap measure while the upgrade is being planned and tested. Furthermore, this incident should prompt a broader review of all feature flags and configurations in Grafana. Any features that are not actively in use should be disabled to reduce the overall attack surface of the application, following the principle of least functionality.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

CVE-2025-41115, Grafana, Vulnerability, Privilege Escalation, CVSS 10, SCIM, Patch Management
