Critical CVE-2025-41115 SCIM Vulnerability in Grafana Enterprise Allows Remote Impersonation and Privilege Escalation
- Rescana
- 2 hours ago

Executive Summary
A critical security vulnerability, identified as CVE-2025-41115 and assigned a maximum CVSS score of 10.0, has been discovered in the SCIM (System for Cross-domain Identity Management) provisioning feature of Grafana Enterprise. This flaw enables remote attackers to impersonate any user, including administrators, and escalate privileges without user interaction, provided certain configuration conditions are met. The vulnerability is not present in the open-source version of Grafana but exclusively affects Grafana Enterprise deployments with SCIM enabled and user synchronization active. The existence of a public proof-of-concept (PoC) exploit significantly elevates the risk profile, making immediate remediation imperative for all affected organizations. Failure to address this vulnerability could result in full administrative compromise of Grafana Enterprise instances, leading to potential data breaches, unauthorized access, and lateral movement within enterprise environments.
Technical Information
The CVE-2025-41115 vulnerability resides in the SCIM provisioning component of Grafana Enterprise versions 12.0.0 through 12.2.1. The flaw is triggered when the enableSCIM feature flag is set to true and the [auth.scim] user_sync_enabled configuration is also enabled. Under these conditions, a malicious or compromised SCIM client can submit a provisioning request containing a numeric externalId value. Due to improper input validation, Grafana directly maps this numeric externalId to an internal user identifier (user.uid). For example, if an attacker submits an externalId of "1", the system will associate the provisioned user with the internal user whose UID is 1—typically the default administrator account.
This mapping flaw allows the attacker to either overwrite the existing user or impersonate them, effectively granting themselves administrative privileges. The attack is conducted entirely over the network and does not require any user interaction, making it highly exploitable in environments where the SCIM endpoint is exposed to the internet or accessible by untrusted parties.
The technical exploitation sequence is as follows: an attacker crafts a SCIM provisioning request with a numeric externalId (such as "1"), sends it to the vulnerable Grafana Enterprise instance, and the application erroneously links the attacker’s account to the privileged internal user. This results in the attacker gaining full administrative access, including the ability to manage dashboards, access sensitive data, and modify system configurations.
The vulnerability is particularly dangerous in multi-tenant, SSO-enabled, or cloud-hosted environments, where SCIM is often used for automated user provisioning and synchronization with identity providers. The attack surface is further expanded in organizations that expose their Grafana Enterprise instances to the public internet or have weak access controls around the SCIM API.
A public PoC exploit is available on GitHub, which automates the attack process. The exploit demonstrates how an attacker can gain administrative access by sending a single crafted request, and it provides clear evidence of the vulnerability’s ease of exploitation. The exploit output typically shows successful privilege escalation, with the attacker able to log in as the compromised user and perform administrative actions.
Indicators of compromise include audit logs showing the creation of new users with numeric externalId values (such as "1" or "2"), unexpected privilege escalations, the appearance of new administrative accounts, and logins from unusual IP addresses or service accounts. SCIM API traffic containing POST or PUT requests to /api/scim/v2/Users with numeric externalId values is a strong indicator of attempted or successful exploitation.
The vulnerability is mapped to the following MITRE ATT&CK techniques: T1078 (Valid Accounts), as exploitation results in the attacker obtaining valid administrative credentials, and T1136 (Create Account), since the attacker can create or overwrite privileged accounts.
Exploitation in the Wild
As of the latest public disclosures, there have been no confirmed reports of in-the-wild exploitation of CVE-2025-41115. However, the situation is highly dynamic due to the availability of a working public PoC exploit on GitHub. The exploit, published in the repository B1ack4sh/Blackash-CVE-2025-41115, allows anyone with network access to a vulnerable Grafana Enterprise instance to automate the attack and gain administrative privileges.
The attack surface is significant for organizations that have exposed their Grafana Enterprise SCIM endpoints to the internet or have not restricted access to trusted identity providers. The risk is especially acute in environments where SCIM is used for automated user provisioning, as these systems are often integrated with critical identity and access management infrastructure.
Security researchers and threat intelligence teams have observed increased scanning activity targeting Grafana endpoints since the disclosure of the vulnerability and the release of the PoC. While no major breaches have been publicly attributed to this flaw yet, the criticality and ease of exploitation make it a high-priority target for both opportunistic attackers and advanced persistent threats.
APT Groups using this vulnerability
At the time of this advisory, there is no public evidence or attribution linking any specific advanced persistent threat (APT) groups or nation-state actors to the exploitation of CVE-2025-41115. No major cybercriminal groups or APTs have claimed responsibility for attacks leveraging this vulnerability, and no targeted campaigns have been reported in open-source threat intelligence feeds.
However, the critical nature of the vulnerability, combined with the availability of a public PoC, makes it highly likely that both opportunistic and targeted attackers will attempt to exploit it in the near future. The vulnerability’s potential for privilege escalation and administrative compromise aligns with the tactics, techniques, and procedures (TTPs) commonly employed by APT groups seeking to gain persistent access to enterprise environments. Organizations in sectors such as finance, healthcare, government, and technology—especially those with multi-tenant or cloud-hosted Grafana Enterprise deployments—should remain vigilant and monitor for signs of exploitation.
Affected Product Versions
The vulnerability affects the following versions of Grafana Enterprise: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.0.5, 12.1.0, 12.1.1, 12.1.2, 12.2.0, and 12.2.1. All of these versions are vulnerable if the SCIM feature is enabled and user synchronization is active. The open-source version of Grafana is not affected.
Patched versions that address the vulnerability are Grafana Enterprise 12.0.6, 12.1.3, 12.2.1+security-01, 12.3.0, and all subsequent releases. Organizations running any of the affected versions should upgrade immediately to a patched release to mitigate the risk of exploitation.
Workaround and Mitigation
The most effective mitigation is to upgrade Grafana Enterprise to version 12.3.0 or the latest available patched maintenance release, such as 12.0.6, 12.1.3, or 12.2.1+security-01. Upgrading will eliminate the vulnerability and restore the integrity of the SCIM provisioning process.
If immediate upgrade is not feasible, organizations should disable the SCIM feature by setting the enableSCIM flag to false and/or configuring [auth.scim] user_sync_enabled = false in the Grafana configuration file. This will prevent the vulnerable code path from being executed and block exploitation attempts.
Additionally, access to the SCIM endpoint should be restricted to trusted identity providers and internal networks only. Exposing the SCIM API to the public internet or untrusted networks significantly increases the risk of exploitation. Network segmentation, firewall rules, and API gateway controls should be implemented to limit access.
For detection, security teams should monitor Grafana audit logs for the creation of new users with numeric externalId values, unexpected privilege escalations, and logins from unusual IP addresses. SCIM API traffic should be inspected for POST or PUT requests to /api/scim/v2/Users containing numeric externalId values. Any such activity should be treated as a potential indicator of compromise and investigated immediately.
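As an added defender-side example (not code from the advisory, from Grafana, or from the PoC repository), the following Python flags the SCIM request pattern described above over constructed request records; the record field names and the idea of a reverse proxy or API gateway exporting them are assumptions, and the check also flags a bare JSON-number externalId, which goes slightly beyond the quoted-string case the advisory cites.

```python
import json
import re

# Route named in the advisory; an optional user id segment and query string are allowed.
SCIM_USERS = re.compile(r"^/api/scim/v2/Users(?:/[^/?#]+)?(?:\?.*)?$")
WRITE_METHODS = {"POST", "PUT"}          # the provisioning writes the advisory calls out
NUMERIC = re.compile(r"^\s*\d+\s*$")

def numeric_external_id(body):
    """Return the externalId when a SCIM User body carries a purely numeric one, else None."""
    try:
        doc = json.loads(body) if body else None
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    ext = doc.get("externalId")
    # Flag both the quoted form ("1") and a bare JSON number (1); bool is an int in Python, so exclude it.
    if isinstance(ext, bool):
        return None
    if isinstance(ext, int):
        return str(ext)
    if isinstance(ext, str) and NUMERIC.match(ext):
        return ext.strip()
    return None

def find_suspicious(requests):
    """Flag SCIM write requests to the Users resource whose externalId is numeric."""
    hits = []
    for r in requests:
        if r.get("method") not in WRITE_METHODS or not SCIM_USERS.match(r.get("path", "")):
            continue
        ext = numeric_external_id(r.get("body", ""))
        if ext is not None:
            hits.append({"src": r.get("src"), "method": r["method"], "path": r["path"], "externalId": ext})
    return hits

# Constructed sample captures (not real traffic): a normal IdP provisioning call, two
# writes with numeric externalId from one source, and two benign records that must not match.
SAMPLE_REQUESTS = [
    {"src": "10.0.4.12", "method": "POST", "path": "/api/scim/v2/Users",
     "body": '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"alice","externalId":"00u1abcd-idp"}'},
    {"src": "203.0.113.7", "method": "PUT", "path": "/api/scim/v2/Users/42",
     "body": '{"userName":"svc-backup","externalId":"1"}'},
    {"src": "203.0.113.7", "method": "POST", "path": "/api/scim/v2/Users",
     "body": '{"userName":"svc-backup2","externalId":2}'},
    {"src": "10.0.4.12", "method": "GET", "path": "/api/scim/v2/Users?filter=userName%20eq%20%22alice%22", "body": ""},
    {"src": "10.0.4.12", "method": "POST", "path": "/api/scim/v2/Groups",
     "body": '{"displayName":"ops","externalId":"3"}'},
]
```

Running `find_suspicious(SAMPLE_REQUESTS)` returns only the two 203.0.113.7 writes; each hit carries the source, method, path and offending externalId so it can be raised as an alert and correlated with audit-log user creations.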
References
For further technical details and official guidance, please consult the following resources:
Grafana Security Advisory (CVE-2025-41115): https://grafana.com/security/security-advisories/cve-2025-41115/
The Hacker News: Grafana Patches CVSS 10.0 SCIM Flaw: https://thehackernews.com/2025/11/grafana-patches-cvss-100-scim-flaw.html
GitHub PoC: B1ack4sh/Blackash-CVE-2025-41115: https://github.com/B1ack4sh/Blackash-CVE-2025-41115
LinkedIn Disclosure by Grímur Grímursson: https://www.linkedin.com/posts/grimur-grimursson_github-b1ack4shblackash-cve-2025-41115-activity-7397662726858096640-nQai
NVD Entry for CVE-2025-41115: https://nvd.nist.gov/vuln/detail/CVE-2025-41115
Rescana is here for you
At Rescana, we understand that the evolving threat landscape demands proactive and comprehensive risk management. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. By leveraging advanced threat intelligence, automated assessments, and real-time alerts, we help you stay ahead of emerging vulnerabilities and ensure the resilience of your critical assets. If you have any questions about this advisory or require further assistance, our team is ready to support you at ops@rescana.com.