
A critical security vulnerability in Grafana Enterprise could allow attackers to escalate privileges and impersonate users, including administrators. Tracked as CVE-2025-41115, the flaw carries the maximum CVSS score of 10.0. Continue reading this Cybersecurity Threat Advisory to learn how to protect your own and your clients’ environments.
What is the threat?
Grafana Enterprise 12.x contains a provisioning vulnerability in its SCIM (System for Cross-domain Identity Management) feature, which Grafana Cloud also uses. Because the SCIM externalId is mapped onto the internal user ID, a malicious or compromised SCIM client (SCIM requests are authenticated with a Grafana service account token, so a leaked or over-privileged token is the realistic entry point) can provision a user whose externalId is a numeric string and thereby bind that user to an existing internal user record instead of creating a distinct one. Exploitation requires both of the following conditions: the enableSCIM feature flag set to true, and user_sync_enabled set to true in the [auth.scim] block. The issue affects Grafana Enterprise versions 12.0.0 through 12.2.1; fixes are available in 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01 and 12.3.0.
Why is it noteworthy?
Grafana maps the SCIM externalId directly onto the internal user.id. A numeric externalId such as "1" therefore does not create a separate identity: it resolves to whichever existing account already holds that internal ID, and in a fresh installation the initial Admin account is user ID 1. A user provisioned this way is treated as that existing account, so an attacker who controls the SCIM client can impersonate users or escalate straight to administrator privileges. The collision is silent from the identity provider's point of view, which is why the fix has to be on the Grafana side rather than in IdP policy.
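The following is an added example, not Grafana's code: it models only the behaviour described above (a SCIM externalId used as the internal user.id) so the collision can be observed on constructed data, and shows the hardened lookup beside it. `UserStore`, `provision_vulnerable` and `provision_hardened` are illustrative names, and the SCIM payload is constructed rather than captured from a real identity provider.

```python
"""Simplified model of the CVE-2025-41115 identifier collision.

Added example, not Grafana's implementation. It reproduces only the mapping
the advisory describes: a SCIM externalId treated as the internal user.id.
The user table and SCIM payload below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: int                            # internal numeric id (user.id)
    login: str
    is_admin: bool
    external_id: Optional[str] = None  # SCIM externalId kept as its own column


class UserStore:
    """Minimal stand-in for the user table; id 1 is the initial admin."""

    def __init__(self) -> None:
        self.users: dict[int, User] = {}
        self.add("admin", is_admin=True)  # first account of a fresh install gets id 1

    def add(self, login: str, is_admin: bool = False,
            external_id: Optional[str] = None) -> User:
        new_id = max(self.users, default=0) + 1
        user = User(new_id, login, is_admin, external_id)
        self.users[new_id] = user
        return user

    def by_external_id(self, external_id: str) -> Optional[User]:
        return next((u for u in self.users.values()
                     if u.external_id == external_id), None)


def provision_vulnerable(store: UserStore, scim_user: dict) -> User:
    """Vulnerable pattern: externalId is interpreted as the internal user.id.

    A numeric externalId such as "1" resolves to the existing record with
    that id, so the identity the SCIM client controls is bound to admin.
    """
    ext = scim_user["externalId"]
    if ext.isdigit() and int(ext) in store.users:
        return store.users[int(ext)]  # collision with an existing account
    return store.add(scim_user["userName"], external_id=ext)


def provision_hardened(store: UserStore, scim_user: dict) -> User:
    """Hardened pattern: externalId is matched only against the external_id
    column, never against the internal primary key, whatever its shape."""
    ext = scim_user["externalId"]
    existing = store.by_external_id(ext)
    if existing is not None:
        return existing  # genuine re-provisioning of the same SCIM identity
    return store.add(scim_user["userName"], external_id=ext)


# Constructed SCIM User payload; the schema URN is the standard SCIM 2.0 core user schema.
ATTACKER_PAYLOAD = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "attacker@example.test",
    "externalId": "1",  # numeric string chosen to collide with user.id 1
}


def demo() -> dict:
    """Provision the same payload through both code paths on fresh stores."""
    vulnerable = provision_vulnerable(UserStore(), ATTACKER_PAYLOAD)
    hardened = provision_hardened(UserStore(), ATTACKER_PAYLOAD)
    return {
        "vulnerable_binds_to": (vulnerable.id, vulnerable.login, vulnerable.is_admin),
        "hardened_binds_to": (hardened.id, hardened.login, hardened.is_admin),
    }


if __name__ == "__main__":
    print(demo())
```

With the vulnerable resolver the SCIM identity the attacker controls is bound to user 1 (admin); with the hardened resolver the same payload produces a new, unprivileged user 2. The design point is that an identifier owned by an external party must never double as an internal primary key.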
What is the exposure or risk?
This CVSS 10.0 vulnerability poses a severe risk to organizations using Grafana Enterprise for monitoring and analytics. Exploitation lets attackers impersonate existing users—including administrators—and escalate privileges to gain full control of the Grafana environment. This can lead to unauthorized access to sensitive dashboards, exposure of critical operational and security data, and disruption of monitoring systems essential for decision-making and incident response. Beyond operational impact, a successful attack may cause regulatory non-compliance, reputational damage, and significant financial losses from data breaches and service interruptions. Immediate remediation is critical to protect core infrastructure and business processes.
What are the recommendations?
Barracuda strongly recommends the following actions to secure your own and your clients’ environments:
- Update Grafana Enterprise to 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01 or 12.3.0 (or any later release).
- Until the update is applied, disable SCIM provisioning if it is not actively in use; both of the settings below must be off, since either one alone leaves the feature reachable.
- Set enableSCIM to false in the [feature_toggles] section (or remove it from the enable list), and check that no GF_FEATURE_TOGGLES_* environment variable re-enables it.
- Set user_sync_enabled to false in the [auth.scim] section, and check that GF_AUTH_SCIM_USER_SYNC_ENABLED is not overriding the file.
- Audit existing user accounts for unauthorized changes, paying particular attention to SCIM-provisioned users whose externalId is a numeric string and to unexpected changes to low-numbered accounts such as the initial admin (user ID 1).
- Monitor for suspicious user activity and potential identity manipulation, including SCIM provisioning requests that do not originate from your identity provider, and rotate the service account token used by the SCIM client if compromise is suspected.
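The check below is an added example, not a Barracuda or Grafana tool. It applies the two preconditions and the affected version range from this advisory to a grafana.ini and a version string, honouring Grafana's GF_<SECTION>_<KEY> environment-variable override convention so that a hardened file with a live override is still reported as exposed. The ini text and env dict are constructed sample input; on a real host read the actual grafana.ini and take the version from the /api/health endpoint.

```python
"""Exposure check for CVE-2025-41115: are both preconditions set on an
affected build?

Added example, not part of the advisory or of Grafana. Conditions and
version data are the ones the advisory lists: enableSCIM on (either
`enableSCIM = true` or listed in `enable = ...` under [feature_toggles]),
`user_sync_enabled = true` under [auth.scim], and a version from 12.0.0 to
12.2.1 that is not one of the listed fixed builds. The sample ini strings and
environment dict below are constructed.
"""
import configparser
import re
from typing import Optional

FIXED_VERSIONS = {"12.0.6+security-01", "12.1.3+security-01",
                  "12.2.1+security-01", "12.3.0"}
AFFECTED_LOW, AFFECTED_HIGH = (12, 0, 0), (12, 2, 1)
TRUTHY = {"true", "1", "yes", "on"}


def parse_version(version: str) -> tuple[tuple[int, int, int], Optional[str]]:
    """Split 'MAJOR.MINOR.PATCH[+build]' into a comparable tuple and a build tag."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\+([\w.-]+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def is_affected_version(version: str) -> bool:
    """True for 12.0.0..12.2.1 unless the string is one of the fixed builds."""
    base, build = parse_version(version)
    normalised = ".".join(map(str, base)) + (f"+{build}" if build else "")
    if normalised in FIXED_VERSIONS:
        return False
    return AFFECTED_LOW <= base <= AFFECTED_HIGH


def load_config(ini_text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                    inline_comment_prefixes=(";", "#"))
    cfg.optionxform = str  # keep key case; Grafana toggles are spelled enableSCIM
    cfg.read_string(ini_text)
    return cfg


def _setting(cfg: configparser.ConfigParser, section: str, key: str, env: dict) -> str:
    """Resolve a setting the way Grafana does: env override beats the ini value."""
    env_key = f"GF_{section}_{key}".replace(".", "_").upper()
    if env_key in env:
        return env[env_key]
    if cfg.has_section(section) and cfg.has_option(section, key):
        return cfg.get(section, key) or ""
    return ""


def scim_provisioning_enabled(cfg: configparser.ConfigParser, env: Optional[dict] = None) -> bool:
    """Both advisory preconditions: the feature toggle and user sync."""
    env = env or {}
    toggle = _setting(cfg, "feature_toggles", "enableSCIM", env).strip().lower() in TRUTHY
    listed = "enablescim" in [t.strip().lower() for t in
                              _setting(cfg, "feature_toggles", "enable", env).split(",")]
    user_sync = _setting(cfg, "auth.scim", "user_sync_enabled", env).strip().lower() in TRUTHY
    return (toggle or listed) and user_sync


def assess(ini_text: str, version: str, env: Optional[dict] = None) -> dict:
    cfg = load_config(ini_text)
    enabled = scim_provisioning_enabled(cfg, env)
    affected = is_affected_version(version)
    return {"scim_user_sync_enabled": enabled, "affected_version": affected,
            "exposed": enabled and affected}


# Constructed sample: the weak configuration on an unpatched build ...
WEAK_INI = """
[feature_toggles]
enable = enableSCIM,otherFlag

[auth.scim]
user_sync_enabled = true   ; provisioning switched on
group_sync_enabled = false
"""

# ... and the corrected settings this advisory recommends.
HARDENED_INI = """
[feature_toggles]
enableSCIM = false

[auth.scim]
user_sync_enabled = false
"""

if __name__ == "__main__":
    print(assess(WEAK_INI, "12.2.1"))
    print(assess(HARDENED_INI, "12.2.1+security-01"))
    # An env override flips a hardened ini back on, which is why both must be checked.
    print(assess(HARDENED_INI, "12.1.2", env={"GF_AUTH_SCIM_USER_SYNC_ENABLED": "true",
                                              "GF_FEATURE_TOGGLES_ENABLE": "enableSCIM"}))
```

Run it against each managed instance's ini plus the version reported by /api/health; any result with "exposed": True needs the patch or, failing that, both settings turned off before the next SCIM sync.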
References
For more in-depth information about the recommendations, please visit the following links:
- Grafana Patches CVSS 10.0 SCIM Flaw Enabling Impersonation and Privilege Escalation
- Attackers Escalate Privilege Through Critical Grafana Vulnerability
- Critical Grafana Enterprise Security Flaw CVE-2025-41115: Maximum Severity SCIM Vulnerability Enables User Impersonation and Administrative Privilege Escalation – Security Blog
- CVE-2025-41115 – Exploits & Severity – Feedly
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.