Grafana Enterprise – Critical Security Fix (CVE-2025-41115)
- Security Team

- Dec 4, 2025
- 2 min read


ICS Labs' CTI has identified a critical vulnerability in Grafana Enterprise (CVE-2025-41115), with a CVSS score of 10.0, affecting versions 12.0.0 through 12.2.1. The flaw lies in the SCIM (System for Cross-domain Identity Management) feature, introduced for automated user and team management. In specific configurations, a malicious or compromised SCIM client can provision a user with a numeric externalId, overwriting an internal user ID and enabling impersonation or privilege escalation, up to and including access to the administrator account. This scenario poses a high risk for corporate environments that use SCIM for identity synchronization.
Threat Overview:
The vulnerability occurs when the options enableSCIM and user_sync_enabled are both enabled. Grafana maps the externalId directly onto the internal user.uid, so a numeric value can be interpreted as a legitimate internal ID. A newly provisioned user can therefore be treated as an existing account, such as Admin, resulting in full system compromise. Exploitation requires no complex interaction, only an active SCIM configuration, which makes this a low-complexity, high-severity attack.
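The following is an added example, not code from the original post or from Grafana: a defensive pre-provisioning check that audits SCIM user-create bodies and flags any externalId that is purely numeric (the shape that collides with an internal user ID, as described above). The sample request lines are constructed, and the function and type names are hypothetical.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample SCIM /Users create bodies (RFC 7643 core User shape),
# one JSON object per line, as an IdP would send them. Not real traffic.
SAMPLE_REQUESTS = """\
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"alice@example.com","externalId":"3f1c2a9e-5d4b-4c8a-9e7f-0b1a2c3d4e5f"}
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"bob@example.com","externalId":"1"}
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"eve@example.com","externalId": 42}
{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"carol@example.com"}
not json at all
"""

# Digits only (optionally padded) has the shape of an internal numeric user ID,
# the collision that CVE-2025-41115 turns into impersonation.
NUMERIC_ONLY = re.compile(r"^\s*\d+\s*$")


@dataclass(frozen=True)
class Finding:
    user_name: str
    external_id: str
    reason: str


def check_external_id(payload: dict) -> Optional[Finding]:
    """Flag an externalId that Grafana could confuse with an internal user.uid."""
    ext = payload.get("externalId")  # absent -> nothing is mapped onto user.uid
    user = str(payload.get("userName", "<unknown>"))
    if isinstance(ext, int) and not isinstance(ext, bool):
        return Finding(user, str(ext), "externalId sent as a JSON number")
    if isinstance(ext, str) and NUMERIC_ONLY.match(ext):
        return Finding(user, ext, "externalId is purely numeric")
    return None


def audit_scim_requests(raw: str) -> Tuple[List[Finding], int]:
    """Scan newline-delimited bodies; return findings and the count of unparseable lines."""
    findings, unparseable = [], 0
    for line in filter(str.strip, raw.splitlines()):
        try:
            payload = json.loads(line)
        except json.JSONDecodeError:
            unparseable += 1
            continue
        if isinstance(payload, dict) and (finding := check_external_id(payload)):
            findings.append(finding)
    return findings, unparseable
```

Running `audit_scim_requests(SAMPLE_REQUESTS)` flags bob and eve, leaves alice and carol alone, and counts the malformed line; the same gate can sit in front of the SCIM endpoint or run over captured request logs.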
Key Points of Concern:
Possibility of taking over privileged accounts, including Admin.
Privilege escalation without requiring additional credentials.
High risk in environments with SCIM enabled for automated user lifecycle management.
Direct impact on the integrity and confidentiality of the monitoring environment.
The vulnerability does not affect Grafana OSS, only Grafana Enterprise with SCIM enabled.
Recommended Actions:
Immediately update to one of the patched versions: Grafana Enterprise 12.3.0, 12.2.1, 12.1.3, or 12.0.6.
Review logs and monitor for suspicious activity after updating.
Apply hardening practices and network segmentation.
Implement monitoring to detect changes in privileged accounts.
Latest Updates:
November 4, 2025: Vulnerability discovered during internal audit.
November 5, 2025: Private patch applied to Grafana Cloud.
November 19, 2025: Official disclosure and release of patched versions.