CVE-2025-41115: A Maximum-Severity Privilege Escalation Vulnerability in the Grafana SCIM Component
Following the early November reveal of CVE-2025-48593, a critical RCE issue in the Android System component, another maximum-severity vulnerability is causing a stir in the cyber threat landscape. The newly identified Grafana flaw, tracked as CVE-2025-41115, could enable privilege escalation or user impersonation in specific configurations.
Grafana, as a popular open-source analytics platform, has been abused for offensive purposes throughout the last half-decade, posing a threat to its global users. For instance, in mid-June 2025, researchers uncovered an XSS vulnerability in Grafana, CVE-2025-4123, enabling adversaries to execute malicious plugins and compromise user accounts without requiring elevated permissions.
Such vulnerabilities underscore the growing volume of security issues impacting open-source ecosystems. The 2025 Open Source Security and Risk Analysis (OSSRA) report revealed that 86% of reviewed applications contained vulnerable open-source components, and 81% included flaws rated high or critical. These trends reinforce the ongoing need for proactive vigilance and real-time threat detection content, ensuring defenders can identify and mitigate emerging risks before they escalate.
Register now for the SOC Prime Platform, the industry-leading vendor-agnostic product suite built for real-time defenders, to discover a broad collection of curated detection content and AI-native threat intelligence, helping security teams stay ahead of attackers. Click Explore Detections to get access to context-enriched SOC content for vulnerability exploit detection filtered by the corresponding custom “CVE” tag.
Detection algorithms can be applied across dozens of widely adopted SIEM, EDR, and Data Lake solutions and are aligned with the MITRE ATT&CK® framework. Additionally, each rule is enriched with AI-native threat intel, including CTI links, attack timelines, audit configurations, triage recommendations, and other in-depth metadata.
Security teams can also take advantage of Uncoder AI to instantly convert IOCs into custom hunting queries, generate detection code from raw threat reports, visualize Attack Flow diagrams, enable ATT&CK tags prediction, translate detection content across multiple formats, and perform other daily detection engineering tasks end-to-end.
CVE-2025-41115 Analysis
Grafana has recently rolled out updated builds of Grafana Enterprise 12.3, along with refreshed versions 12.2.1, 12.1.3, and 12.0.6, each addressing a newly discovered maximum-severity vulnerability (CVE-2025-41115). The issue was discovered during an internal audit on November 4, 2025. The flaw has the highest possible CVSS score of 10.0 and affects the SCIM (System for Cross-domain Identity Management) feature, introduced in mid-spring 2025 and currently in public preview.
The issue appears in Grafana 12.x when SCIM provisioning is both enabled and configured. A malicious or compromised SCIM client can provision a user with a numeric externalId, potentially overriding internal user IDs and enabling impersonation, even of an admin account, or escalating privileges.
Exploitation requires both the enableSCIM feature flag and the user_sync_enabled option in the [auth.scim] configuration block to be enabled.
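To make the externalId-to-uid mapping concrete, the following Go model (added here as an illustration, not Grafana's code) seeds a constructed user store with a numeric internal uid, copies externalId straight into the uid the way the flaw is described, and places a hardened provisioning path beside it that rejects numeric externalIds and namespaces the rest. The Directory and Account types and the seed record are assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
)

// Account is a constructed stand-in for an internal Grafana user record.
type Account struct {
	UserName string
	IsAdmin  bool
}

// Directory is a constructed user store keyed by uid; the seed uses a numeric uid.
type Directory struct{ users map[string]Account }

func NewDirectory() *Directory {
	return &Directory{users: map[string]Account{
		"1": {UserName: "admin", IsAdmin: true}, // constructed seed: pre-SCIM internal admin
	}}
}

// ProvisionUnsafe mirrors the flaw as the advisory describes it: externalId is copied
// verbatim into the uid, so a numeric externalId matching an existing uid resolves to it.
func (d *Directory) ProvisionUnsafe(externalID, userName string) Account {
	if acct, exists := d.users[externalID]; exists {
		return acct // the SCIM login is now bound to someone else's record
	}
	d.users[externalID] = Account{UserName: userName}
	return d.users[externalID]
}

// ProvisionSafe is the hardened variant: numeric externalIds are rejected, the value is
// namespaced so SCIM uids cannot overlap internal ones, and a collision is an error.
func (d *Directory) ProvisionSafe(externalID, userName string) (string, error) {
	if _, err := strconv.ParseInt(externalID, 10, 64); err == nil {
		return "", fmt.Errorf("numeric externalId %q rejected: would shadow an internal uid", externalID)
	}
	uid := "scim:" + externalID
	if _, exists := d.users[uid]; exists {
		return "", fmt.Errorf("externalId %q collides with an existing uid", externalID)
	}
	d.users[uid] = Account{UserName: userName}
	return uid, nil
}

func main() {
	fmt.Printf("unsafe: %+v\n", NewDirectory().ProvisionUnsafe("1", "mallory"))
	fmt.Println(NewDirectory().ProvisionSafe("1", "mallory"))
}
```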
The vulnerability impacts Grafana Enterprise versions 12.0.0 through 12.2.1. Because Grafana maps the SCIM externalId directly to its internal user.uid, numeric values can be misinterpreted as existing user IDs. In specific cases, this could cause a newly created user to be treated as an internal account with elevated privileges.

Grafana instantly released patches as urgent CVE-2025-41115 mitigation measures. Due to the vulnerability’s severity, organizations are strongly encouraged to update immediately to reduce the risk of attacks. Rely on the SOC Prime Platform, which curates the world’s largest detection intelligence dataset and constantly updated detection content against emerging threats, to reinforce your organization’s cybersecurity posture and preempt the cyber attacks that matter most.