What is CVE-2025-41115?
CVE-2025-41115 is a critical privilege escalation and user-impersonation vulnerability in Grafana Enterprise. The issue occurs within the SCIM (System for Cross-domain Identity Management) provisioning feature. When SCIM is enabled, Grafana incorrectly maps the externalId field supplied by a SCIM client to an internal user.uid. This allows a malicious or compromised SCIM client to create a user whose externalId matches the UID of an existing privileged account—most notably the default admin user (uid=1). Grafana then treats the attacker-created account as that privileged user, granting unrestricted administrative access without alerting defenders.
Because SCIM provisioning traffic often appears legitimate, traditional monitoring tools may not detect the malicious activity. The vulnerability is rated CVSS 10.0 (Critical) due to its simplicity, reliability, and potential for full system compromise.
Once exploited, an attacker can impersonate an administrator, manipulate dashboards and alerts, access connected databases and observability data, and pivot into other integrated systems. This makes the vulnerability especially dangerous for organizations that rely on Grafana as a central monitoring or operations console.
What assets are affected by CVE-2025-41115?
CVE-2025-41115 affects Grafana Enterprise 12.x deployments that have SCIM enabled. Impacted versions include:
- 12.0.0 through 12.2.1
enableSCIM = true[auth.scim].user_sync_enabled = true
Grafana OSS is not affected because SCIM is an Enterprise-only feature. Instances where SCIM is disabled are not vulnerable. Managed cloud offerings such as Amazon Managed Grafana and Azure Managed Grafana have already applied patches. The highest-risk assets are internet-facing Grafana Enterprise instances that expose login or SCIM endpoints. These are commonly found across cloud accounts, subsidiaries, or decentralized IT environments where visibility is limited.
Are fixes available?
Yes. Grafana Labs has released patched versions for all affected branches. The following releases include the fix for CVE-2025-41115:
- 12.0.6+security-01
- 12.1.3+security-01
- 12.2.1+security-01
- 12.3.0
Organizations running Grafana Enterprise 12.x with SCIM enabled should upgrade immediately. Disabling SCIM until upgrading provides temporary protection.
Are there any other recommended actions to take?
Beyond patching, organizations should take the following steps:
- Review whether SCIM is truly needed. Disable it and remove unused SCIM API tokens if it is not actively required.
- Restrict network access so only authorized identity providers or provisioning systems can reach SCIM endpoints.
- Audit provisioning logs for suspicious entries, especially newly created users with numeric externalId values associated with privileged accounts.
- Assess downstream systems connected to Grafana, as a compromised admin account may expose additional infrastructure.
Is CVE-2025-41115 being actively exploited?
So far, there are no confirmed reports of widespread exploitation, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog.
However, proof-of-concept exploit code is publicly available, security researchers have demonstrated reliable admin-account takeover, and the CVE is trending across threat-intelligence feeds. Because the attack path is straightforward and requires minimal expertise, early exploitation is highly likely—especially targeting internet-facing instances.
How is CyCognito helping customers identify assets vulnerable to CVE-2025-41115?
CyCognito continuously discovers and analyzes externally exposed assets to help organizations understand whether CVE-2025-41115 may affect their environment. The platform identifies at-risk Grafana Enterprise instances on the public internet, highlights exposure conditions that increase the likelihood of exploitation such as internet-facing deployments where SCIM provisioning may be enabled, and prioritizes remediation based on business importance and potential impact.
An emerging threat advisory for CVE-2025-41115 was added to the CyCognito platform on November 23rd, and CyCognito is actively researching enhanced detection coverage for this vulnerability. The platform already surfaces exposed assets tied to Grafana technologies, and CyCognito advises customers to review any internet-facing Grafana Enterprise systems—especially those that may have SCIM enabled—to assess potential exposure even if they are not yet explicitly identified as running one of the affected versions.
Visit CyCognito’s Emerging Threats page for more information on related vulnerabilities.
How can CyCognito help your organization?
CyCognito helps you find every externally exposed Grafana asset, including the ones you didn’t know existed, then verifies whether they may be affected by CVE-2025-41115 instead of generating noise. By tying exposure to business context, CyCognito highlights which systems matter most so security teams can focus on real risk first, track remediation progress, and continuously monitor for re-exposure as environments change.
If your external footprint includes Grafana Enterprise—especially deployments where SCIM may be enabled—make sure they are upgraded to a patched version and restrict access to provisioning endpoints. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.
