CVE-2025-3415
published 2025-07-17


Priority: P276
Severity: medium, 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitation: Exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 0.89% (54.9th percentile)
Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01

Affected

8 ranges

Vendor     | Product         | Version range                                   | Fixed in
github.com | grafana_grafana | >= 0, < 1.9.2-0.20250514160932-04111e9f2afd     | 1.9.2-0.20250514160932-04111e9f2afd
grafana    | grafana         | >= 10.4.x, < 10.4.19+security-01                | 10.4.19+security-01
grafana    | grafana         | >= 11.2.x, < 11.2.10+security-01                | 11.2.10+security-01
grafana    | grafana         | >= 11.3.x, < 11.3.7+security-01                 | 11.3.7+security-01
grafana    | grafana         | >= 11.4.x, < 11.4.5+security-01                 | 11.4.5+security-01
grafana    | grafana         | >= 11.5.x, < 11.5.5+security-01                 | 11.5.5+security-01
grafana    | grafana         | >= 11.6.x, < 11.6.2+security-01                 | 11.6.2+security-01
grafana    | grafana         | >= 12.0.x, < 12.0.1+security-01                 | 12.0.1+security-01

Detection & IOCs (extracted from sources)

url: GET /api/alertmanager/grafana/config/api/v1/alerts HTTP/1.1
other (regex): (?i)https?://oapi\.dingtalk\.com/robot/send\?access_token=[^&"\s]+
yara: contains_all(body, "dingtalk.com","dingding-context") AND contains(content_type, "application/json") AND status_code == 200
  • Send an unauthenticated or Viewer-authenticated GET request to /api/alertmanager/grafana/config/api/v1/alerts; a vulnerable Grafana instance will return HTTP 200 JSON containing both 'dingtalk.com' and 'dingding-context' strings, exposing the DingDing webhook URL with access token in plaintext.
  • Extract leaked DingDing webhook URLs matching the pattern https://oapi.dingtalk.com/robot/send?access_token=<TOKEN> from the alertmanager config API response body.
  • Shodan/FOFA asset discovery: search for Grafana instances using http.title:"grafana" or title="grafana" to identify potentially exposed targets.
  • The vulnerability allows Viewer-role users to access sensitive webhook URLs including API tokens through the alertmanager API without elevated privileges, due to misconfigured access control on the DingDing contact-point integration.
  • Exploitation requires the DingDing/DingTalk alerting integration to be explicitly configured in Grafana Alerting; instances without this integration configured are not affected.
  • Affected Grafana versions are those at or below 12.0.1 (and below 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01); fixed versions properly restrict access to DingDing integration settings.

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | v3.1         | 4.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
osv           |              | 4.3   | MEDIUM   |
vulncheck     |              | 4.3   | MEDIUM   |
vendor_redhat |              | 4.3   | MEDIUM   |