cbcvebase.
CVE-2025-41115
published 2025-11-21


Priority: P2 (73) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 17.29% (96.7th percentile)
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by adding automated user lifecycle management. In Grafana 12.x, where SCIM provisioning is enabled and configured, a flaw in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId. Because that value is treated as if it were one of Grafana's internal numeric user IDs, it can override an existing user's identity and lead to impersonation or privilege escalation.

The vulnerability applies only if all of the following conditions are met:
  • the `enableSCIM` feature flag is set to true
  • the `user_sync_enabled` option in the `[auth.scim]` block is set to true
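The two preconditions above are the first thing to verify on a self-managed instance. As an added example (not code from this page or from Grafana), the following Python reads a grafana.ini fragment and reports whether both settings are on. The ini samples are constructed, and the environment-variable names are derived from Grafana's GF_<SECTION>_<KEY> override convention rather than taken from the advisory; whether the build is in an affected range still has to be checked against the version table.

```python
import configparser
from typing import Dict, Mapping, Optional

# Constructed grafana.ini fragments (not from the page or from Grafana's docs) showing
# the two accepted ways to turn on a feature toggle plus the [auth.scim] sync switch.
VULNERABLE_INI = """
[feature_toggles]
enable = publicDashboards, enableSCIM

[auth.scim]
user_sync_enabled = true
group_sync_enabled = false
"""

SAFE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = false
"""


def _truthy(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() in {"true", "1", "yes", "on"}


def _load(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep key case so 'enableSCIM' is not folded to lowercase
    cp.read_string(ini_text)
    return cp


def _setting(cp: configparser.ConfigParser, section: str, key: str,
             env: Mapping[str, str], env_name: str) -> Optional[str]:
    # An environment variable GF_<SECTION>_<KEY> overrides the ini file in Grafana;
    # the names passed in are assumed from that convention, not quoted from the advisory.
    if env_name in env:
        return env[env_name]
    return cp.get(section, key, fallback=None)


def assess_scim_config(ini_text: str,
                       env: Optional[Mapping[str, str]] = None) -> Dict[str, bool]:
    """Return which of the two preconditions hold and whether both do."""
    env = env or {}
    cp = _load(ini_text)

    # Feature toggles may be given as a comma-separated 'enable' list ...
    enable_list = _setting(cp, "feature_toggles", "enable", env,
                           "GF_FEATURE_TOGGLES_ENABLE") or ""
    flags = {f.strip() for f in enable_list.split(",") if f.strip()}
    scim_flag = "enableSCIM" in flags
    # ... or as an individual 'enableSCIM = true' key.
    if not scim_flag:
        scim_flag = _truthy(_setting(cp, "feature_toggles", "enableSCIM", env,
                                     "GF_FEATURE_TOGGLES_ENABLESCIM"))

    user_sync = _truthy(_setting(cp, "auth.scim", "user_sync_enabled", env,
                                 "GF_AUTH_SCIM_USER_SYNC_ENABLED"))

    return {"scim_flag": scim_flag, "user_sync": user_sync,
            "vulnerable": scim_flag and user_sync}


if __name__ == "__main__":
    print("vulnerable ini :", assess_scim_config(VULNERABLE_INI))
    print("safe ini       :", assess_scim_config(SAFE_INI))
    print("safe ini + env :", assess_scim_config(
        SAFE_INI, {"GF_AUTH_SCIM_USER_SYNC_ENABLED": "true"}))
```

Run it against the real grafana.ini together with the process environment of the Grafana service, since an environment override will not appear in the file; an instance where only one of the two settings is on is, per the advisory, not exposed.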

Affected (7 ranges)

Vendor | Product | Version range | Fixed in
github.com | grafana_grafana | >= 1.9.2-0.20250310110405-e6fdb746f235 < 1.9.2-0.20251106142618-ca5d89812015 | 1.9.2-0.20251106142618-ca5d89812015
github.com | grafana_grafana | >= 1.9.2-0.20250310110405-e6fdb746f235 | (none listed)
github.com | grafana_grafana | >= 12.0.0 < 12.0.7 | 12.0.7
github.com | grafana_grafana | >= 12.1.0 < 12.1.4 | 12.1.4
github.com | grafana_grafana | >= 12.2.0 < 12.2.2 | 12.2.2
grafana | grafana | >= 12.0.0 < 12.2.1 | 12.2.1
grafana | grafana_enterprise | >= 12.0.0 < 12.2.1 | 12.2.1

The 1.9.2-0.<timestamp>-<commit> entries are Go module pseudo-versions for the github.com/grafana/grafana module (base version, commit timestamp, commit hash), not Grafana release numbers. The github.com rows and the grafana vendor rows disagree on the first fixed patch release for each branch (12.0.7/12.1.4/12.2.2 versus 12.2.1), so confirm the fix version for your branch against the vendor advisory before closing a finding.

Detection & IOCs (extracted from sources)

URL: /api/scim/v2/Users
Content type: application/scim+json

Rule (Emerging Threats, Suricata syntax):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Grafana SCIM User Provisioning Privilege Escalation (CVE-2025-41115)"; flow:established,to_server; http.uri; content:"/api/scim/v2/Users"; fast_pattern; http.content_type; content:"application/scim+json"; http.request_body; content:"|22|externalId|22 3a|"; pcre:"/^\s*?\x22\d+\x22/R"; reference:url,github.com/B1ack4sh/Blackash-CVE-2025-41115; reference:cve,2025-41115; classtype:web-application-attack; sid:2065927; rev:1; metadata:affected_product Grafana, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_26, cve CVE_2025_41115, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Byte pattern: |22|externalId|22 3a| followed by pcre /^\s*?\x22\d+\x22/R (a numeric externalId in the request body)
  • Only self-managed Grafana Enterprise 12.x builds before the fixed releases in the Affected table, with BOTH the enableSCIM feature flag AND user_sync_enabled in [auth.scim] set to true, are exploitable; an instance with either setting off is not affected. Triage alerts by confirming the version and both settings before escalating.
  • Monitor SCIM provisioning traffic (POST/PUT to /api/scim/v2/Users) for externalId values that consist only of digits; a legitimate identity provider supplies an opaque, globally unique externalId, not an integer.
  • The rule's body match is exact: `"externalId":` with no whitespace before the colon, followed by a quoted run of digits. A body with different JSON whitespace, or a bare numeric literal if the server accepts one, will not trigger it, so pair the signature with checks on the parsed request (application logs or a JSON-aware proxy rule).
  • The Emerging Threats rule (sid:2065927) inspects decrypted HTTP. Grafana is normally served over TLS, so deploy the rule where traffic is decrypted (the SSLDecrypt/TLSDecrypt placement in its metadata); elsewhere it sees nothing.
  • Grafana OSS is not affected. Grafana Cloud, Amazon Managed Grafana, and Azure Managed Grafana have already been patched.
  • SCIM provisioning is in Public Preview with limited support, so adoption may not be widespread; scope detection efforts accordingly.
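To make the coverage gap concrete, here is an added Python example (not from this page, Grafana, or Emerging Threats) that runs both a JSON-aware check and a re-implementation of the rule's body pattern over constructed SCIM request records. The record layout and the sample bodies are assumptions; the path and content type come from the IOC list above.

```python
import json
import re
from typing import Any, Dict, List, Optional

SCIM_USERS_PATH = "/api/scim/v2/Users"
SCIM_CONTENT_TYPE = "application/scim+json"

# Constructed request records (not captured traffic), shaped like what a reverse proxy
# or Grafana request log would hand to a detection job. Index 0 is a benign
# provisioning call; 1-3 carry a numeric externalId in three different encodings.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"method": "POST", "uri": "/api/scim/v2/Users", "content_type": "application/scim+json",
     "body": '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],'
             '"userName":"alice","externalId":"8f2e1c4a-7b3d-4e5f-9a1b-2c3d4e5f6a7b"}'},
    {"method": "POST", "uri": "/api/scim/v2/Users", "content_type": "application/scim+json",
     "body": '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],'
             '"userName":"mallory","externalId":"1"}'},
    {"method": "PUT", "uri": "/api/scim/v2/Users/42", "content_type": "application/scim+json",
     "body": '{"userName":"mallory", "externalId" : "1"}'},
    {"method": "POST", "uri": "/api/scim/v2/Users", "content_type": "application/scim+json",
     "body": '{"userName":"mallory","externalId":1}'},
    {"method": "GET", "uri": "/api/scim/v2/Users?filter=userName+eq+%22alice%22",
     "content_type": "", "body": ""},
]

# Python equivalent of the rule's body match: content "externalId": followed by
# pcre /^\s*?\x22\d+\x22/R, i.e. optional whitespace then a quoted run of digits.
SNORT_BODY_PATTERN = re.compile(r'"externalId":\s*?"\d+"')
DIGITS_ONLY = re.compile(r"^\d+$")


def snort_rule_matches(req: Dict[str, str]) -> bool:
    """Approximate the ET rule: URI substring, content-type substring, body pattern."""
    return (SCIM_USERS_PATH in req["uri"]
            and SCIM_CONTENT_TYPE in req["content_type"]
            and SNORT_BODY_PATTERN.search(req["body"]) is not None)


def external_id_is_numeric(body: str) -> Optional[bool]:
    """True if the JSON body's externalId is an integer-looking value.

    Returns None when the body is not a JSON object, so callers can treat
    unparseable bodies separately from clean ones.
    """
    try:
        doc: Any = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    ext = doc.get("externalId")
    if isinstance(ext, bool):          # bool is a subclass of int in Python; exclude it
        return False
    if isinstance(ext, (int, float)):  # bare JSON number, which the PCRE cannot match
        return True
    if isinstance(ext, str):
        return DIGITS_ONLY.match(ext) is not None
    return False


def flag_requests(requests: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """One finding per POST/PUT to the SCIM Users endpoint with a numeric externalId."""
    findings = []
    for idx, req in enumerate(requests):
        if req["method"] not in ("POST", "PUT"):
            continue
        if not req["uri"].startswith(SCIM_USERS_PATH):
            continue
        if external_id_is_numeric(req["body"]):  # None (unparseable) is skipped here
            findings.append({"index": idx, "method": req["method"], "uri": req["uri"],
                             "snort_would_alert": snort_rule_matches(req)})
    return findings


if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_REQUESTS):
        print(finding)
```

The snort_would_alert field shows which of the three encodings the signature sees: only the compact `"externalId":"1"` form. The whitespace variant and the bare number are caught only by parsing the JSON, which is why an application-side check belongs next to the network rule.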

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor (Red Hat): 10.0 CRITICAL