Over 46,000 Grafana instances exposed to account takeover bug
More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows executing a malicious plugin and account takeover.

The flaw is tracked as CVE-2025-4123 and impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics.

The vulnerability was discovered by bug bounty hunter Alvaro Balada and was addressed in security updates that Grafana Labs released on May 21.

However, as of writing this, more than a third of all Grafana instances reachable over the public internet have not been patched, according to researchers at application security company OX Security, who refer to the bug as ‘The Grafana Ghost’.

The analysts told BleepingComputer that their work focused on demonstrating the ability to weaponize Balada's finding.

After identifying versions vulnerable to the attack, they assessed the exposure by correlating the data with the platform's distribution across the ecosystem.

They found 128,864 instances exposed online, with 46,506 (about 36%) still running vulnerable versions that can be exploited.

[Figure: Vulnerable Grafana endpoints as of June 13. Source: BleepingComputer]

OX Security’s in-depth analysis of CVE-2025-4123 uncovered that, through a series of exploitation steps combining client-side path traversal with open redirect mechanics, attackers can lure victims into clicking URLs that lead to loading a malicious Grafana plugin from a site controlled by the threat actor.

The malicious links could be used to execute arbitrary JavaScript in the user’s browser, the researchers say.

[Figure: The exploitation process. Source: OX Security]

The exploit does not require elevated privileges and can function even if anonymous access is enabled.

The flaw permits attackers to hijack user sessions, change account credentials, and, in cases where the Grafana Image Renderer plugin is installed, perform server-side request forgery (SSRF) to read internal resources.

While the default Content Security Policy (CSP) in Grafana provides some protection, it does not prevent exploitation due to limitations in client-side enforcement.

OX Security’s exploit demonstrates that CVE-2025-4123 can be exploited client-side and could be leveraged to bypass modern browser normalization mechanisms through JavaScript routing logic native to Grafana.

This allows attackers to exploit URL handling inconsistencies to serve malicious plugins, which in turn modify user email addresses, making account hijacking via password resets trivial.

Although CVE-2025-4123 has several exploitation requirements, such as user interaction, an active user session when the victim clicks the link, and the plugin feature being enabled (it is enabled by default), the large number of exposed instances and the absence of an authentication requirement create a significant attack surface.

To mitigate the risk of exploitation, it is recommended that Grafana administrators upgrade to versions 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01, and 12.0.0+security-01.
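To triage an inventory of your own Grafana instances against the fixed versions listed above, here is an added Python example (not from the article, OX Security or Grafana Labs). The hostnames and versions in SAMPLE_INVENTORY are constructed, and the handling of Grafana's '+security-NN' build tag is this example's own: plain semver comparison ignores build metadata and would wrongly treat '11.6.1' as equal to the fixed '11.6.1+security-01'.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions named in the Grafana Labs advisory for CVE-2025-4123 (as listed on the page).
FIXED_VERSIONS = [
    "10.4.18+security-01", "11.2.9+security-01", "11.3.6+security-01",
    "11.4.4+security-01", "11.5.4+security-01", "11.6.1+security-01",
    "12.0.0+security-01",
]

# X.Y.Z, optional semver pre-release, optional '+security-NN' build tag.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+security-(\d+))?$")

def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a Grafana version into (major, minor, patch, security) for ordering.
    Semver ignores build metadata, which would rank plain '11.6.1' equal to the fixed
    '11.6.1+security-01'; keeping the security number as a fourth component fixes that.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec) if sec else 0)

# First fixed version per release branch (major.minor).
_FIX_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}

def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable', 'branch-not-listed' or 'unparseable'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    fixed = _FIX_BY_BRANCH.get(parsed[:2])
    if fixed is None:
        # Branch not in the advisory list (e.g. 9.x or a later 12.x line): flag for manual review.
        return "branch-not-listed"
    return "patched" if parsed >= fixed else "vulnerable"

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname in an inventory to its patch status."""
    return {host: patch_status(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "grafana-prod-01": "11.6.1",                # same X.Y.Z as the fix but no security tag
    "grafana-prod-02": "11.6.1+security-01",
    "grafana-dev": "10.4.17",
    "grafana-legacy": "9.5.21",
}
```

Versions on a branch the advisory does not list are deliberately reported as 'branch-not-listed' rather than guessed, since the page only states fixed versions for the branches above.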
