A critical vulnerability affects over 46,000 publicly accessible Grafana instances worldwide, leaving 36% of all public-facing deployments exposed to full account takeover.
The newly disclosed flaw, tracked as CVE-2025-4123 and dubbed “The Grafana Ghost,” poses a serious threat to organizations that rely on the popular open-source analytics and visualization platform to monitor critical infrastructure.
Grafana Account Takeover (CVE-2025-4123)
CVE-2025-4123 is exploited through a chain that begins with a seemingly harmless link sent to a victim.
When clicked, the crafted URL makes the victim's Grafana frontend load a malicious plugin hosted on the attacker's server, giving the attacker arbitrary JavaScript execution inside the victim's browser session.
The attack targets Grafana's plugin loading mechanism through the /a/plugin-app/discover endpoint, where attackers can inject malicious JavaScript modules.
The chain starts from a flaw in Grafana's static file handling, specifically in the pkg/api/static/static.go source file.
OX Security researchers reported that the ctx.Req.URL.Path value can be manipulated to achieve an open redirect, sending users to external malicious sites from what looks like a legitimate Grafana URL.
Once the malicious plugin executes, it can change the victim's account email address using only the session cookie (grafana_session), after which the attacker can trigger a password reset to the new address and complete the account takeover.
Technical analysis shows that the flaw abuses weaknesses in path normalization through a carefully crafted payload.
The payload relies on Go's path.Clean function: /public/../ resolves to the root directory, and further traversal sequences steer the cleaned path toward an attacker-controlled domain.
The payload is built so that the cleaned path becomes a protocol-relative URL (//attacker.com, or /\attacker.com, which browsers treat the same way because they normalize backslashes to slashes); such a URL inherits the current page's scheme, so the browser follows the redirect to the attacker's host.
Modern browsers normally collapse such traversal sequences before the request is sent, but Grafana's client-side JavaScript routing offers an alternative route to the bug.
Percent-encoded traversal sequences such as /public/..%2f..%2f..%2f..%2fsomething are not path separators to the browser, so they survive its normalization and reach the server, which decodes them; an attacker can therefore trigger the vulnerability from JavaScript.
The technique shows how several layers of protection can be bypassed when each one normalizes the path differently.
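To make the two normalization steps concrete, here is an added Go example; it is not code from this article, from OX Security, or from Grafana itself. It contains a toy static handler that redirects to path.Clean of the decoded request path, a browser-style resolver showing that ..%2f survives client-side normalization while the server decodes it, and a hardened handler that refuses any target a browser would read as protocol-relative. The handler shape, the hostnames and the probe paths are assumptions of this example: the page does not reproduce the real payload or Grafana's handler code. The backslash probe is included because path.Clean collapses a doubled forward slash, so /\ is the form of protocol-relative target that survives cleaning.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// browserResolve mimics what a browser does with a link before sending the
// request: ".." segments are removed per RFC 3986, but a percent-encoded slash
// (%2f) is not a segment separator, so "..%2f" survives untouched. Go's
// url.ResolveReference applies the same rules and stands in for the browser.
// It returns the path as sent on the wire and as the server sees it after
// percent-decoding.
func browserResolve(base, ref string) (onWire, serverSees string, err error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", "", err
	}
	r, err := url.Parse(ref)
	if err != nil {
		return "", "", err
	}
	resolved := b.ResolveReference(r)
	return resolved.EscapedPath(), resolved.Path, nil
}

// vulnerableStaticHandler models the pattern the article describes: the decoded
// request path goes through path.Clean and comes back as a Location header
// (here, a trailing-slash redirect for a directory). This is a simplified
// model, not Grafana's own static.go code.
func vulnerableStaticHandler(w http.ResponseWriter, r *http.Request) {
	if strings.HasSuffix(r.URL.Path, "/") {
		fmt.Fprintln(w, "directory listing")
		return
	}
	http.Redirect(w, r, path.Clean(r.URL.Path)+"/", http.StatusFound)
}

// isSafeLocalRedirect accepts only same-origin, path-only targets. The string
// checks matter: url.Parse does not treat a backslash as a separator, so
// "/\attacker.com" parses with an empty Host even though a browser reads it
// as "//attacker.com".
func isSafeLocalRedirect(target string) bool {
	if !strings.HasPrefix(target, "/") {
		return false
	}
	if strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\") {
		return false
	}
	if strings.Contains(target, "\\") {
		return false
	}
	u, err := url.Parse(target)
	return err == nil && u.Scheme == "" && u.Host == "" && u.User == nil
}

// hardenedStaticHandler issues the same redirect but refuses any target that
// could leave the origin.
func hardenedStaticHandler(w http.ResponseWriter, r *http.Request) {
	if strings.HasSuffix(r.URL.Path, "/") {
		fmt.Fprintln(w, "directory listing")
		return
	}
	target := path.Clean(r.URL.Path) + "/"
	if !isSafeLocalRedirect(target) {
		http.Error(w, "invalid path", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// locationFor sends a request with the given (still percent-encoded) path to a
// handler and returns the status code and Location header it produced.
func locationFor(h http.HandlerFunc, target string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Location")
}

func main() {
	// Probe paths are constructed for this example; attacker.com is a placeholder.
	for _, probe := range []string{
		"/public/..%2f%5cattacker.com", // "\" survives path.Clean: leaves the origin
		"/public/..%2f%2fattacker.com", // "//" is collapsed by path.Clean: stays local
		"/public/build",                // ordinary directory request
	} {
		vs, vl := locationFor(vulnerableStaticHandler, probe)
		hs, hl := locationFor(hardenedStaticHandler, probe)
		fmt.Printf("%-30s vulnerable: %d %-20q hardened: %d %q\n", probe, vs, vl, hs, hl)
	}
	wire, decoded, _ := browserResolve("https://grafana.example/", "/public/..%2f..%2fa/plugin-app/discover")
	fmt.Printf("browser sends %s, server decodes it to %s\n", wire, decoded)
}
```

Run it and compare the two Location headers for the first probe: the vulnerable handler answers 302 with /\attacker.com/, which a browser follows to https://attacker.com/, while the hardened handler returns 400. The second probe shows why the doubled slash is the wrong thing to test for: path.Clean turns it back into a local path.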
The attack is not limited to public-facing instances; internal Grafana deployments are equally exposed.
Because the exploit runs in the victim's browser rather than from the attacker's network, attackers can craft payloads that target locally used hostnames and ports, making even air-gapped or network-segmented Grafana installations susceptible to blind attacks, provided a user's browser can reach both the instance and the attacker's server.
Immediate Patching Required
Organizations should upgrade to a patched Grafana version immediately to mitigate this critical vulnerability.
The fixed releases are 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01, and 12.0.0+security-01; the +security-01 build metadata is part of the version, and the same number without it is the earlier, unpatched build.
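As an added example, not taken from this article or from the Grafana project, the following Go program decides whether a reported version carries the fix using only the list above. It reads the version from a constructed GET /api/health body (Grafana's unauthenticated health endpoint reports the running version) and treats the +security-01 build metadata as significant, which a plain semver comparison would ignore. Treating release lines newer than 12.0 as fixed is this example's own assumption; the article lists nothing beyond 12.0.0+security-01.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// fixedVersions are the patched releases listed in the article. The
// "+security-01" build metadata is significant: 11.6.1 without it is the
// earlier build without the fix, even though semver precedence ignores metadata.
var fixedVersions = []string{
	"10.4.18+security-01", "11.2.9+security-01", "11.3.6+security-01",
	"11.4.4+security-01", "11.5.4+security-01", "11.6.1+security-01",
	"12.0.0+security-01",
}

type version struct {
	major, minor, patch int
	build               string // text after '+', e.g. "security-01"
}

func (v version) line() [2]int { return [2]int{v.major, v.minor} }

func lineNewer(a, b [2]int) bool { return a[0] > b[0] || (a[0] == b[0] && a[1] > b[1]) }

// parseVersion reads "x.y.z" or "x.y.z+build"; anything else is rejected.
func parseVersion(s string) (version, error) {
	core, build, _ := strings.Cut(strings.TrimPrefix(strings.TrimSpace(s), "v"), "+")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("unrecognised version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil || x < 0 {
			return version{}, fmt.Errorf("unrecognised version %q", s)
		}
		n[i] = x
	}
	return version{n[0], n[1], n[2], build}, nil
}

// isPatched reports whether a running version carries the CVE-2025-4123 fix,
// with a reason. A release line newer than the newest fixed line is assumed to
// include the fix (an assumption of this example, not a statement from the article).
func isPatched(running string) (bool, string, error) {
	v, err := parseVersion(running)
	if err != nil {
		return false, "", err
	}
	var newest [2]int
	fixed := make([]version, 0, len(fixedVersions))
	for _, s := range fixedVersions {
		f, err := parseVersion(s)
		if err != nil {
			return false, "", fmt.Errorf("bad fixedVersions entry: %w", err)
		}
		fixed = append(fixed, f)
		if lineNewer(f.line(), newest) {
			newest = f.line()
		}
	}
	for i, f := range fixed {
		if f.line() != v.line() {
			continue
		}
		switch {
		case v.patch > f.patch:
			return true, "later than fixed release " + fixedVersions[i], nil
		case v.patch == f.patch && v.build != "" && v.build >= f.build:
			return true, "security build " + fixedVersions[i], nil
		case v.patch == f.patch:
			return false, "missing +" + f.build + " build metadata; upgrade to " + fixedVersions[i], nil
		default:
			return false, "older than fixed release " + fixedVersions[i], nil
		}
	}
	if lineNewer(v.line(), newest) {
		return true, "release line newer than any fixed line (assumed fixed)", nil
	}
	return false, "no fixed release listed for this line; move to a fixed line", nil
}

// healthVersion extracts the version string from a GET /api/health body.
func healthVersion(body []byte) (string, error) {
	var h struct {
		Version string `json:"version"`
	}
	if err := json.Unmarshal(body, &h); err != nil {
		return "", err
	}
	if h.Version == "" {
		return "", errors.New("health response has no version field")
	}
	return h.Version, nil
}

func main() {
	// Constructed sample of an /api/health body; not captured from a real host.
	sample := []byte(`{"commit":"0123abc","database":"ok","version":"11.6.1"}`)
	v, err := healthVersion(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, candidate := range []string{v, "11.6.1+security-01", "11.6.2", "11.0.3", "12.1.0"} {
		ok, why, err := isPatched(candidate)
		if err != nil {
			fmt.Println(candidate, "error:", err)
			continue
		}
		fmt.Printf("%-20s patched=%-5t %s\n", candidate, ok, why)
	}
}
```

Point it at the JSON from each instance's /api/health and act on the reason string: "missing +security-01" is the case most off-the-shelf version checks get wrong, and "no fixed release listed for this line" means the instance is on a branch (for example 11.0 or 11.1) that the advisory does not cover at all.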
The vulnerability affects a substantial share of the estimated 128,000 Grafana instances identified through Shodan searches.
A compromised Grafana administrator account gives an attacker full access to internal metrics, dashboards, sensitive operational data, and business intelligence systems.
Attackers can also lock out legitimate users, delete accounts, and cause significant operational disruption by removing access to critical monitoring infrastructure.
Given Grafana's widespread adoption in DevOps environments, the vulnerability poses a substantial risk to organizational security and operational continuity, and prompt remediation is essential for every affected deployment.