CVE-2025-41115: Vulnerability in Grafana Enterprise
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow overriding internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met:
- `enableSCIM` feature flag set to true
- `user_sync_enabled` config option in the `[auth.scim]` block set to true
AI Analysis
Technical Summary
CVE-2025-41115 is a critical security vulnerability discovered in Grafana Enterprise version 12.0.0, specifically affecting the SCIM (System for Cross-domain Identity Management) provisioning feature introduced to automate user lifecycle management. The vulnerability arises from improper handling of user identity when provisioning users via SCIM. If the `enableSCIM` feature flag is set to true and the `user_sync_enabled` configuration option under the `[auth.scim]` block is also enabled, a malicious or compromised SCIM client can supply a numeric `externalId` for a user. This numeric `externalId` can override internal user IDs within Grafana, which are the values Grafana uses to uniquely identify users. By exploiting this flaw, an attacker can impersonate other users or escalate privileges within the Grafana environment, potentially gaining unauthorized administrative access or access to sensitive dashboards and data. The vulnerability does not require prior authentication or user interaction, making it remotely exploitable over the network. The CVSS v3.1 base score is 10.0, reflecting the highest severity with network attack vector, low attack complexity, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. The underlying weakness corresponds to CWE-266 (Incorrect Privilege Assignment). Although no public exploits have been reported yet, the critical nature of the flaw demands immediate attention. This vulnerability affects only Grafana Enterprise version 12.0.0 with SCIM provisioning enabled and configured as described. No patches or mitigations were listed at the time of publication, emphasizing the need for vendor updates and configuration audits.
Potential Impact
The impact of CVE-2025-41115 is severe for organizations using Grafana Enterprise with SCIM provisioning enabled. Exploitation allows attackers to impersonate legitimate users or escalate privileges, potentially gaining administrative control over Grafana instances. This can lead to unauthorized access to sensitive monitoring dashboards, metrics, and operational data, compromising confidentiality. Integrity is at risk as attackers could modify dashboards, data sources, or alerting rules, potentially disrupting monitoring and incident response. Availability could also be affected if attackers disable or alter critical monitoring functions. Since Grafana is widely used for infrastructure and application monitoring, a successful attack could blind security teams to ongoing incidents or cause operational disruptions. The vulnerability’s remote exploitability without authentication or user interaction increases the risk of widespread attacks. Organizations relying on Grafana for critical observability and security monitoring face heightened risk of data breaches, operational downtime, and compliance violations.
Mitigation Recommendations
To mitigate CVE-2025-41115, organizations should immediately audit their Grafana Enterprise deployments to determine whether SCIM provisioning is enabled and configured with `enableSCIM` set to true and `user_sync_enabled` enabled under `[auth.scim]`. If SCIM provisioning is not essential, consider disabling it until a vendor patch is available. If SCIM provisioning is required, restrict SCIM client access to trusted sources only and implement network-level controls such as IP allowlisting and mutual TLS authentication to prevent unauthorized SCIM client connections. Monitor Grafana logs for unusual SCIM provisioning activity, especially attempts to provision users with numeric `externalId` values. Apply the vendor-provided patch or update to a fixed Grafana version as soon as it is released. Additionally, implement strong role-based access controls within Grafana to limit the impact of potential privilege escalations. Regularly review user accounts and permissions for anomalies. Employ defense-in-depth by integrating Grafana with centralized identity providers that enforce multi-factor authentication and anomaly detection. Finally, maintain up-to-date backups of Grafana configurations and dashboards to enable rapid recovery if compromise occurs.
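The two audit steps above (checking whether both advisory preconditions are set in `grafana.ini`, and flagging SCIM user payloads whose `externalId` is purely numeric) can be scripted. The following is an added example, not Grafana code and not part of the advisory. It assumes Grafana reads feature flags from a `[feature_toggles]` section, either as an individual `enableSCIM = true` key or as a comma-separated `enable = ...` list; the `[auth.scim]` block and its `user_sync_enabled` key are taken from the advisory. The INI excerpts and SCIM request bodies are constructed sample data.

```python
"""Configuration audit and SCIM payload check for the CVE-2025-41115 preconditions.
Added example; not Grafana code. Assumptions are marked in comments."""
import configparser
import json
import re

# Assumption: Grafana reads feature flags from a [feature_toggles] section, either as
# an individual `enableSCIM = true` key or as a comma-separated `enable = ...` list.
# The [auth.scim] block and its user_sync_enabled key are the two conditions named
# in the advisory.
FEATURE_SECTION = "feature_toggles"
SCIM_FLAG = "enableSCIM"
SCIM_SECTION = "auth.scim"
SYNC_KEY = "user_sync_enabled"

# Constructed grafana.ini excerpts used for demonstration.
VULNERABLE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
"""

SAFE_INI = """
[feature_toggles]
enable = publicDashboards

[auth.scim]
; sync is on, but the feature flag is off, so the advisory's conditions are not both met
user_sync_enabled = true
"""


def _truthy(value):
    return str(value).strip().lower() in {"true", "1", "yes", "on"}


def scim_exposure(ini_text):
    """Return which of the two advisory preconditions an INI text satisfies."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep key case so enableSCIM is matched as written
    cfg.read_string(ini_text)

    flag_on = False
    if cfg.has_section(FEATURE_SECTION):
        toggles = cfg[FEATURE_SECTION]
        if _truthy(toggles.get(SCIM_FLAG, "false")):
            flag_on = True
        enabled = [t.strip() for t in toggles.get("enable", "").split(",")]
        if SCIM_FLAG in enabled:
            flag_on = True

    sync_on = cfg.has_section(SCIM_SECTION) and _truthy(cfg[SCIM_SECTION].get(SYNC_KEY, "false"))
    return {"enableSCIM": flag_on, "user_sync_enabled": sync_on, "vulnerable": flag_on and sync_on}


# Constructed SCIM /Users request bodies (RFC 7643 User resources); one carries a numeric externalId.
SAMPLE_SCIM_USERS_JSON = json.dumps([
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "userName": "alice@example.com",
     "externalId": "b7e2c1a0-3f4d-4a8e-9c1b-1234567890ab"},
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "userName": "mallory@example.com",
     "externalId": "1"},
    {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
     "userName": "bob@example.com"},
])

NUMERIC_ID = re.compile(r"[0-9]+")


def flag_numeric_external_ids(users):
    """userNames whose externalId is purely numeric, the shape the advisory says could
    collide with an internal Grafana user ID; reject or alert on these at the SCIM endpoint."""
    return [u.get("userName") for u in users
            if NUMERIC_ID.fullmatch(str(u.get("externalId", ""))) is not None]


def audit_sample_users():
    """Run the externalId check over the constructed sample payloads."""
    return flag_numeric_external_ids(json.loads(SAMPLE_SCIM_USERS_JSON))


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_INI), ("safe", SAFE_INI)):
        print(name, scim_exposure(text))
    print("numeric externalId:", audit_sample_users())
```

`scim_exposure` reports both conditions separately so an operator can see which one to turn off when SCIM is not needed; `flag_numeric_external_ids` is the check to run on SCIM request bodies in a reverse proxy or log pipeline in front of the Grafana SCIM endpoint, where a purely numeric `externalId` is the signal the advisory tells defenders to watch for.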
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GRAFANA
- Date Reserved: 2025-04-16T09:19:26.442Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6920778b69daa88a9a1ad75d
Added to database: 11/21/2025, 2:30:35 PM
Last enriched: 2/27/2026, 6:41:20 AM
Last updated: 3/26/2026, 7:14:03 AM