Security researchers have urged DevOps teams to patch a high-severity flaw in popular tool Grafana that could be putting them at risk of account takeover attacks.
Ox Security warned on Sunday that CVE-2025-4123 impacts 36% of public-facing Grafana instances – or over 46,000 worldwide – as well as countless Grafana servers not connected to the internet.
Open source analytics and visualization platform Grafana is used by DevOps engineers, sysadmins and developers to help them monitor system performance and infrastructure.
The vulnerability in question, dubbed “the Grafana Ghost,” was discovered and patched back in May.
According to a description in the National Vulnerability Database (NVD), it’s a cross-site scripting (XSS) bug caused by combining a client path traversal and open redirect.
“This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work,” it added.
“If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.”
Ox Security explained that the vulnerability consists of a chain of exploits that starts with a malicious link sent to the victim.
“When clicked, the link makes Grafana use an external malicious plugin hosted on the attacker’s server,” the security vendor continued.
“This malicious plugin is capable of running any code on behalf of the user. In our particular case, the code running leads to changing the victim’s Grafana username and login email to values controlled by the attacker or can redirect to internal services. Once the email is changed, the attacker can use it to reset the victim’s password and gain access to their Grafana account.”
By compromising a Grafana account, hackers could gain access to a victim organization’s sensitive operational data and business intelligence, the vendor warned. By locking out legitimate users, they could also cause major operational issues, if IT teams lose visibility into critical systems, it added.
“While talking about a high percentage of publicly available Grafana servers, the vulnerability also affects Grafana instances running locally by crafting a payload that takes advantage of the locally used domain name and port for the local service,” Ox Security said.