Full Report
June has been a turbulent month for cyber defenders, marked by a surge of high-profile vulnerabilities shaking the security landscape. Following the exploitation of SimpleRMM flaws by the DragonForce ransomware group and the active use of the CVE-2025-33053 WebDAV zero-day by the Stealth Falcon APT, researchers have now identified yet another critical threat. A newly […] The post CVE-2025-4123 Vulnerability: “The Grafana Ghost” Zero-Day Enables Malicious Account Hijacking appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Grafana Ghost Zero-Day Enables Malicious Account Hijacking
## CVE Details
- CVE ID: CVE-2025-4123
- CVSS Score: Information not explicitly provided, implied High due to account hijacking potential.
- CWE: Not explicitly provided.
## Affected Systems
- Products: Grafana
- Versions: Prior to 10.4.18+security-01, 11.2.9+security-01, or 12.0.0+security-01.
- Configurations: Exploitation potentially leverages active user sessions and requires a specific plugin feature to be enabled (which is the default).
## Vulnerability Description
This vulnerability, dubbed "The Grafana Ghost," is a zero-day that allows for malicious account hijacking. It is reported to bypass browser normalization through JavaScript routing native to Grafana. A successful exploit can grant an attacker access to internal dashboards and operational data (including logs and business insights), and allows them to lock out users, delete accounts, or hijack assigned roles.
## Exploitation
- Status: Zero-day (the label implies an active threat, but the source does not detail in-the-wild exploitation beyond the discovery).
- Complexity: Requires user interaction, an active session, and the relevant plugin feature enabled.
- Attack Vector: Client-side via browser routing manipulation.
## Impact
- Confidentiality: High (Access to dashboards, logs, and business insights).
- Integrity: High (Ability to delete accounts, hijack roles).
- Availability: Potential loss of visibility into key systems due to monitoring failure.
## Remediation
### Patches
Administrators are strongly advised to update to patched versions:
* 10.4.18+security-01 or later
* 11.2.9+security-01 or later
* 12.0.0+security-01 or later
(Reference commit: `github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc`)
### Workarounds
No specific official workarounds are detailed in the provided text, other than updating to the patched versions.
## Detection
- Indicators of compromise (IoCs) are not explicitly listed.
- Detection methods should focus on monitoring for unauthorized session activity, changes to user roles and accounts, and unusual network activity directed at Grafana endpoints, with particular attention to the JavaScript routing mechanisms.
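One way to operationalize the "changes to user roles/accounts" item above, as an added example that is not part of the SOC Prime post or Grafana's own tooling: it parses Grafana's logfmt-style `msg="Request Completed"` server-log lines and reports successful calls to the account- and role-mutating HTTP API routes (user delete, org role change, password reset, user disable). The log lines are constructed for the example; field names follow Grafana's request logging, but the users, timestamps and addresses are made up.

```python
import re
import shlex

# Constructed sample lines in the logfmt style of Grafana's "Request Completed"
# server-log entries (field names as Grafana emits them; values are made up).
SAMPLE_LOG = """\
logger=context userId=1 orgId=1 uname=admin t=2025-06-12T10:15:01Z level=info msg="Request Completed" method=GET path=/api/dashboards/uid/abc status=200 remote_addr=10.0.0.5
logger=context userId=1 orgId=1 uname=admin t=2025-06-12T10:15:02Z level=info msg="Request Completed" method=PATCH path=/api/org/users/7 status=200 remote_addr=10.0.0.5
logger=context userId=1 orgId=1 uname=admin t=2025-06-12T10:15:03Z level=info msg="Request Completed" method=DELETE path=/api/admin/users/7 status=200 remote_addr=10.0.0.5
logger=context userId=1 orgId=1 uname=admin t=2025-06-12T10:15:04Z level=info msg="Request Completed" method=PUT path=/api/admin/users/3/password status=403 remote_addr=10.0.0.5
logger=context userId=4 orgId=1 uname=bob t=2025-06-12T10:16:00Z level=info msg="Request Completed" method=GET path=/api/org/users status=200 remote_addr=10.0.0.9
"""

# Account/role-mutating Grafana HTTP API routes (method, path pattern) worth alerting on.
SENSITIVE_ROUTES = [
    ("DELETE", re.compile(r"^/api/admin/users/\d+$")),          # delete user
    ("PATCH",  re.compile(r"^/api/org/users/\d+$")),            # change org role
    ("PUT",    re.compile(r"^/api/admin/users/\d+/password$")), # reset password
    ("POST",   re.compile(r"^/api/admin/users/\d+/disable$")),  # disable user
]

def parse_logfmt(line: str) -> dict:
    """Split a logfmt line into key/value pairs, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields

def find_account_mutations(log_text: str) -> list:
    """Return completed (2xx) account/role mutations, each tagged with the acting user."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_logfmt(line)
        if rec.get("msg") != "Request Completed":
            continue
        if not rec.get("status", "").startswith("2"):
            continue  # denied attempts are worth counting separately; report only successes here
        for method, pattern in SENSITIVE_ROUTES:
            if rec.get("method") == method and pattern.match(rec.get("path", "")):
                hits.append({"t": rec.get("t", "?"), "actor": rec.get("uname", "?"),
                             "method": method, "path": rec["path"], "ip": rec.get("remote_addr", "?")})
    return hits

if __name__ == "__main__":
    for hit in find_account_mutations(SAMPLE_LOG):
        print(f"{hit['t']} {hit['actor']}@{hit['ip']} {hit['method']} {hit['path']}")
```

A burst of such hits from one session or source address, or hits from an account that does not normally administer users, is the signal to correlate with the session and role-change monitoring described above.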
## References
- Vendor advisories: Implicitly referenced via the commit link provided for patching.
- Relevant links:
* Patch Commit: `github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc`
* Original Article Source: `socprime.com/blog/cve-2025-4123-vulnerability-in-grafana/` (Full paths defanged)