At a glance: Critical privilege-escalation flaw in Grafana Enterprise (CVE-2025-41115) affects versions 12.0.0–12.2.1 when SCIM is enabled. No public PoC reported. Update to patched versions or disable SCIM to reduce risk. Field Effect MDR users will be alerted via ARO if vulnerable systems are detected.
On November 19, 2025, Grafana Labs patched a critical vulnerability in Grafana Enterprise affecting versions 12.0.0 through 12.2.1. The flaw, tracked as CVE-2025-41115, carries a maximum Common Vulnerability Scoring System (CVSS) score of 10.0.
CVE-2025-41115 enables privilege escalation and user impersonation when System for Cross-domain Identity Management (SCIM) provisioning is enabled. SCIM, added to Grafana Enterprise in April 2025, is an open standard (RFC 7643 and RFC 7644) that automates how user identities are created, updated, and removed across systems; it is widely used to push identity lifecycle changes from an identity provider into applications such as Grafana.
The vulnerability is reachable only when both the `enableSCIM` feature flag and the SCIM `user_sync_enabled` option are set to true. Under those conditions, a malicious or compromised SCIM client (a compromised identity provider, or anyone holding the SCIM service account token) can provision a user whose `externalId` is a bare number. Grafana maps that numeric externalId directly onto the internal user ID with the same value, so the provisioned identity is attached to an existing account rather than a new one. An attacker who then authenticates as the provisioned identity acts as that internal user, including administrators, which is how the flaw yields both privilege escalation and impersonation.
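A detection-side illustration of the condition above, written for this note and not code from Grafana Labs or Field Effect: it scans constructed SCIM 2.0 User requests, in the shape a reverse proxy or API audit log would record for POST, PUT and PATCH against the SCIM Users endpoint, and flags any that set a purely numeric externalId. The sample requests are made up for the example, and the heuristic is ours, not Grafana's fix logic. A numeric externalId is a triage lead, not proof of compromise; some identity providers can legitimately be configured to emit numeric identifiers, so each hit should be checked against the expected IdP mapping and against whether the number matches an existing internal user ID.

```python
import re

# Constructed sample SCIM 2.0 User requests, in the shape a reverse proxy or API
# audit log would record for the SCIM Users endpoint. Illustrative only, not
# captured from a real Grafana deployment.
SAMPLE_REQUESTS = [
    {"method": "POST", "body": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "alice@example.com",
        "externalId": "b4f2c1e8-7a9d-4c3b-9e2f-1a2b3c4d5e6f",  # opaque IdP object ID
        "active": True}},
    {"method": "POST", "body": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "mallory@example.com",
        "externalId": "1",  # bare number: the pattern the advisory describes
        "active": True}},
    {"method": "PATCH", "body": {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "externalId", "value": "42"}]}},
    {"method": "PATCH", "body": {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        # RFC 7644 also allows a path-less replace whose value is a partial resource
        "Operations": [{"op": "replace", "value": {"externalId": "7", "active": False}}]}},
    {"method": "PUT", "body": {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": "bob@example.com",
        "externalId": "bob.smith",
        "active": True}},
]

NUMERIC = re.compile(r"^\d+$")


def external_ids_set_by(body):
    """Yield every externalId value a SCIM User create (POST), replace (PUT)
    or patch (PATCH) body would write, including values nested inside
    PatchOp operations."""
    if "externalId" in body:
        yield body["externalId"]
    for op in body.get("Operations", []):
        if op.get("op", "").lower() not in ("add", "replace"):
            continue  # "remove" cannot set a value
        path = op.get("path") or ""
        value = op.get("value")
        if path.lower() == "externalid":
            yield value
        elif not path and isinstance(value, dict) and "externalId" in value:
            yield value["externalId"]


def flag_numeric_external_ids(requests):
    """Return (index, method, externalId) for each request that sets a purely
    numeric externalId. Heuristic triage lead, not proof of exploitation."""
    findings = []
    for i, req in enumerate(requests):
        for ext in external_ids_set_by(req["body"]):
            if isinstance(ext, str) and NUMERIC.match(ext):
                findings.append((i, req["method"], ext))
    return findings


if __name__ == "__main__":
    for idx, method, ext in flag_numeric_external_ids(SAMPLE_REQUESTS):
        print(f"request {idx}: {method} sets numeric externalId {ext!r}")
```

Run against real traffic, the request list would come from whatever sits in front of Grafana (proxy access logs with bodies, or an API audit trail); the PatchOp handling matters because an attacker who already controls the SCIM client can also rewrite the externalId of a user that was provisioned cleanly.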
The fix ships in Grafana Enterprise 12.3 and in the security builds of the 12.2, 12.1 and 12.0 lines, tagged 12.2.1+security-01, 12.1.3+security-01 and 12.0.6+security-01. Because a plain 12.2.1 is inside the affected range, the build tag, not just the version number, tells you whether an instance is patched.
As of November 21, 2025, there is no indication of a public proof-of-concept exploit or evidence of exploitation.
Grafana Enterprise is widely deployed as a central observability hub, aggregating metrics, logs, and traces from cloud services, databases, and monitoring platforms. Successful exploitation could expose sensitive operational and business data contained in dashboards, including infrastructure performance, application telemetry, and analytics from integrated systems.
The impact of this vulnerability could be significant: it allows threat actors to impersonate existing users, escalate privileges to administrator level, or create entirely new identities with elevated permissions. The worst-case scenario is complete compromise of Grafana Enterprise environments where SCIM provisioning is enabled. The attacker does need to control the SCIM client side of the integration (a compromised identity provider or a leaked SCIM token), but once that foothold exists, exploitation is a matter of provisioning a user with a crafted externalId rather than any advanced technique. Enterprises and managed service providers that rely on Grafana Enterprise for monitoring and observability, particularly those integrating identity management systems via SCIM, are at heightened risk.
Mitigation is to upgrade Grafana Enterprise to a patched version. Where immediate patching is not possible, disable SCIM provisioning by turning off the `enableSCIM` feature flag or setting `user_sync_enabled` to false; either removes the precondition, at the cost of pausing automated identity lifecycle management until the upgrade is done. In parallel, review SCIM configurations and monitor provisioning activity for users created or updated with a numeric externalId, checking whether any such value matches an existing internal user ID.
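A triage script that encodes the two checks above, added here as an example and not code from Grafana Labs or Field Effect: is the running version inside the affected range without the +security-01 build tag, and does grafana.ini have both preconditions set. The ini fragments are constructed; the `[feature_toggles]` keys and the `[auth.scim]` section follow Grafana's documented configuration layout. The same settings can also arrive through environment variables under Grafana's `GF_<SECTION>_<KEY>` convention (for example `GF_AUTH_SCIM_USER_SYNC_ENABLED`), which this script does not read, so check the container or unit environment as well.

```python
import configparser
import re

# Constructed grafana.ini fragments, not taken from a real deployment. The first is
# the exposed configuration: the enableSCIM feature flag on and SCIM user sync on.
VULNERABLE_INI = """
[feature_toggles]
enableSCIM = true

[auth.scim]
user_sync_enabled = true
group_sync_enabled = true
"""

# The same fragment with SCIM provisioning switched off, the interim mitigation
# for installs that cannot upgrade yet. Either setting alone removes the
# precondition; both are cleared here.
MITIGATED_INI = """
[feature_toggles]
enableSCIM = false

[auth.scim]
user_sync_enabled = false
group_sync_enabled = true
"""

FIRST_AFFECTED = (12, 0, 0)
LAST_AFFECTED = (12, 2, 1)
# Grafana ships security fixes as builds tagged "+security-01" (for example
# 12.2.1+security-01), so the build tag decides whether a version inside the
# affected range is actually patched.
FIXED_BUILD_TAG = "security-01"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\+(.+))?$")


def version_is_vulnerable(version):
    """True if a Grafana Enterprise version string falls in 12.0.0..12.2.1
    and does not carry the security-01 build tag."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable Grafana version: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    build = m.group(4) or ""
    if not FIRST_AFFECTED <= base <= LAST_AFFECTED:
        return False
    return FIXED_BUILD_TAG not in build


def scim_user_sync_enabled(ini_text):
    """True if both preconditions are set: the enableSCIM feature flag (as its
    own key or inside the comma-separated 'enable' list) and
    [auth.scim] user_sync_enabled."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "enableSCIM" is matched as written
    cp.read_string(ini_text)
    flags = cp["feature_toggles"] if cp.has_section("feature_toggles") else {}
    enable_list = [f.strip() for f in flags.get("enable", "").split(",")]
    scim_flag = (flags.get("enableSCIM", "false").strip().lower() == "true"
                 or "enableSCIM" in enable_list)
    user_sync = (cp.has_section("auth.scim")
                 and cp["auth.scim"].getboolean("user_sync_enabled", fallback=False))
    return bool(scim_flag and user_sync)


def exposed(version, ini_text, enterprise=True):
    """Combined triage verdict: Enterprise build, affected version, SCIM sync on."""
    return bool(enterprise and version_is_vulnerable(version)
                and scim_user_sync_enabled(ini_text))


if __name__ == "__main__":
    for v in ("12.2.1", "12.2.1+security-01", "12.3.0", "11.6.4"):
        verdict = "vulnerable" if version_is_vulnerable(v) else "patched or outside range"
        print(f"{v}: {verdict}")
    print("exposed with vulnerable ini:", exposed("12.2.0", VULNERABLE_INI))
    print("exposed with mitigated ini:", exposed("12.2.0", MITIGATED_INI))
```

Feed it the version string Grafana reports (the `/api/health` response or the server startup log) and the effective grafana.ini; an OSS build is out of scope regardless of version, which is what the `enterprise` argument expresses.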
Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment.