Over 46,000 internet-facing Grafana instances remain vulnerable to CVE-2025-4123, a client-side open redirect flaw that can be chained into account takeover and execution of attacker-controlled JavaScript in a victim's browser (an XSS outcome, not code execution on the Grafana server). Despite security updates released by Grafana Labs in May 2025, many instances are unpatched, leaving a significant attack surface for malicious actors. #GrafanaGhost #CVE-2025-4123
Key points
- Over one-third of publicly accessible Grafana instances (roughly 46,500 of about 128,800 internet-exposed instances, around 36%) are still vulnerable to CVE-2025-4123.
- The flaw lets an attacker run JavaScript inside a logged-in user's browser session, change that user's email address and password (account takeover), and, when the Grafana Image Renderer plugin is installed, turn the open redirect into a full-read SSRF against the server.
- The exploit chains a client-side path traversal in the frontend's plugin-loading path with an open redirect, so the victim's browser fetches and executes an attacker-hosted plugin's JavaScript in place of a legitimate one.
- Exploitation does not require editor (or higher) permissions, and if anonymous access is enabled it does not require authentication at all. It does require the victim to open a crafted link, which is why Grafana Labs rated it CVSS 7.6 rather than critical; that still leaves a large population of instances open to phishing-driven attacks.
- Upgrade to a fixed release: 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01 or 12.0.0+security-01 (or anything newer). Minor lines absent from that list, such as 11.0 and 11.1, received no fix and must be moved to a supported line.
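The practical first step is an inventory: Grafana exposes its version unauthenticated at `GET /api/health` (a JSON body with a `version` field), so a fleet check reduces to comparing that string against the fixed releases. The script below is an added example, not code from Grafana Labs or from the Grafana Ghost research; it assumes the fixed-version list from the May 2025 advisory, the `X.Y.Z[+security-NN]` version format Grafana uses, and treats any minor line older than 12.0 that has no published fix (for example 11.0 and 11.1) as vulnerable. The `/api/health` bodies at the bottom are constructed samples, not captures from real hosts.

```python
"""Classify Grafana version strings against the CVE-2025-4123 fixed releases.

Added example (not Grafana's own code). Assumes the advisory's fixed-version
list and the shape of the unauthenticated GET /api/health response.
"""
import json
import re
from typing import Optional, Tuple

# Fixed releases keyed by minor line. All shipped with a "+security-01" build
# suffix, which is what separates e.g. a vulnerable 12.0.0 from 12.0.0+security-01.
FIXED_VERSIONS = {
    (10, 4): (10, 4, 18),
    (11, 2): (11, 2, 9),
    (11, 3): (11, 3, 6),
    (11, 4): (11, 4, 4),
    (11, 5): (11, 5, 4),
    (11, 6): (11, 6, 1),
    (12, 0): (12, 0, 0),
}
NEWEST_FIXED_LINE = max(FIXED_VERSIONS)

# MAJOR.MINOR.PATCH[-prerelease][+build], the semver-style form Grafana reports.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$"
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str], str]:
    """Split 'X.Y.Z[-pre][+build]' into ((X, Y, Z), pre_or_None, build_or_empty)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    core = (int(match.group(1)), int(match.group(2)), int(match.group(3)))
    return core, match.group(4), match.group(5) or ""


def is_vulnerable(version: str) -> bool:
    """True if this Grafana version predates the CVE-2025-4123 fix for its line."""
    core, prerelease, build = parse_version(version)
    line = core[:2]
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        # No fix published for this minor line. Assumption of this script:
        # lines older than the newest fixed line (11.0, 11.1, 9.x, ...) are
        # unfixed and vulnerable; lines newer than it (12.1+) were released
        # after the fix and already contain it.
        return line < NEWEST_FIXED_LINE
    if core < fixed:
        return True
    if core > fixed:
        return False
    # Same X.Y.Z as the fix: only the +security-NN build, and not a pre-release
    # of it, actually carries the patch.
    return prerelease is not None or not build.startswith("security-")


def classify_health_response(body: str) -> Tuple[str, bool]:
    """Parse a GET /api/health JSON body and return (version, vulnerable)."""
    version = json.loads(body)["version"]
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Constructed sample /api/health bodies (not captured from real hosts).
    SAMPLES = [
        '{"commit": "abc1234", "database": "ok", "version": "11.5.3"}',
        '{"commit": "abc1234", "database": "ok", "version": "11.5.4+security-01"}',
        '{"commit": "abc1234", "database": "ok", "version": "12.0.0"}',
        '{"commit": "abc1234", "database": "ok", "version": "12.0.0+security-01"}',
        '{"commit": "abc1234", "database": "ok", "version": "12.0.1"}',
        '{"commit": "abc1234", "database": "ok", "version": "11.1.5"}',
    ]
    for sample in SAMPLES:
        version, vulnerable = classify_health_response(sample)
        print(f"{version:<22} {'VULNERABLE' if vulnerable else 'fixed'}")
```

The two edge cases worth noticing are the ones that trip up naive string comparison: `12.0.0` is vulnerable while `12.0.0+security-01` is not, so build metadata cannot be discarded here as plain semver ordering would do, and a line with no entry in the fixed list is only safe if it is newer than the advisory, not older.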