CVE-2025-41115 — AI Deep Analysis Summary

🚨 **Essence**: Critical SCIM Privilege Escalation in Grafana Enterprise. <br>💥 **Consequences**: Attackers can impersonate users or escalate privileges to Admin level. CVSS Score: **10.0** (Critical).

🛡️ **Root Cause**: Improper handling of user identity in **SCIM configuration**.…

🏢 **Affected**: **Grafana Enterprise** versions **12.x**. <br>⚙️ **Component**: Specifically the **SCIM user-provisioning** feature when enabled.

👑 **Hacker Actions**: <br>1. **Identity Impersonation**: Act as any user. <br>2. **Privilege Escalation**: Gain Admin rights. <br>3. **Full Control**: Read/Modify/Delete all dashboards & data (C:H, I:H, A:H).

⚡ **Threshold**: **LOW**. <br>🔓 **Auth**: No authentication required (`PR:N`). <br>🌐 **Network**: Remote (`AV:N`). <br>🔧 **Config**: Requires `user_sync_enabled = true` in SCIM settings.

💣 **Public Exp**: **YES**. Multiple PoCs available on GitHub (e.g., `Blackash-CVE-2025-41115`). <br>🔥 **Wild Exploitation**: High risk due to simplicity of sending a numeric `externalId`.

🔍 **Self-Check**: <br>1. Check if running **Grafana Enterprise 12.x**. <br>2. Verify if **SCIM** is enabled. <br>3. Check config for `user_sync_enabled = true`. <br>4. Scan for SCIM endpoints accepting numeric IDs.

🩹 **Official Fix**: **YES**. Vendor advisory published on **2025-11-21**. <br>📥 **Action**: Update to the patched version immediately via Grafana Security Advisories.

🚧 **No Patch Workaround**: <br>1. **Disable SCIM** if not strictly needed. <br>2. Set `user_sync_enabled = false`. <br>3. Restrict SCIM client access via **Firewall/WAF** to trusted IPs only.

🔴 **Urgency**: **CRITICAL / IMMEDIATE**. <br>📢 **Priority**: Patch immediately. CVSS 10.0 + Public Exploits = High likelihood of active attacks. Do not wait.