
June has been a turbulent month for cyber defenders, marked by a surge of high-profile vulnerabilities shaking the security landscape. Following the exploitation of SimpleRMM flaws by the DragonForce ransomware group and the active use of the CVE-2025-33053 WebDAV zero-day by the Stealth Falcon APT, researchers have now identified yet another critical threat.
A newly patched zero-day vulnerability in Grafana, the widely used open-source analytics platform, is raising serious security concerns. This high-severity cross-site scripting (XSS) flaw (CVE-2025-4123) allows attackers to run malicious plugins and take over user accounts without needing elevated privileges. Despite the availability of a fix, over 46,500 instances are still running vulnerable versions, leaving them open to potential exploitation.
The critical flaw in Grafana is a stark reminder of the growing number of vulnerabilities affecting open-source software. According to the 2025 Open Source Security and Risk Analysis (OSSRA) report, 86% of applications analyzed contained vulnerable open-source components, with 81% harboring high- or critical-risk vulnerabilities. These numbers underscore the need to stay constantly on guard against novel vulnerabilities, which means security professionals need relevant detection content and advanced tools to detect threats in time.
Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.
Security engineers can also leverage Uncoder AI—a private, non-agentic AI purpose-built for threat-informed detection engineering. With Uncoder, defenders can automatically convert IOCs into actionable hunting queries, craft detection rules from raw threat reports, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.
CVE-2025-4123 Analysis
OX Security’s findings illustrate that 36% of public-facing Grafana instances are currently vulnerable to a client-side open redirect flaw that could lead to malicious plugin execution and account takeover, with many more systems likely affected within segmented networks or behind firewalls. Even internal Grafana deployments, not directly connected to the internet, remain at risk due to the possibility of blind attacks exploiting the same underlying vulnerability.
Tracked as CVE-2025-4123, this zero-day XSS vulnerability affects several versions of the popular open-source monitoring and visualization platform. The flaw, also dubbed “The Grafana Ghost,” was discovered in May and patched by Grafana Labs in the vendor’s security updates released on May 21.
While Grafana’s default Content Security Policy (CSP) offers some defense, it falls short because of the limitations of client-side enforcement. The vulnerability is exploited through a chain of steps that begins when a victim clicks a specially crafted malicious link. This weaponized URL prompts Grafana to load a rogue plugin from an adversary-controlled server. Once loaded, the plugin can execute arbitrary code in the context of the user, such as changing the victim’s Grafana username and login email to attacker-controlled values or redirecting them to internal services. With the email changed, the attacker can initiate a password reset and take full control of the victim’s account.
OX Security’s researchers used a live PoC exploit to demonstrate account takeover on local Grafana setups, proving the flaw is both exploitable and easily weaponized, and confirming that the threat extends to local instances as well. As shown in the PoC code, the vulnerability can be triggered entirely from the client side, bypassing browser URL normalization through Grafana’s own JavaScript routing.
Compromising a Grafana admin account gives attackers access to internal dashboards and operational data, including logs and business insights, and lets them lock out users, delete accounts, or hijack roles. In addition, successful CVE-2025-4123 exploitation could lead to monitoring failure, resulting in loss of visibility into key systems.
Although successful exploitation depends on specific conditions, like user interaction, an active session, and the plugin feature being enabled (which it is by default), the lack of authentication requirements and the high number of exposed instances significantly expand the threat surface.
As potential CVE-2025-4123 mitigation measures, Grafana administrators are strongly advised to update to one of the patched versions, including 10.4.18+security-01, 11.2.9+security-01 or later, or 12.0.0+security-01.
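Because the fixed builds carry a `+security-01` suffix, a plain string or semantic-version comparison can wrongly report a bare `10.4.18` or `12.0.0` as patched. The following added example (not part of the original post or of any SOC Prime or Grafana Labs tooling) parses Grafana version strings into comparable tuples and triages a constructed inventory against the three patched versions named above. It treats a missing `+security-NN` suffix as build 0, so `12.0.0` sorts below `12.0.0+security-01`; release branches not listed on this page are reported as `unknown` rather than guessed at, and the host names and versions in `SAMPLE_INVENTORY` are made up for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum patched builds as listed on this page for CVE-2025-4123.
# Key: (major, minor) release branch. Value: (major, minor, patch, security_build).
# A bare "X.Y.Z" is given security build 0, so 10.4.18 < 10.4.18+security-01.
PATCHED_BRANCHES: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (10, 4): (10, 4, 18, 1),
    (11, 2): (11, 2, 9, 1),
    (12, 0): (12, 0, 0, 1),
}
LATEST_FIX = max(PATCHED_BRANCHES.values())  # (12, 0, 0, 1)

# Accepts "11.2.9", "v11.2.9" or "11.2.9+security-01"; pre-release tags are rejected.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a Grafana version string into a comparable tuple, or None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))


def assess(version_text: str) -> str:
    """Classify one version as patched, vulnerable, unknown, or unparsable."""
    v = parse_version(version_text)
    if v is None:
        return "unparsable"
    if v >= LATEST_FIX:
        return "patched"  # anything at or after 12.0.0+security-01
    threshold = PATCHED_BRANCHES.get(v[:2])
    if threshold is None:
        # Branch not covered by the list on this page; check the vendor advisory.
        return "unknown"
    return "patched" if v >= threshold else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in an inventory to its CVE-2025-4123 status."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = {
    "grafana-prod-01": "11.2.8",
    "grafana-prod-02": "11.2.9+security-01",
    "grafana-dev": "10.4.18",
    "grafana-lab": "12.0.0+security-01",
    "grafana-legacy": "9.5.3",
    "grafana-ci": "12.0.0-pre",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:18} {SAMPLE_INVENTORY[host]:22} {status}")
```

In practice the version strings would come from an asset inventory or from each instance itself; the ordering logic is the part worth keeping, since the `+security-01` suffix is exactly what distinguishes a fixed build from the vulnerable release with the same base number.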
With 46,000+ exposed Grafana instances identified via Shodan, CVE-2025-4123 presents a significant threat to organizations running impacted versions, which demands swift and proactive defense strategies to reduce the risk of intrusions. SOC Prime Platform curates a complete product suite backed by AI, automation capabilities, real-time CTI, and built on zero-trust principles to empower organizations across the world to act faster than attackers.
The post CVE-2025-4123 Vulnerability: “The Grafana Ghost” Zero-Day Enables Malicious Account Hijacking appeared first on SOC Prime.