Share
## https://sploitus.com/exploit?id=2C1CCA2E-E967-59E9-95D3-CDA5FB2FC922
# Grafana SCIMalform (CVE-2025-41115)





### Overview

This repo is my research on CVE-2025-41115 vulnerability in Grafana Enterprise SCIM component. It consist of a test stand with vulnerable app and exploit code.

### References

Just some usefull refs:
- [NIST](https://nvd.nist.gov/vuln/detail/CVE-2025-41115) - NIST index
- [Grafana Article](https://grafana.com/blog/2025/11/19/grafana-enterprise-security-update-critical-severity-security-fix-for-cve-2025-41115/) - Original blog post
- [Gitlab](https://advisories.gitlab.com/pkg/golang/github.com/grafana/grafana/CVE-2025-41115/) - GitLab advisory
- [Securityvulnerability.io](https://securityvulnerability.io/vulnerability/CVE-2025-41115) - Vuln page on `secirutvulnerability.io` 

## Root cause

SCIM provisioning works for Grafana Enterprise and Grafana Cloud only.

In Grafana versions 12.x+, where SCIM provisioning is configured, a security flaw in user identity management. This can potentially allow for the overriding of internal user IDs, leading to impersonation or privilege escalation.

The bug exists only if this configured:
- `enableSCIM` feature flag is set.
- `user_sync_enabled` is set.

Look at [this commit](https://github.com/grafana/grafana/commit/ca5d89812015ef2db3acc62826f73650450b331e) to see the fixes applied. It adds an extra checks preventing the id collisions.

If you want to dig deeper into the SCIM security flaws, I strongly recommend you [this article](https://blog.doyensec.com/2025/05/08/scim-hunting.html) from Doyensec. It describes the concept of SCIM and guides you thought typical security issues.

## Stand

The stand requires a valid Grafana Enterprise license key. Without it, the SCIM enabling config values will be ignored. Past you key to `./stand/license.jwt`.

After this, just run:
```bash
docker compose up -d
```
This will pull and spin up a vulnerable Grafana.

After grafana starts, run the `./stand/init.sh`. This will create a service account and get a token for it. It will print the token.

## Exploitation

Just past the token to `./exploit/resource/config.toml`. Change the config values if needed.

After just run the:
```bash
cd exploit
uv run src/main.py
```

Happy pwning!

## Creds

prod by _I3r1h0n_.