More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows an attacker to execute a malicious plugin and take over accounts.
The flaw is tracked as CVE-2025-4123 and impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics.
The vulnerability was discovered by bug bounty hunter Alvaro Balada and was addressed in security updates that Grafana Labs released on May 21.
However, as of this writing, more than a third of all Grafana instances reachable over the public internet have not been patched, according to researchers at application security company OX Security, who refer to the bug as ‘The Grafana Ghost’.
The analysts told BleepingComputer that their work focused on demonstrating the ability to weaponize Balada's finding.
After identifying versions vulnerable to the attack, they assessed the exposure by correlating the data with the platform's distribution across the ecosystem.
They found 128,864 instances exposed online, 46,506 of which were still running vulnerable versions that can be exploited, roughly 36% of the total.
[Figure: Vulnerable Grafana endpoints. Source: BleepingComputer]
OX Security’s in-depth analysis of CVE-2025-4123 uncovered that, through a series of exploitation steps combining client-side path traversal with open redirect mechanics, attackers can lure victims into clicking URLs that lead to loading a malicious Grafana plugin from a site controlled by the threat actor.