Today’s Topics:
- Over 46,000 Vulnerable Grafana Instances Still Awaiting Critical Patch
- Anubis Ransomware Adds Destructive Wiper to Files, Making Recovery Impossible
- How Can Netizen Help?
Over 46,000 Vulnerable Grafana Instances Still Awaiting Critical Patch

A critical security vulnerability has been identified in Grafana, a widely used open-source platform for monitoring and visualizing infrastructure and application metrics. The flaw, tracked as CVE-2025-4123, poses a significant risk to over 46,000 Grafana instances that remain exposed to account takeover attacks. Despite a security patch being released in May 2025, a substantial number of vulnerable instances have not yet been updated, leaving these systems at risk of malicious exploitation.
The vulnerability stems from a client-side open redirect issue within Grafana, which allows attackers to execute malicious plugins via manipulated URLs. Discovered by security researcher Alvaro Balada, the flaw enables attackers to leverage path traversal and open redirect techniques to load malicious plugins from a site under their control. When users click on specially crafted links, the exploit can trigger arbitrary JavaScript execution within the user’s browser.
This type of attack is particularly dangerous because it does not require elevated privileges or even authentication. Once exploited, attackers can hijack active user sessions, change account credentials, and, in some cases, carry out server-side request forgery (SSRF) attacks that allow unauthorized access to internal resources. Additionally, the vulnerability can be used to modify user email addresses, facilitating further account hijacking via password resets.
The flaw affects Grafana instances running versions prior to the fixed releases, and the attack requires user interaction — the victim must click on a malicious link while logged into Grafana. This makes the attack dependent on phishing or social engineering tactics to get users to click on the malicious link.
The security firm OX Security, which conducted an in-depth analysis of the vulnerability, found that more than 46,000 instances of Grafana remain exposed to this critical bug. The researchers estimate that approximately 36% of all internet-facing Grafana instances are still vulnerable. This widespread exposure highlights the scale of the problem and the urgent need for administrators to update their systems.
Grafana’s vulnerability is concerning because the exploit does not rely on sophisticated hacking techniques. Instead, attackers can exploit inconsistencies in the way Grafana handles URLs, bypassing modern browser security mechanisms. The default Content Security Policy (CSP) in Grafana provides some protection but is not enough to prevent exploitation due to limitations in client-side enforcement.
If left unpatched, CVE-2025-4123 could lead to severe consequences for organizations relying on Grafana for data monitoring. Account takeover is a major risk, as attackers can hijack user sessions and modify account details, which could lead to data loss, unauthorized access to sensitive information, and even service disruptions. The vulnerability also exposes Grafana instances to SSRF attacks, which could allow attackers to interact with internal systems and bypass network security controls.
Given the widespread nature of Grafana’s use in enterprise and cloud environments, the consequences of this vulnerability could be far-reaching. Attackers could exploit this flaw to target high-value data sources, internal networks, or even disrupt critical business operations.
To mitigate the risks posed by this vulnerability, it is crucial for Grafana administrators to upgrade to the latest patched versions. Grafana Labs released the following security updates on May 21, 2025:
- Grafana 10.4.18+security-01
- Grafana 11.2.9+security-01
- Grafana 11.3.6+security-01
- Grafana 11.4.4+security-01
- Grafana 11.5.4+security-01
- Grafana 11.6.1+security-01
- Grafana 12.0.0+security-01
These updates address the critical flaw and provide the necessary patches to secure vulnerable systems. In addition to applying the patch, administrators are advised to review their system configurations to ensure that client-side vulnerabilities like this one are mitigated and that security best practices are in place.
Grafana users who have not yet updated their systems should prioritize patching as soon as possible to avoid falling victim to this exploit. It is also recommended to monitor Grafana instances for suspicious activity and consider implementing additional security measures such as two-factor authentication (2FA) and user access controls to further reduce the risk of exploitation.
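As an added example (not code from the original post or from Grafana Labs), the check below classifies a Grafana version string against the fixed releases listed above, so an administrator can triage an inventory of instances. It assumes Grafana's `/api/health` endpoint reports a `"version"` field and that a `+security-NN` suffix marks a security rebuild of the same base version; branches newer than 12.0 are treated as released after the fix, and unlisted older branches as needing an upgrade to a supported branch.

```python
"""Classify Grafana version strings against the CVE-2025-4123 fixed releases."""
import json
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch:
# value is (patch, security_build) of the first fixed build on that branch.
FIXED = {
    (10, 4): (18, 1), (11, 2): (9, 1), (11, 3): (6, 1), (11, 4): (4, 1),
    (11, 5): (4, 1), (11, 6): (1, 1), (12, 0): (0, 1),
}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?(?:\+security-(\d+))?")


def parse_version(s):
    """Return (major, minor, patch, security_build); security_build is 0 if absent."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {s!r}")
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), int(sec or 0)


def assess(version):
    """Return 'patched', 'vulnerable', or 'upgrade' (branch has no fixed release)."""
    major, minor, patch, sec = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        fixed_patch, fixed_sec = FIXED[branch]
        ok = patch > fixed_patch or (patch == fixed_patch and sec >= fixed_sec)
        return "patched" if ok else "vulnerable"
    # Assumption: branches newer than any listed fixed release shipped after the fix.
    if branch > max(FIXED):
        return "patched"
    # Older or unlisted branches have no fixed release: move to a supported branch.
    return "upgrade"


def assess_health(health_json):
    """Classify the version reported in a Grafana /api/health response body."""
    return assess(json.loads(health_json)["version"])


# Constructed sample of an /api/health body (not captured from a real host).
SAMPLE_HEALTH = '{"commit": "abc123", "database": "ok", "version": "11.5.3"}'

if __name__ == "__main__":
    for v in ["10.4.18+security-01", "11.6.0", "12.0.0", "12.0.0+security-01",
              "12.1.0", "11.1.4"]:
        print(f"{v:24} {assess(v)}")
    print("health sample:", assess_health(SAMPLE_HEALTH))
```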
Anubis Ransomware Adds Destructive Wiper to Files, Making Recovery Impossible

In a new development, Anubis ransomware has added a dangerous feature to its file-encrypting malware: a wiper module designed to permanently destroy files, making recovery impossible even if the ransom is paid. First observed in December 2024, Anubis ransomware has quickly gained traction, with the ransomware-as-a-service (RaaS) group offering an affiliate program that gives a significant cut to its partners.
The wiper module, which is activated using a command-line parameter (‘/WIPEMODE’), erases the contents of files, reducing them to 0 KB while keeping their names and file structure intact. This means that while the files remain visible in the directory, their contents are irreversibly destroyed. This addition is believed to increase pressure on victims to pay the ransom quickly, as recovery efforts are effectively thwarted.
Anubis is known for its sophistication, including the use of ECIES (Elliptic Curve Integrated Encryption Scheme) encryption, and it appends the ‘.anubis’ extension to encrypted files. Although the ransomware takes certain precautions to avoid rendering the system completely unusable, it removes volume shadow copies and terminates processes that could interfere with the encryption.
The added wiper feature is expected to escalate the already destructive nature of the attacks, making the consequences of a breach even more devastating for victims.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
