🔴 CVE-2021-43798

Unpatched Grafana 8.x instances are vulnerable to an unauthenticated path traversal: a crafted plugin-asset URL lets a remote attacker read arbitrary files from the server's file system. This matters because Grafana dashboards are commonly exposed to the internet for monitoring and observability. The vulnerability has been actively exploited in the wild.

Risk Level: HIGH_RISK
CVSS Score: 7.5
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2021-12-07

Added to CISA KEV: 2025-10-09 (1402 days between CVE publication and KEV listing)

🎯 Recommendations:

Upgrade any Grafana 8.0.0-beta1 through 8.3.0 instance to a fixed release (8.3.1, 8.2.7, 8.1.8 or 8.0.7, or any later version). Until then, do not expose the instance directly to the internet; afterwards, review access logs for traversal requests against /public/plugins/ and rotate any secrets held in grafana.ini if a successful read is found.

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2021-43798 is a high-severity (CVSS 7.5) directory traversal vulnerability affecting self-hosted Grafana instances, which allows unauthenticated remote attackers to read arbitrary files from the underlying server [1] [6].

Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability has been subject to active exploitation since its disclosure in December 2021 [1]. Notably, it remains relevant years later; CISA added it to its Known Exploited Vulnerabilities (KEV) Catalog, and security researchers observed a sharp surge in exploitation attempts as recently as September 2025 [3] [2].
  • Threat Actors: While specific APT groups are not always explicitly attributed to every wave, the uniform patterns of exploitation suggest either a single operator using diverse infrastructure or multiple actors reusing the same exploit kits and target sets [2].
  • Campaigns: There is no widespread evidence linking this specific vulnerability to major ransomware campaigns; it is more frequently observed in broad, automated scanning and exploitation waves targeting vulnerable software ecosystems [2].
Attack Method and Requirements
  • Method: It is a directory traversal attack that exploits improper input validation in the handler for plugin assets [1]. The route `/public/plugins/<plugin-id>/<file>` joins the requested file name to the plugin's directory without rejecting `..` segments, so a request such as `/public/plugins/<plugin-id>/../../../../etc/passwd` escapes the intended directory and reads a file on the host. The plugin id must match a plugin that is actually installed, which is why public exploits iterate over Grafana's built-in plugin ids (for example `alertlist` or `graph`).
  • Requirements: The attack is performed over the network and does not require user interaction or authentication [1].
  • PoC Availability: Proof-of-concept (PoC) code was released publicly shortly after the vulnerability was disclosed in December 2021, which facilitated rapid exploitation [1]. Exploit modules, such as those in Metasploit, are also available [4].
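Because exploitation leaves a distinctive request shape, the traversal is easy to hunt for in access logs. The following detector is an added example, not code from the original page or from Grafana Labs: it parses Combined Log Format lines, URL-decodes the path (including double encoding), matches the `/public/plugins/<plugin-id>/` route, and reports any request whose remaining path contains a `..` segment, along with whether the plugin id is one an exploit would expect to find installed. The log lines and the `KNOWN_PLUGIN_IDS` list are constructed for illustration.

```python
"""Flag CVE-2021-43798-style traversal requests in Combined Log Format access logs.

Added example, not from the original page or from Grafana Labs. Sample log lines
and the plugin id list are constructed for illustration.
"""
import re
from urllib.parse import unquote

# The vulnerable route is /public/plugins/<plugin-id>/<file>. The request only reaches
# the file system when <plugin-id> is an installed plugin, so exploits iterate over
# built-in ids. Assumption: this list is illustrative, not Grafana's full plugin set.
KNOWN_PLUGIN_IDS = {
    "alertlist", "annolist", "grafana", "graph", "table", "text", "stat", "gauge",
    "mysql", "postgres", "prometheus", "loki", "elasticsearch", "cloudwatch", "testdata",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
PLUGIN_ROUTE_RE = re.compile(r"^/public/plugins/(?P<plugin>[^/]+)/(?P<rest>.*)$")


def decode_path(target: str) -> str:
    """Drop the query string and URL-decode until stable (defeats %2e%2e and %252e%252e)."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_target(rest: str):
    """Return the file an upward-traversing path asks for, or None if there is no '..' segment."""
    segs = [s for s in re.split(r"[\\/]+", rest) if s not in ("", ".")]
    if ".." not in segs:
        return None
    # Everything after the last '..' is what the attacker wants (e.g. etc/passwd).
    last = len(segs) - 1 - segs[::-1].index("..")
    return "/".join(segs[last + 1:]) or "(directory)"


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route = PLUGIN_ROUTE_RE.match(decode_path(m["target"]))
    if not route:
        return None
    target = traversal_target(route["rest"])
    if target is None:
        return None
    return {
        "ip": m["ip"],
        "plugin": route["plugin"],
        "plugin_installed": route["plugin"] in KNOWN_PLUGIN_IDS,
        "target": target,
        "status": int(m["status"]),
        # A 200 on a traversal path is the strong signal; a 404 usually means the plugin id missed.
        "likely_success": m["status"] == "200",
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep only findings."""
    return [f for f in (analyze_line(line) for line in lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Sep/2025:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1423',
    '203.0.113.7 - - [28/Sep/2025:10:01:03 +0000] "GET /public/plugins/doesnotexist/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 29',
    '198.51.100.9 - - [28/Sep/2025:10:02:10 +0000] "GET /public/plugins/graph/%252e%252e/%252e%252e/%252e%252e/conf/defaults.ini HTTP/1.1" 200 8812',
    '192.0.2.44 - - [28/Sep/2025:10:03:00 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 5120',
    '192.0.2.45 - - [28/Sep/2025:10:03:01 +0000] "GET /api/health HTTP/1.1" 200 68',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two caveats when running this against real logs: a reverse proxy in front of Grafana may normalize `..` before forwarding, so inspect the proxy's own log rather than Grafana's; and a 200 response only proves the path resolved, so confirm impact by checking the response size against the size of the file named in `target`.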
Impact
  • Access: Successful exploitation allows an attacker to read arbitrary files on the server, such as configuration files (`grafana.ini`) or password files [1].
  • Consequences: While a default installation might not contain highly sensitive data, the leakage of configuration files can expose secrets like OAuth2 credentials or database connection strings, which can lead to further compromise of the environment [4].
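If a successful read of grafana.ini is confirmed, the practical next step is to enumerate what it exposed. The triage helper below is an added example (not from the original page or from Grafana Labs): it parses an INI file in grafana.ini's layout, lists the credential-bearing keys and embedded connection-string passwords that must be rotated, and flags two weak defaults, the shipped `secret_key` value and an `admin_password` of `admin`. The sample configuration is constructed, and the `SECRET_KEYS` set is an illustrative subset of grafana.ini's key names.

```python
"""Triage what a leaked grafana.ini exposes: secrets to rotate and weak defaults.

Added example, not from the original page or from Grafana Labs. The INI content is
constructed; SECRET_KEYS is an illustrative subset of grafana.ini key names.
"""
import configparser
import re

# Value of secret_key shipped in Grafana's defaults.ini; it encrypts stored data source
# passwords, so a leaked config still carrying it is worse than one with a site-specific key.
GRAFANA_DEFAULT_SECRET_KEY = "SW2YcwTIb9zpOOhoPsMm"

# Key names whose values are credentials (assumption: illustrative subset).
SECRET_KEYS = {"secret_key", "admin_password", "password", "client_secret",
               "token", "api_key", "private_key", "secret"}

# scheme://user:password@host  -- e.g. [database] url with an embedded password.
URL_CRED_RE = re.compile(r"^[a-z0-9+.-]+://[^/:@\s]+:[^@\s]+@", re.I)


def parse_grafana_ini(text: str) -> configparser.ConfigParser:
    """grafana.ini may place keys before the first [section]; give them a synthetic one."""
    if not text.lstrip().startswith("["):
        text = "[_root]\n" + text
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)
    return cp


def triage(text: str) -> dict:
    """Return {'rotate': [...], 'weak_defaults': [...]} for a leaked grafana.ini."""
    cp = parse_grafana_ini(text)
    rotate, weak = [], []
    for section in cp.sections():
        for key, value in cp.items(section):
            value = (value or "").strip()
            if not value:
                continue  # empty values (e.g. "password =") expose nothing
            ref = f"[{section}] {key}"
            if key in SECRET_KEYS or URL_CRED_RE.match(value):
                rotate.append(ref)
            if key == "secret_key" and value == GRAFANA_DEFAULT_SECRET_KEY:
                weak.append(ref + " is Grafana's shipped default")
            if key == "admin_password" and value == "admin":
                weak.append(ref + " is the default 'admin'")
    return {"rotate": rotate, "weak_defaults": weak}


# Constructed sample configuration (not a real deployment).
SAMPLE_GRAFANA_INI = """\
app_mode = production

[security]
admin_user = admin
admin_password = admin
secret_key = SW2YcwTIb9zpOOhoPsMm

[database]
type = postgres
url = postgres://grafana:S3cretDbPw@db.internal:5432/grafana
password =

[auth.generic_oauth]
enabled = true
client_id = grafana-sso
client_secret = 0f3c9f1d-example-secret

[smtp]
enabled = true
password = mailpass123
"""

if __name__ == "__main__":
    result = triage(SAMPLE_GRAFANA_INI)
    print("rotate:", *result["rotate"], sep="\n  ")
    print("weak defaults:", *result["weak_defaults"], sep="\n  ")
```

The `secret_key` finding deserves priority: with it, an attacker who also obtains the Grafana database (for example via a leaked `[database] url`) can decrypt the data source credentials stored there, turning a file read into access to the monitored systems.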
Affected Versions and Mitigation
  • Affected Versions: Grafana versions v8.0.0-beta1 through v8.3.0 are vulnerable [1].
  • Status: Grafana Labs released an official security patch on December 7, 2021 [5]; the fixed releases are 8.3.1, 8.2.7, 8.1.8 and 8.0.7. Organizations running affected versions are urged to upgrade to one of these or a later version immediately to mitigate the risk [3].

Sources

  1. Grafana Issues a Security Patch After an Exploit for CVE-2021-43798

    December 08, 2021. Prepared by Deepwatch Threat Intel Team. Key Points: After security researchers released proof-of-concept code to exploit the issue over the weekend, Grafana Labs issued an emergency security update today to patch a critical vulnerability in its flagship product self-hosted Grafan…

  2. Coordinated Grafana Exploitation Attempts on 28 September

    On 28 September 2025, GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal ... Threat Context Exploitation of older, high-impact vulnerabilities like CVE-2021-43798 is common across different threat categories: Global Exploitation: G…

  3. Urgent Grafana CVE-2021-43798 KEV Alert Patch Now

    CISA has added a long-known Grafana directory traversal flaw — CVE-2021-43798 — to its Known Exploited Vulnerabilities (KEV) Catalog, signaling fresh evidence of active exploitation and placing renewed urgency on organizations that still run unpatched Grafana 8.x instances to act immediately... The…

  4. Assessing Potential Exploitation of Grafana's CVE-2021-43798 for ...

    Grafana released an official patch on December 7, 2021, just before the Log4Shell hysteria re-prioritized security teams' remediation efforts. ... Some public CVE-2021-43798 exploits have tried to demonstrate real impact. Metasploit, for example, uses CVE-2021-43798 to download the server’s grafana.

  5. Grafana path traversal · Advisory - GitHub

    Path Traversal (CVE-2021-43798). Summary. On 2021-12-03, we received a report that Grafana is vulnerable to directory traversal, allowing access ...

  6. CVE-2021-43798 Common Vulnerabilities and Exposures | SUSE

    Secure your Linux systems from CVE-2021-43798. Stay ahead of potential threats with the latest security updates from SUSE. Description. Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) is vulnerable to direc…