# How I Found “CVE-2025-4123” in Grafana Using FOFA (and Got a Bounty)

In the name of God, and may prayers and peace be upon our Prophet, the striver and martyr.

Hello Hunters! I’m Abdelrahman (A0xtrojan), and I’m excited to share this write-up with you: a finding from a private program on Intigriti. So, without wasting time, let’s dive right in.

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/0*xnkzVSCGlKCb8UkW.jpg" alt="" height="604" width="700"><figcaption></figcaption></figure>

One day while researching on FOFA, I came across a newly published CVE affecting Grafana: **CVE-2025-4123**. The issue chains a client-side **Path Traversal** with an **Open Redirect**, enabling **stored XSS** — and in certain configurations (for example, when the Image Renderer plugin is present) the chain can escalate to **SSRF**.

<figure><img src="https://miro.medium.com/v2/resize:fit:840/0*JGXF0RO_iGHx180I.jpg" alt="" height="336" width="560"><figcaption></figcaption></figure>

References\
[https://nightbloodz.github.io/grafana-CVE-2025-4123/](https://nightbloodz.github.io/grafana-CVE-2025-4123/)

Then I went to FOFA and ran my query to hunt for exposed Grafana instances:

```
domain="example.com" && icon_hash="2123863676" 
OR
Host="example.com" && icon_hash="2123863676"
```

Either query looks for hosts under `example.com` that serve the specific Grafana icon hash `2123863676`, helping me quickly locate potentially vulnerable panels.


<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*Xs5OLbI3zbiKBWxuLxIwvg.png" alt="" height="203" width="700"><figcaption></figcaption></figure>

I navigated to one of the Grafana dashboards returned by my FOFA query and manually tested the panel.


<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*syzF5FAvWGE0_JxxSGAmvA.png" alt="" height="376" width="700"><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:720/0*kOvSTQ3yE3_ScAm9.jpg" alt="" height="480" width="480"><figcaption></figcaption></figure>

First, I injected the following path into the vulnerable panel:

```
/public/..%2F%5coast.pro%2F%3f%2F..%2F..
```

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*HPyFUebzjB3eB8HQeywnLA.png" alt="" height="398" width="700"><figcaption></figcaption></figure>

This encoded payload triggers the client-side path traversal and redirects the browser to `oast.pro`. Saving it in the dashboard let me store the malicious input and confirm the reflected/stored behaviour.
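As an added example (not part of the original write-up or of Grafana's code), here is a defender-side detector for the request shape described above: a `/public/` path that, once percent-decoded, contains a `..` segment and an encoded backslash followed by what the browser would treat as a host. The access-log lines, timestamps and client IPs are constructed sample data; the `oast.pro` target is the one used in the write-up.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2025:10:00:01 +0000] "GET /public/build/app.js HTTP/1.1" 200 5120
203.0.113.11 - - [01/Jun/2025:10:00:02 +0000] "GET /public/..%2F%5coast.pro%2F%3f%2F..%2F.. HTTP/1.1" 302 0
203.0.113.12 - - [01/Jun/2025:10:00:03 +0000] "GET /public/img/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
203.0.113.13 - - [01/Jun/2025:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 15
"""

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def full_unquote(s, rounds=3):
    """Percent-decode until stable so double-encoded payloads are seen in clear."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def analyse_path(raw_path):
    """Return None for a benign path, or a dict describing the suspicious pattern."""
    decoded = full_unquote(raw_path)
    if not decoded.lower().startswith("/public/"):
        return None
    # Split on both separators: the browser treats '\' like '/', which is the trick.
    segments = re.split(r"[\\/]", decoded)
    if ".." not in segments:
        return None
    finding = {"raw": raw_path, "decoded": decoded, "traversal": True, "redirect_host": None}
    # A backslash followed by a host-like token is the open-redirect signature.
    m = re.search(r"\\([A-Za-z0-9.-]+\.[A-Za-z]{2,})", decoded)
    if m:
        finding["redirect_host"] = m.group(1)
    return finding

def scan_log(text):
    """Parse each log line and collect findings for suspicious /public/ requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = analyse_path(m.group("path"))
        if f:
            f.update(ip=m.group("ip"), status=int(m.group("status")))
            findings.append(f)
    return findings
```

A traversal-only hit (no backslash host) is worth a lower-severity alert; a hit with `redirect_host` set is the full pattern and the host is the value to block or investigate.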

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*SmN8Uuzh3XPUbCY_rCfKHg.png" alt="" height="393" width="700"><figcaption></figcaption></figure>

I attempted to escalate the chain into a higher-impact exploit (stored XSS / SSRF), but in my tests it only reliably resulted in an open redirect.

I responsibly disclosed the finding and received a bounty for the report. Alhamdulillah €€


<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*xva3WS0wdamz65t9uFvuSQ.jpeg" alt="" height="187" width="700"><figcaption></figcaption></figure>

> Excited to announce that Khoof will soon be sharing alternative approaches to CVE discovery and vulnerability research best practices.

<figure><img src="https://miro.medium.com/v2/resize:fit:1050/1*hJA5eQGejkkspRCjNrpRLQ.png" alt="" height="394" width="700"><figcaption></figcaption></figure>

Follow me on social media:

[LinkedIn](https://www.linkedin.com/in/abdelrahman-tamer-6a932924a/) | [X](https://x.com/A0xTrojan) | [Youtube](https://www.youtube.com/channel/UC7smGv7AAcXMY5rrCpP5t8A) | [Facebook](https://www.facebook.com/abdo.tamer.313)

Thank you for taking the time to read my write-up. I will publish the next vulnerability soon :) and I hope you will share, like and support my write-ups :) stay safe
