CISA has added a long-known Grafana directory traversal flaw — CVE-2021-43798 — to its Known Exploited Vulnerabilities (KEV) Catalog, signaling fresh evidence of active exploitation and placing renewed urgency on organizations that still run unpatched Grafana 8.x instances to act immediately.
Overview
The addition of CVE-2021-43798 to CISA’s KEV catalog elevates a previously disclosed Grafana path traversal vulnerability into the prioritized remediation queue for federal civilian agencies and should raise alarm across private sector operations that host self-managed Grafana instances. The vulnerability, originally disclosed and patched in late 2021, affects Grafana versions 8.0.0-beta1 through 8.3.0, and allows an unauthenticated attacker to craft specially formed requests to the /public/plugins/* path to read arbitrary local files from the Grafana host. Vendor advisories and national vulnerability databases list specific patched releases (8.0.7, 8.1.8, 8.2.7 and 8.3.1) and provide mitigation guidance; the KEV listing indicates that threat actors are actively exploiting this vector again in the wild.
This development is important for two reasons. First, adding a CVE to the KEV catalog is a public confirmation that CISA has seen reliable evidence of exploitation. Second, the KEV designation triggers mandatory remediation timelines for Federal Civilian Executive Branch (FCEB) agencies under BOD 22-01 and serves as a high-priority signal to private sector defenders to treat the vulnerability as an immediate operational risk.
Background: BOD 22-01 and the KEV Catalog
Binding Operational Directive 22-01 (BOD 22-01) established the KEV catalog as a living list of vulnerabilities that are being exploited in the wild and therefore present significant operational risk to the federal enterprise. The directive requires federal civilian agencies to remediate cataloged vulnerabilities according to timelines set by CISA. In practical terms:
- Agencies must remediate vulnerabilities with CVE IDs assigned prior to 2021 within six months, by default.
- For all other vulnerabilities (CVE years 2021 and later), the default remediation window is two weeks, unless CISA sets a different timeframe because of observed risk.
- The KEV catalog requires that a vulnerability has (1) a CVE identifier, (2) clear remediation guidance (such as a vendor-supplied patch), and (3) reliable evidence of active exploitation.
What CVE-2021-43798 Is — Technical summary
Attack class: Directory traversal (path traversal) leading to arbitrary local file read.
Affected software: Grafana open-source platform — versions 8.0.0-beta1 through 8.3.0 (unpatched). Grafana Cloud and managed Grafana offerings were reported as not vulnerable during the original disclosure.
Vulnerable endpoint: Requests to the plugin asset path — the URL pattern /public/plugins/<plugin-id>/ — were not sufficiently normalized, allowing crafted input with traversal sequences (for example, "../") to pull files from the host file system that should be inaccessible.
Impact: Confidentiality breach — disclosure of configuration files, API tokens, database credentials, and other secrets stored on the Grafana host. While this vulnerability does not itself allow remote command execution, the disclosure of credentials or tokens can facilitate lateral movement, privilege escalation, access to telemetry backends, or further chain exploits.
Severity: High (CVSS 3.x ~ 7.5). Multiple vulnerability tracking databases and the vendor’s security advisory assigned a high severity rating and recommended immediate patching.
Patched versions: Upgrade to 8.0.7, 8.1.8, 8.2.7, or 8.3.1 (or later) to remediate the flaw. If patching immediately is not possible, deploy mitigations such as a reverse proxy that normalizes request paths or limit external access to the Grafana instance.
Why this matters now — analysis of the KEV addition
- Active exploitation confirmed: The KEV designation is not a rehash of older advisories — it reflects that CISA has gathered evidence the vulnerability is being abused in operational attacks. That means entities with still-unpatched installations face immediate exposure.
- Old vulnerabilities remain dangerous: CVE-2021-43798 is a nearly four-year-old CVE; its presence in KEV underlines a persistent problem — older, previously patched flaws keep surfacing in exploit campaigns because large pools of unattended or unpatched systems remain online. Attackers frequently weaponize ancient but effective bugs because the "low-hanging fruit" of poorly maintained infrastructure is plentiful.
- Automation and opportunism increase impact: Directory traversal issues are trivial to scan for and to exploit at scale using automated tooling. Once a proof-of-concept becomes public, opportunistic threat actors and scanning bots proliferate the attack pattern rapidly. That creates a narrow window where defenders must act before the noise overwhelms detection.
- Potential for credential harvest and chaining: A file-read flaw like this is an enabler rather than a final-stage payload. Sensitive files (for example, grafana.ini, database credentials, cloud API keys) can be harvested and then used to pivot to other assets or escalate privileges. Attack campaigns that chain such an information disclosure into ransomware or data exfiltration are common.
- Managed services nuance: Grafana Cloud and some managed offerings were not vulnerable at the time of initial disclosure; the KEV listing mostly affects self-hosted installs. Organizations using managed Grafana should still confirm vendor statements and ensure tenant-level configuration or third-party integrations aren’t introducing risk.
Who is at risk
- Organizations running self-hosted Grafana instances in the vulnerable version ranges and exposing the Grafana HTTP interface to untrusted networks.
- Industrial, utilities, and operational technology (OT) environments that have integrated monitoring stacks and may not prioritize frequent patching.
- Development and staging environments that contain credentials or copies of production configuration.
- Containers and virtual machines built from older Grafana images in private registries or CI/CD pipelines where images are not refreshed.
- Cloud deployments where Grafana was deployed manually and not part of managed Grafana offerings.
Detection and hunting guidance
Short-term detection can help determine whether an instance has been probed or compromised. Suggested hunting steps:
- Search web server logs (Nginx, Apache, IIS, Caddy, etc.) and Grafana access logs for requests to paths like:
- /public/plugins/
- Requests containing "../" or encoded traversal sequences such as "%2e%2e%2f"
- Requests that include file names that would be outside the plugin path (for example, attempts to access /etc/passwd, /proc/self/environ, or Windows system files)
- Look for anomalous 200 responses to unexpected resource paths that previously returned 404, or for responses containing file contents (e.g., configuration directives, credentials).
- Run targeted vulnerability scans with modern scanners and authenticated checks to confirm Grafana version and whether the plugin path normalization is enforced.
- Inspect process inventories and container images for Grafana versions; search artifact registries and CI/CD pipelines for outdated Grafana images.
- Check SIEM and EDR telemetry for follow-on activity such as use of harvested credentials to call back to telemetry databases or cloud services.
- Identify signs of lateral movement or data exfiltration following any suspicious file-read activity.
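The log-search steps above can be turned into a small hunting script. The following is an added example, not code from the article or from Grafana: it assumes web-server logs in the common combined format (the `LOG_RE` pattern and the `decode_path`, `escapes_plugin_dir` and `hunt` names are choices made here), URL-decodes each request path repeatedly so that both "%2e%2e%2f" and double-encoded variants are caught, normalizes the result, and flags any /public/plugins/<id>/ request whose resolved path leaves the plugin directory, escalating those that received a 200. The sample log lines, the client addresses and the plugin id "someplugin" are constructed. The same normalize-then-compare check is what a reverse proxy or WAF rule in front of an unpatched instance needs to enforce, because matching the literal "../" misses the encoded forms.

```python
"""Hunt web-server and Grafana access logs for CVE-2021-43798 probing.

Added example (not from the article or from Grafana). Parses combined-
log-format lines, URL-decodes the request path (repeatedly, to catch
double encoding), normalizes it, and flags any /public/plugins/<id>/...
request whose resolved path leaves the <id>/ directory. A flagged request
that also received a 200 is escalated: the server returned something for
a path that should not exist under the plugin directory.
"""
import posixpath
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "METHOD TARGET PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PREFIX = "/public/plugins/"


def decode_path(target: str) -> str:
    """Drop the query string and URL-decode until the string stops changing.

    Scanners send "%2e%2e%2f" and double-encoded "%252e%252e%252f" to slip
    past single-pass filters; decoding is bounded so input cannot loop.
    """
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslashes as separators too


def escapes_plugin_dir(path: str) -> bool:
    """True if a /public/plugins/<id>/... path resolves outside <id>/.

    Normalize first, then compare the resolved path with the expected
    prefix. This is the same check a reverse proxy or WAF rule has to
    enforce; matching the literal "../" alone misses encoded variants.
    """
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id = path[len(PLUGIN_PREFIX):].split("/", 1)[0]
    if plugin_id == "":
        return False          # bare /public/plugins/ request, nothing to escape
    if plugin_id in (".", ".."):
        return True           # traversal begins in the plugin-id segment itself
    allowed_root = PLUGIN_PREFIX + plugin_id
    resolved = posixpath.normpath(path)
    return not (resolved == allowed_root or resolved.startswith(allowed_root + "/"))


def hunt(log_lines):
    """Return one finding per request whose decoded path escapes its plugin dir."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # not an access-log line we understand
        path = decode_path(m["target"])
        if not escapes_plugin_dir(path):
            continue
        status = int(m["status"])
        findings.append({
            "client": m["client"],
            "time": m["time"],
            "raw_target": m["target"],
            "decoded_path": path,
            "status": status,
            # 200 on an escaping path: treat as a probable successful read
            "severity": "probable-read" if status == 200 else "attempt",
        })
    return findings


# Constructed sample log: "someplugin" is a placeholder plugin id and the
# client addresses are documentation ranges, not real observations.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Oct/2025:10:01:02 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "curl/8.0"',
    '203.0.113.10 - - [12/Oct/2025:10:01:05 +0000] "GET /public/plugins/someplugin/img/logo.svg HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Oct/2025:10:02:11 +0000] "GET /public/plugins/someplugin/../../../../../../etc/passwd HTTP/1.1" 200 1431 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Oct/2025:10:02:12 +0000] "GET /public/plugins/someplugin/%2e%2e%2f%2e%2e%2fconf%2fgrafana.ini HTTP/1.1" 404 29 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Oct/2025:10:02:13 +0000] "GET /public/plugins/someplugin/%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f'{f["severity"]:<14} {f["client"]:<14} {f["status"]} {f["decoded_path"]}')
```

Run it over a real file with `hunt(open("access.log"))`. A 403 or 404 on an escaping path is evidence of probing and is worth correlating with the source address across other logs; a 200 with a non-trivial byte count is the case to treat as a probable read and to follow with credential rotation and the follow-on hunting described above.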
Immediate mitigation checklist for admins
If you maintain Grafana instances, follow this prioritized, pragmatic remediation plan:
- Confirm version and exposure.
- Determine the exact Grafana version in use on every host (web UI footer, package management, installed binary).
- Identify which instances are internet-accessible and which are internal-only.
- Patch first, then harden.
- Upgrade immediately to the appropriate patched release (8.0.7, 8.1.8, 8.2.7, 8.3.1 or later).
- If you cannot patch immediately, restrict access to Grafana by network controls (VPN, IP allow-lists), or place a reverse proxy in front of it that normalizes the request path and rejects traversal sequences.
- Apply reverse proxy / WAF mitigations.
- Configure your front-end proxy (Nginx, Apache, IIS ARR, Envoy) to normalize request paths and block sequences that indicate directory traversal.
- Add a WAF rule to block requests to /public/plugins/ that contain "../" or encoded traversal characters.
- Reduce attack surface.
- Remove or disable unnecessary plugins and unused APIs.
- Ensure Grafana runs with least privilege and does not store high-value long-lived secrets on disk where possible.
- Rotate credentials and secrets.
- If you suspect compromise or unexplained file reads, rotate Grafana API tokens, datasource credentials, and any service-account keys found on the Grafana host.
- Scan and inventory.
- Use vulnerability management tooling to scan for Grafana instances on your networks, including containers and VMs in cloud accounts.
- Update asset inventories and ensure Grafana instances are tracked for future patch cycles.
- Monitor and escalate.
- Monitor for exploit indicators listed above.
- If exploitation is detected, follow incident response procedures, capture forensic evidence, and consider involving external incident response resources.
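The first two checklist steps (confirm the exact version on every host, then upgrade to the fixed release for that minor line) are easy to get wrong by hand when an inventory mixes beta builds, tagged container images and hosts on different 8.x lines. The following added example, which is not code from the article or from Grafana, encodes the affected range and fixed releases the article lists and classifies version strings against them; `parse_version`, `assess` and `triage` are names chosen here, and the hostnames and versions in `INVENTORY` are constructed.

```python
"""Triage an inventory of Grafana version strings against CVE-2021-43798.

Added example (not from the article or from Grafana). It encodes the
affected range given in the article (8.0.0-beta1 through 8.3.0) and the
fixed releases (8.0.7, 8.1.8, 8.2.7, 8.3.1) so that versions collected
from hosts, containers and images can be sorted into vulnerable / patched /
not-affected with a concrete upgrade target. The inventory is constructed.
"""
import re

# 8.<minor> -> first patch level on that line that contains the fix
FIRST_FIXED_PATCH = {0: 7, 1: 8, 2: 7, 3: 1}
LOWEST_AFFECTED = "8.0.0-beta1"

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return (major, minor, patch, prerelease); prerelease is '' for GA builds."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre or ""


def sort_key(v):
    """Order versions so a pre-release (8.0.0-beta1) sorts before its GA (8.0.0)."""
    major, minor, patch, pre = v
    return (major, minor, patch, pre == "", pre)


def assess(text):
    """Classify one version: returns (status, upgrade_to).

    status is 'vulnerable', 'patched' or 'not-affected'; upgrade_to is the
    smallest fixed release on the same minor line, or None.
    """
    v = parse_version(text)
    major, minor, _patch, _pre = v
    if major < 8 or sort_key(v) < sort_key(parse_version(LOWEST_AFFECTED)):
        return "not-affected", None
    if major > 8 or minor > 3:
        return "patched", None        # anything after the 8.3 line is "8.3.1 or later"
    fixed = (8, minor, FIRST_FIXED_PATCH[minor], "")
    if sort_key(v) >= sort_key(fixed):
        return "patched", None        # e.g. 8.2.7 sits inside the range but is fixed
    return "vulnerable", f"8.{minor}.{FIRST_FIXED_PATCH[minor]}"


def triage(inventory):
    """inventory: iterable of (host, version_string). Vulnerable hosts come first."""
    rows = []
    for host, version in inventory:
        try:
            status, upgrade_to = assess(version)
        except ValueError:
            status, upgrade_to = "unknown", None   # needs manual confirmation
        rows.append({"host": host, "version": version,
                     "status": status, "upgrade_to": upgrade_to})
    order = {"vulnerable": 0, "unknown": 1, "patched": 2, "not-affected": 3}
    rows.sort(key=lambda r: order[r["status"]])   # stable: keeps input order within a status
    return rows


# Constructed inventory: hostnames and versions are placeholders.
INVENTORY = [
    ("grafana-prod-01", "8.3.0"),
    ("grafana-stage", "v8.2.3"),
    ("ci-image:grafana", "8.0.0-beta1"),
    ("grafana-prod-02", "8.2.7"),
    ("ops-dashboard", "7.5.11"),
    ("new-cluster", "9.0.0"),
    ("legacy-vm", "latest"),
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        target = f" -> upgrade to {r['upgrade_to']}" if r["upgrade_to"] else ""
        print(f"{r['status']:<13} {r['host']:<18} {r['version']}{target}")
```

Feed it whatever you use to collect versions (web UI footer, package manager, image tags); anything it reports as `unknown`, such as a floating `latest` tag, needs manual confirmation rather than being assumed safe.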
Practical steps for Windows administrators
Many Windows-centric teams deploy Grafana on Windows servers, virtual machines, or containers. Practical Windows-focused steps:
- Determine Grafana version:
- Query the installed application or check the Grafana web UI footer.
- If Grafana runs as a Windows service, inspect the service binary path and version metadata.
- Upgrade on Windows:
- Stop the Grafana service, replace binary or package with the patched installer/zip, update configuration as needed, then restart. Follow vendor upgrade notes to avoid breaking dashboards.
- Use IIS or a Windows reverse proxy:
- If using IIS/ARR as a reverse proxy, configure URL rewrite rules that deny requests with traversal sequences to /public/plugins/.
- Ensure HTTP.sys and application-layer normalization are enabled where applicable.
- Tighten firewall rules:
- Restrict external access to Grafana ports at the Windows Firewall or perimeter firewall level; allow only known management IP ranges.
- Check credential stores:
- If Grafana uses Windows credential stores or is pointed at Windows-hosted databases, rotate those credentials if compromise is suspected.
- Audit scheduled tasks, startup scripts, and installed services for persistence mechanisms that could indicate post-exploitation.
Risk analysis: strengths and residual risks
Strengths introduced by this KEV addition:
- Prioritization clarity: The KEV listing gives organizations a clear signal to prioritize remediation above lower-risk CVEs, aiding scarce patching resources.
- Clear remediation path: Grafana issued fixed releases and practical mitigations (reverse proxy normalization), meaning defenders have prescriptive, actionable steps.
- Detection opportunity: Directory traversal exploitation often leaves clear, detectable artifacts in web logs, enabling defenders to find attempted exploitation rapidly.
Residual risks:
- Long tail of unpatched instances: Many environments still run outdated applications or frozen images; the KEV listing will only reduce risk if organizations actively patch or mitigate.
- Credential harvest fallout: A file-read vulnerability can be a stealthy enabler for later, more damaging attacks (credential reuse, lateral movement). Remediating Grafana does not automatically neutralize prior credential theft unless secrets are rotated.
- Supply-chain and pipeline exposures: Grafana running inside container images pushed to registries or baked into VM images can persist beyond a single host patch unless build pipelines are updated.
- Detection gaps: Environments that centralize logs poorly or have log retention gaps may lose critical evidence of abuse. Attackers can act quietly once secrets are obtained.
- Scope of evidence: CISA’s KEV addition confirms exploitation but typically does not publish the full scope, methodology, or actor attribution in the public notice. The absence of public attribution means defenders must assume worst-case impact until more is known.
Long-term recommendations for resilience
Moving beyond immediate remediation, organizations should harden their telemetry and vulnerability posture to reduce similar exposure windows in the future:
- Maintain an accurate, automated asset inventory that includes container images, snapshots, and ephemeral infrastructure.
- Integrate KEV feeds and threat intelligence into vulnerability management tools and change windows to accelerate prioritized patching.
- Use automated image rebuilds and pipeline gating to ensure base images are refreshed after critical security patches.
- Adopt secrets management: remove long-lived credentials from application configuration. Use short-lived tokens and cloud-native identity where feasible.
- Harden logging and retention: keep application and proxy logs for a timeframe consistent with threat detection policies; centralize them in a tamper-resistant store.
- Conduct periodic tabletop exercises that simulate credential-harvest chains to stress-test detection and response.
- Apply segmentation: monitoring platforms like Grafana should be accessible only to necessary users and systems, not broadly exposed.
Conclusion
The KEV catalog addition of CVE-2021-43798 is a blunt reminder that time does not sterilize risk. A path traversal bug disclosed and patched years ago has re-emerged as an active operational threat, underscoring systemic issues in patching, asset management, and detection across many organizations. For administrators running self-hosted Grafana, the path forward is clear and urgent: identify all instances, apply the vendor-published patches or deploy compensating controls, rotate exposed credentials, and hunt your logs for signs of compromise.
CISA’s action is intended to concentrate attention and resources where exploitation is demonstrably happening. Treat KEV entries as active threat triggers and prioritize them in operational vulnerability programs — the cost of inaction is not just a patch backlog, but potentially a chain that leads from a simple file read to a full-blown intrusion.
Source: CISA, "CISA Adds One Known Exploited Vulnerability to Catalog"