Cyber Resilience

CVE-2025-11539

CriticalRCE

Published: 09 October 2025

Published
09 October 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0052 67.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11539 is a critical-severity Code Injection (CWE-94) vulnerability in Grafana Image Renderer (inferred from references). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-11539 is a remote code execution vulnerability in Grafana Image Renderer, stemming from an arbitrary file write flaw in the /render/csv endpoint. The endpoint fails to validate the filePath parameter, enabling an attacker to save a malicious shared object to an arbitrary location on the filesystem. This object is subsequently loaded by the underlying Chromium process, leading to code execution. The issue affects versions of grafana-image-renderer from 1.0.0 through 4.0.16 and has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), mapped to CWE-94 (Code Injection).

An attacker can exploit this vulnerability if they know or guess the authentication token—defaults to "authToken" if unchanged—and have network access to the image renderer endpoint. Exploitation requires low privileges (PR:L), with no user interaction needed. Successful attacks grant remote code execution on the host running the renderer, potentially allowing full system compromise due to the scope change (S:C) and high impacts on confidentiality, integrity, and availability.

Mitigation details are available in the Grafana security advisory at https://grafana.com/security/security-advisories/cve-2025-11539/ and the release notes for version 4.0.17 at https://github.com/grafana/grafana-image-renderer/releases/tag/v4.0.17, which addresses the validation flaw. Security practitioners should upgrade to grafana-image-renderer 4.0.17 or later and change the default authToken.

EU & UK References

Vulnerability details

Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared…

more

object to an arbitrary location that is then loaded by the Chromium process. Instances are vulnerable if: 1. The default token ("authToken") is not changed, or is known to the attacker. 2. The attacker can reach the image renderer endpoint. This issue affects grafana-image-renderer: from 1.0.0 through 4.0.16.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote code execution through exploitation of a public-facing web endpoint (/render/csv) in Grafana Image Renderer, allowing arbitrary file writes of malicious shared objects loaded by Chromium, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-13773Shared CWE-94
CVE-2025-50692Shared CWE-94
CVE-2026-30643Shared CWE-94
CVE-2026-30460Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2024-13792Shared CWE-94
CVE-2020-37052Shared CWE-94
CVE-2026-42555Shared CWE-94
CVE-2025-65037Shared CWE-94

Affected Assets

Grafana
Image Renderer
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation of the arbitrary file write flaw through patching to grafana-image-renderer 4.0.17 or later.

prevent

Addresses the root cause by enforcing validation of the unvalidated filePath parameter in the /render/csv endpoint to block arbitrary file writes.

prevent

Prevents exploitation by requiring management and replacement of the default authToken, blocking unauthorized access to the vulnerable endpoint.

References