What happened
CISA added CVE-2021-43798 (Grafana path traversal) to the Known Exploited Vulnerabilities (KEV) Catalog, signaling confirmed in-the-wild exploitation and mandating federal remediation under BOD 22-01 ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)). The KEV entry describes the vulnerability as allowing access to local files and requires agencies to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)). Per the KEV listing, the date added is 2025-10-09, with a remediation due date of 2025-10-30 for covered entities ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
NVD tracks this issue as a path (directory) traversal flaw in Grafana: crafted paths escape the intended directory and let an attacker read files on the server ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)). The weakness maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal") in the standardized taxonomy ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)). MITRE's CVE record confirms the identifier and carries the references used for coordination across tooling and advisories ([MITRE CVE-2021-43798](https://cveawg.mitre.org/api/cve/CVE-2021-43798)).
Why it matters
Inclusion in the KEV Catalog means exploitation isn't hypothetical: threat actors are abusing this Grafana flaw in real environments, which starts a mandatory remediation clock for federal networks and serves as a de facto urgency signal for everyone else ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)). Path traversal lets an attacker retrieve any local file the Grafana process can read, turning an observability node into an information-disclosure pivot ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)). Even without code execution, configuration files and credential material commonly reside on such hosts, and reading them can directly enable lateral movement and further compromise ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)).
Operationally, Grafana often sits at the crossroads of infrastructure visibility and authentication backends; a loss of confidentiality on its host's filesystem can undermine monitoring integrity and expose downstream systems that share the same credentials or tokens ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)). Because CISA lists only issues with evidence of exploitation, expect opportunistic scanning and automated exploitation attempts to continue as long as unpatched instances remain exposed ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
Technical detail
CVE-2021-43798 is a directory traversal (CWE-22) condition: user-controlled path components are insufficiently constrained, so traversal sequences break out of the intended directory and reach files elsewhere on disk ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)). In Grafana, a crafted HTTP request can coerce the server into serving files from the host filesystem that should never be exposed to remote clients, disclosing any local file readable by the service account ([MITRE CVE-2021-43798](https://cveawg.mitre.org/api/cve/CVE-2021-43798)). The root cause is improper validation and normalization of the path before the file is opened, the hallmark of CWE-22 vulnerabilities ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)).
The impact is information disclosure, not direct code execution: attackers can retrieve files but do not gain shell access through this vector alone; however, disclosure can cascade into credential theft or configuration leaks that enable follow-on attacks ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)). CISA's KEV designation confirms exploitation in real-world environments, which typically shows up as scripted enumeration of common sensitive paths against reachable Grafana endpoints ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
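To make the CWE-22 mechanism concrete, here is an added Go example written for this page (illustrative code, not Grafana's own source): naiveResolve shows the anti-pattern of gluing a request path onto an asset root, and safeResolve shows the normalize-then-contain check that blocks escapes. The root "/srv/assets" and the request paths are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request path resolves outside the asset root.
var ErrOutsideRoot = errors.New("request path escapes the asset root")

// naiveResolve is the CWE-22 anti-pattern (illustrative, not Grafana's code): the
// request path is glued onto the root with no normalization or containment check,
// so "../" segments survive and the OS resolves them above the root when opened.
func naiveResolve(root, reqPath string) string {
	return root + "/" + reqPath
}

// safeResolve joins and lexically normalizes the path, then refuses anything that
// does not sit strictly beneath the absolute root. The trailing separator in the
// prefix check matters: without it "/srv/assets-old/x" would pass for a root of
// "/srv/assets". Percent-decoding must already have happened (net/http decodes
// URL.Path before handlers run), and a real deployment should additionally run
// filepath.EvalSymlinks on the result so symlinks inside root cannot point out.
func safeResolve(root, reqPath string) (string, error) {
	if !filepath.IsAbs(root) {
		return "", errors.New("root must be an absolute path")
	}
	root = filepath.Clean(root)              // drop any trailing separator
	resolved := filepath.Join(root, reqPath) // Join applies Clean, collapsing ".." segments
	if resolved != root && !strings.HasPrefix(resolved, root+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

func main() {
	// Constructed request paths: one legitimate asset and three traversal attempts.
	for _, p := range []string{"img/logo.png", "../../etc/passwd", "css/../../../etc/passwd", "../assets-old/x"} {
		got, err := safeResolve("/srv/assets", p)
		fmt.Printf("naive=%-36s safe=%q err=%v\n", naiveResolve("/srv/assets", p), got, err)
	}
}
```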
Defense
- Patch or mitigate on deadline: CISA requires federal systems to apply vendor mitigations or discontinue use by the KEV due date; treat that timeline as your floor and act now ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
- Asset scoping and exposure reduction: inventory every Grafana instance, especially those directly exposed to the internet, and remediate reachable surfaces first ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
- Compensating controls: if patching isn't immediately possible, place Grafana behind an authenticated gateway or reverse proxy and block traversal patterns at the edge while you remediate; this cuts off trivial file-disclosure attempts against public endpoints ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)).
- Detection and response: review HTTP access logs for path components indicative of traversal attempts and correlate them with spikes in 200 responses on atypical paths; investigate any successful file retrieval outside expected asset directories ([MITRE CVE-2021-43798](https://cveawg.mitre.org/api/cve/CVE-2021-43798)). Treat exposed secrets as compromised: rotate tokens and credentials that may reside on affected hosts ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)).
- Governance: align remediation tracking with BOD 22-01 KEV processes to ensure timely closure and continuous validation of fixes across environments ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)).
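As an added example for the detection bullet above (written for this page, not a Grafana or CISA tool): a small Go scanner over constructed combined-format access log lines that percent-decodes each request path, including double-encoded forms, flags whole ".." segments, and marks 200 responses as likely successful reads to investigate first. The "/static/" prefix and the log lines are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one flagged request; Severity is "confirmed-read" on HTTP 200, else "attempt".
type Finding struct {
	Client, Path, Severity string
	Status                 int
}
// Combined log format: capture client, request path and status code.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})`)
// Constructed sample lines (not real telemetry); "/static/" is a stand-in asset prefix.
const sampleLog = `10.0.0.5 - - [09/Oct/2025:10:00:01 +0000] "GET /static/build/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Oct/2025:10:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
10.0.0.9 - - [09/Oct/2025:10:00:03 +0000] "GET /static/..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 221 "-" "curl/8.0"
10.0.0.9 - - [09/Oct/2025:10:00:04 +0000] "GET /static/%252e%252e/%252e%252e/etc/hostname HTTP/1.1" 403 0 "-" "python-requests/2.31"`

// decodePath percent-decodes until stable so double-encoded "%252e%252e" (-> "%2e%2e" -> "..")
// cannot evade a single pass; every successful decode shortens p, so the loop terminates.
func decodePath(p string) string {
	for d, err := url.PathUnescape(p); err == nil && d != p; d, err = url.PathUnescape(p) {
		p = d
	}
	return p
}

// scanAccessLog flags requests whose decoded path holds a whole ".." segment (not "file..name");
// triage "confirmed-read" hits first and rotate any secrets the disclosed files may have held.
func scanAccessLog(logText string) []Finding {
	var out []Finding
	for _, line := range strings.Split(logText, "\n") {
		m := logLine.FindStringSubmatch(line)
		if m == nil || !strings.Contains("/"+decodePath(m[2])+"/", "/../") {
			continue
		}
		status, _ := strconv.Atoi(m[3])
		f := Finding{Client: m[1], Path: decodePath(m[2]), Status: status, Severity: "attempt"}
		if status == 200 {
			f.Severity = "confirmed-read"
		}
		out = append(out, f)
	}
	return out
}

func main() { fmt.Println(scanAccessLog(sampleLog)) }
```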
Lyrie Verdict
CVE-2021-43798 is being actively exploited, and traversal probes lend themselves to automation—exactly the kind of high-speed recon and abuse that machine agents excel at ([CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)). Lyrie's stance: don't wait on humans to spot odd paths in logs. Autonomous detectors must fingerprint Grafana endpoints, simulate traversal patterns safely, and correlate HTTP responses with filesystem access telemetry to flag disclosure at wire speed ([NVD CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)). We treat KEV-listed CVEs as hot signals and automatically elevate scan depth and frequency until patched, closing the window scammers—and rogue AI exploiters—use to siphon files between human review cycles ([MITRE CVE-2021-43798](https://cveawg.mitre.org/api/cve/CVE-2021-43798)).