Researchers at GreyNoise observed a sudden spike in attempts to exploit a well-known Grafana flaw. This vulnerability, tracked as CVE-2021-43798, allows attackers to traverse paths on a server and read any file they choose.
Over the course of a single day, 110 unique IP addresses scanned GreyNoise’s Global Observation Grid for vulnerable Grafana instances. All of these addresses were marked malicious.
A One-Day Surge in Activity
Grafana exploitation had been quiet in recent months, making the 28 September surge especially notable.
All 110 IPs attempted to reach Grafana servers in just three countries: the United States, Slovakia, and Taiwan.
Most attack sources came from Bangladesh, which accounted for 107 of the IPs. China and Germany contributed two and one IPs respectively.
Nearly all Bangladesh-based addresses focused on U.S. targets. Intriguingly, the bulk of these IPs made their first appearance on the same day they launched their attacks, suggesting they were spun up specifically for this campaign.
The distribution of attack traffic followed a consistent 3:1:1 ratio across destinations, whether the source was Bangladesh, China, or Germany.
China-based IPs attacked U.S., Slovakia, and Taiwan targets in a 7:2:2 pattern. Germany’s sole address followed a 3:1:1 split.
Bangladesh-based IPs also adhered closely to a 100:1:1 split. Furthermore, the TCP and HTTP fingerprints seen in the scans indicate that at least two distinct tools were used against the same set of servers.
This combination of uniform targeting and shared tooling suggests a coordinated campaign or a commonly used exploit kit rather than random, isolated scans.
Two China-based addresses, 60.186.152.35 and 122.231.163.197, stand out. Both belong to the CHINANET-BACKBONE network, appeared only on 28 September, and focused exclusively on Grafana path traversal attempts.
Exploiting older high-impact flaws like CVE-2021-43798 is a common tactic. Security advisories have documented how path traversal and related Grafana vulnerabilities have been woven into large-scale SSRF waves and reconnaissance phases of multi-step exploit chains.
Tools and research around more recent Grafana flaws, such as CVE-2025-6023, continue to expand, making these platforms a tempting target for attackers.
Organizations should immediately block the 110 malicious IPs identified on 28 September and verify that all Grafana servers are patched against CVE-2021-43798.
Reviewing access logs for signs of path traversal requests can confirm whether sensitive files were accessed.
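One way to carry out that log review, as an added example that is not part of the GreyNoise report or this article: a small Python script that parses common/combined-format access log lines, percent-decodes the request path repeatedly (so single- and double-encoded traversal sequences are exposed), flags any request whose path contains a ".." segment, and records whether the server answered with a 2xx status, which is the signal that a file was actually served rather than rejected. The log lines, IP addresses and the plugin name "sample" are constructed for the example; the /public/plugins/ prefix reflects the plugin asset endpoint named in Grafana's own advisory for CVE-2021-43798.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). The IPs, timestamps
# and plugin name are made up for this example; they are not from the report.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Sep/2025:10:14:02 +0000] "GET /public/plugins/sample/../../../../../etc/passwd HTTP/1.1" 200 1837 "-" "curl/8.0"
203.0.113.11 - - [28/Sep/2025:10:14:05 +0000] "GET /public/plugins/sample/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1837 "-" "python-requests/2.31"
203.0.113.12 - - [28/Sep/2025:10:14:09 +0000] "GET /public/plugins/sample/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 29 "-" "-"
198.51.100.7 - - [28/Sep/2025:10:15:00 +0000] "GET /api/dashboards/home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [28/Sep/2025:10:15:03 +0000] "GET /public/build/app.js HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
"""

# Matches "<ip> <ident> <user> [<timestamp>] "<method> <path> <proto>" <status> ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_fully(path, max_rounds=3):
    """Percent-decode until stable so double encoding (%252e -> %2e -> .) is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if the decoded path contains a '..' segment (forward or back slashes)."""
    decoded = decode_fully(path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_requests(log_text):
    """Return one record per request whose path carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        raw_path = match.group("path")
        if not is_traversal(raw_path):
            continue
        status = int(match.group("status"))
        hits.append({
            "ip": match.group("ip"),
            "timestamp": match.group("ts"),
            "status": status,
            "path": raw_path,
            "decoded": decode_fully(raw_path),
            # A 2xx answer means the server returned content for the traversal
            # request, i.e. the targeted file was most likely disclosed.
            "served": 200 <= status < 300,
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        flag = "FILE SERVED" if hit["served"] else "rejected"
        print(f'{hit["ip"]} {hit["timestamp"]} {hit["status"]} {flag}: {hit["decoded"]}')
```

Run the script against an exported Grafana or reverse-proxy access log instead of SAMPLE_LOG. Hits with a 2xx status deserve priority, since they indicate the traversal reached a file; 4xx hits still confirm that the host was being probed and that the source IP belongs on the block list. One caveat: a reverse proxy that normalises paths before forwarding will both neutralise the request and log the already-cleaned path, so review the log of whichever component first received the raw request.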
Security teams interested in detailed network signatures used during this campaign can reach out to GreyNoise support for JA4+ fingerprints.
As attackers keep returning to old vulnerabilities, maintaining timely patches and vigilant monitoring remains the best defense.