diff --git a/embed/templates/systemd/system.service.tpl b/embed/templates/systemd/system.service.tpl
index 9503bb46cb..9b3f070eea 100644
--- a/embed/templates/systemd/system.service.tpl
+++ b/embed/templates/systemd/system.service.tpl
@@ -21,6 +21,9 @@ LimitCORE={{.LimitCORE}}
 LimitNOFILE=1000000
 LimitSTACK=10485760
+{{- if .GrantCapNetRaw}}
+AmbientCapabilities=CAP_NET_RAW
+{{- end}}
 User={{.User}}
 ExecStart={{.DeployDir}}/scripts/run_{{.ServiceName}}.sh
 {{- if eq .ServiceName "prometheus"}}
diff --git a/pkg/cluster/task/monitored_config.go b/pkg/cluster/task/monitored_config.go
index 60fb814d01..d6d0974595 100644
--- a/pkg/cluster/task/monitored_config.go
+++ b/pkg/cluster/task/monitored_config.go
@@ -105,6 +105,11 @@ func (m *MonitoredConfig) syncMonitoredSystemConfig(ctx context.Context, exec ct
 WithIOReadBandwidthMax(resource.IOReadBandwidthMax).
 WithIOWriteBandwidthMax(resource.IOWriteBandwidthMax)
+ // blackbox_exporter needs cap_net_raw to send ICMP ping packets
+ if comp == spec.ComponentBlackboxExporter {
+ systemCfg.GrantCapNetRaw = true
+ }
+
 if err := systemCfg.ConfigToFile(sysCfg); err != nil {
 return err
 }
diff --git a/pkg/cluster/template/systemd/system.go b/pkg/cluster/template/systemd/system.go
index 4f33400c53..51622b46cf 100644
--- a/pkg/cluster/template/systemd/system.go
+++ b/pkg/cluster/template/systemd/system.go
@@ -33,6 +33,7 @@ type Config struct {
 LimitCORE string
 DeployDir string
 DisableSendSigkill bool
+ GrantCapNetRaw bool
 // Takes one of no, on-success, on-failure, on-abnormal, on-watchdog, on-abort, or always.
 // The Template set as always if this is not setted.
 Restart string
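Review bot: In system.service.tpl the new `AmbientCapabilities=CAP_NET_RAW` line is emitted on its own, with nothing that bounds what the service may hold or acquire. Because `ExecStart` launches a shell wrapper (`run_{{.ServiceName}}.sh`), the ambient capability is inherited by every process that script starts, not only the exporter binary. Consider emitting `CapabilityBoundingSet=CAP_NET_RAW` and `NoNewPrivileges=true` inside the same `{{- if .GrantCapNetRaw}}` block so the unit is limited to the one capability it needs. `AmbientCapabilities=` is only understood by systemd 229 and later, and older hosts warn and ignore the directive, so the minimum version should be documented or checked at deploy time.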
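Review bot: In the monitored_config.go hunk the capability is granted whenever `comp == spec.ComponentBlackboxExporter`, whether or not the deployment configures any ICMP probe. CAP_NET_RAW also allows raw and packet sockets in general, so every blackbox_exporter unit carries more privilege than the ping use case in the comment requires; an opt-out in the topology or monitored options (not visible in this hunk) would keep to least privilege. The flag is also set by direct field assignment while the settings just above use the `With…` builder chain, so a matching setter (for example a hypothetical `WithGrantCapNetRaw(bool)`) would keep the call site consistent. The body of syncMonitoredSystemConfig starts and ends outside the hunk.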
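Review bot: The new `GrantCapNetRaw` field in `Config` (system.go) has no comment, although among the fields visible in this hunk it is the only one that raises the privileges of the generated unit. A line such as `// GrantCapNetRaw adds AmbientCapabilities=CAP_NET_RAW to the rendered unit; set it only for services that need raw sockets.` above the field would make that visible to anyone reusing the struct. The struct definition continues outside the hunk.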