CVE-2023-41265
published 2023-08-29

Priority: P1 · 98 · critical 9.9 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-12-28
Exploited in the wild
EPSS: 84.97% (99.7th percentile)
An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

Affected

8 ranges
Vendor: qlik · Product: qlik_sense · 8 version ranges (the version-range and fixed-in columns are empty here; the fixed releases are named in the description above)

Detection & IOCs (extracted from sources)

Paths:
  • /resources/qmc/fonts/CVE-2023-41265.ttf
  • /resources/qmc/fonts/
  • /qrs/
Snort/Suricata rule (CVE-2023-48365 tunneling bypass):
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Qlik Sense Enterprise HTTP Request Tunneling Attempt (CVE-2023-48365)"; flow:established,to_server; content:"POST /qrs/"; pcre:"/^(?:ExternalProgramTask\x2fcreate|user)/R"; content:"|3f|xrfkey|3d|"; within:50; content:"X-Qlik-xrfkey|3a 20|"; nocase; distance:0; content:"X-Qlik-user|3a 20|"; distance:0; nocase; http.method; content:"HEAD"; http.cookie; content:"X-Qlik-Session|3d|"; http.header_names; content:"|0d 0a|X-Qlik-Xrfkey|0d 0a|"; fast_pattern; http.header; content:"Transfer-Encoding|3a 20 2c 09|chunked|2c 0d 0a|"; reference:url,www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve,2023-48365; classtype:attempted-admin; sid:2059793; rev:1;)
Snort/Suricata rule (CVE-2023-41266 path traversal):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via Path Traversal (CVE-2023-41266)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Qlik-"; fast_pattern; http.uri.raw; content:"/resources/qmc/fonts/"; startswith; content:".ttf"; endswith; reference:url,praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve,2023-41266; classtype:web-application-attack; sid:2048366; rev:1;)
Snort/Suricata rule (CVE-2023-41265 tunneling payload):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via HTTP Request Tunneling Payload (CVE-2023-41265)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Qlik-"; fast_pattern; http.content_len; bsize:1; content:"0"; endswith; http.request_body; bsize:>0; reference:url,praetorian.com/blog/qlik-sense-technical-exploit/; reference:cve,2023-41265; reference:url,praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; classtype:web-application-attack; sid:2048365; rev:3;)
Bytes: Transfer-Encoding: ,\x09chunked
  • HTTP Request Tunneling exploit sends a POST request with header 'X-Qlik-' present, Content-Length of exactly 1 byte set to '0', but a non-empty request body — indicating a smuggled/tunneled inner request
  • Tunneling bypass (CVE-2023-48365 / DoubleQlik) uses a malformed Transfer-Encoding header value of ',\x09chunked' (comma + tab before 'chunked') to evade the original patch
  • Exploit targets /qrs/ endpoints, specifically ExternalProgramTask/create or user paths, with HEAD method tunneled inside, and X-Qlik-Session cookie present
  • Path traversal component of the chained attack (CVE-2023-41266) uses POST requests to /resources/qmc/fonts/*.ttf URIs with X-Qlik- headers; discovery command output is redirected into .TTF files
  • Post-exploitation: attackers use BITS (Background Intelligent Transfer Service) and PowerShell to download tools; rclone is disguised as svchost.exe for data exfiltration; Plink renamed to putty.exe for RDP tunneling
  • Shodan/FOFA fingerprinting: Qlik Sense instances can be identified by favicon hash -74348711, HTML containing 'Qlik', or title 'qlik-sense'
  • Nuclei probe expects HTTP 400 response with Set-Cookie header containing 'x-qlik-session' and 'Bad Request' in response headers as confirmation of vulnerable tunneling behavior
  • Cactus ransomware uses ManageEngine UEMS executables disguised as Qlik files for persistence after exploiting CVE-2023-41265
  • Attackers uninstall Sophos antivirus and change the administrator password as defense evasion steps following initial exploitation
  • The Snort rule for CVE-2023-48365 (sid:2059793) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to be effective in encrypted traffic environments.
  • The Nuclei template uses 'unsafe: true' mode to send a raw HTTP/1.1 request with both Content-Length and Transfer-Encoding headers simultaneously, which standard HTTP clients would reject; ensure the scanner supports unsafe raw request mode.

CVSS provenance

NVD (CVSS v3.1): 9.9 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
VulnCheck: 9.6 CRITICAL
CISA: 9.9 CRITICAL