CVE-2023-41266
published 2023-08-29
CVE-2023-41266: A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier…
Priority P189 · medium 6.5 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:L I:L A:N
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2023-12-28)
Exploited in the wild
EPSS: 84.97% (99.7th percentile)
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qlik | qlik_sense | — | — |
| qlik | qlik_sense | — | — |
| qlik | qlik_sense | — | — |
| qlik | qlik_sense | — | — |
Detection & IOCs (extracted from sources)
Path: /resources/qmc/fonts/
Snort rule:
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via Path Traversal (CVE-2023-41266)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Qlik-"; fast_pattern; http.uri.raw; content:"/resources/qmc/fonts/"; startswith; content:".ttf"; endswith; reference:url,praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve,2023-41266; classtype:web-application-attack; sid:2048366; rev:1; metadata:affected_product Qlik_Sense_Enterprise, created_at 2023_09_29, cve CVE_2023_41266, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_09_29, reviewed_at 2023_09_29, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
```
- Exploit requests use HTTP POST with an 'X-Qlik-' header and a URI starting with '/resources/qmc/fonts/' and ending with '.ttf'; the path traversal payload traverses out of the fonts directory to reach unauthorized QRS endpoints.
- Successful exploitation results in an anonymous session cookie being set; look for 'x-qlik-session' in Set-Cookie response headers alongside HTTP 400 responses containing 'The comparison expression does not consist of three elements'.
- Post-exploitation discovery command output is redirected into .TTF files, likely to exfiltrate results via the path traversal vulnerability; monitor for unusual .TTF files containing non-font data.
- The Qlik Sense Scheduler service spawning unexpected child processes (PowerShell, BITS transfers) is a strong indicator of exploitation.
- Shodan/FOFA fingerprinting: exposed Qlik Sense instances can be identified via favicon hash -74348711, HTML containing 'qlik', or page title 'qlik-sense'.
- Attackers uninstall Sophos antivirus as a defense evasion step; monitor for Sophos removal events on Qlik Sense hosts.
- Caveat: the Nuclei template uses a fixed xrfkey value ('1333333333333337') and session UUID ('13333333-3333-3333-3333-333333333337') for PoC detection; real attacker requests may use different values for these fields.
- Caveat: the Snort rule (sid:2048366) fires on POST requests; however, the path traversal can also be triggered via GET, and the GET-based Nuclei PoC uses the same /resources/qmc/fonts/ path prefix with a .ttf suffix.
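As an added defensive example (not code from this page, from Emerging Threats/Proofpoint, or from Qlik), the Python below re-implements the four conditions of the Snort rule sid:2048366 over parsed HTTP request heads, widens the method check to GET in line with the caveat above, and checks the response-side indicator (an x-qlik-session cookie set together with a 400 carrying the 'comparison expression' error text). The dot-dot check is an assumption beyond the ET rule, the sample requests are constructed, and the traversal target in them is a placeholder rather than a real endpoint.

```python
"""Mirror of the conditions in ET sid:2048366 (CVE-2023-41266) applied to
parsed HTTP request heads, plus the response-side indicator from the page.
Added example; sample requests are constructed, not captured traffic."""
import re
from dataclasses import dataclass

FONT_PREFIX = "/resources/qmc/fonts/"
FONT_SUFFIX = ".ttf"
# Assumption beyond the ET rule: also look for dot-dot segments (plain or
# percent-encoded) so analysts can separate traversal-shaped URIs from
# ordinary font fetches that merely share the prefix and suffix.
TRAVERSAL = re.compile(r"(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)", re.IGNORECASE)
ANON_SESSION_BODY = "The comparison expression does not consist of three elements"


@dataclass
class HttpRequest:
    method: str
    uri: str        # raw request-target, the buffer Snort's http.uri.raw inspects
    headers: dict   # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse a CRLF-delimited HTTP/1.x request head into method, URI and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers)


def evaluate_request(req: HttpRequest, methods=("POST", "GET")) -> list:
    """Return which conditions the request satisfies. The ET rule only matches
    POST; `methods` defaults to POST and GET per the note that the traversal
    can also be triggered via GET."""
    hits = []
    if req.method in methods:
        hits.append("method")
    if any(name.startswith("x-qlik-") for name in req.headers):
        hits.append("x-qlik-header")
    if req.uri.startswith(FONT_PREFIX):
        hits.append("fonts-prefix")
    if req.uri.endswith(FONT_SUFFIX):
        hits.append("ttf-suffix")
    if TRAVERSAL.search(req.uri):
        hits.append("dot-dot")  # extra signal, not part of sid:2048366
    return hits


def is_alert(req: HttpRequest, methods=("POST", "GET")) -> bool:
    """True when all four conditions of the ET rule (method widened) are met."""
    needed = {"method", "x-qlik-header", "fonts-prefix", "ttf-suffix"}
    return needed.issubset(evaluate_request(req, methods))


def response_indicates_anon_session(status: int, headers: dict, body: str) -> bool:
    """Response-side indicator from the page: a 400 carrying the 'comparison
    expression' error text while an x-qlik-session cookie is being set."""
    cookie = headers.get("set-cookie", "")
    return status == 400 and "x-qlik-session" in cookie.lower() and ANON_SESSION_BODY in body


# Constructed samples. The traversal target is a placeholder, not a real endpoint.
SAMPLES = {
    "benign_font": "GET /resources/qmc/fonts/open-sans.ttf HTTP/1.1\r\n"
                   "Host: qlik.example\r\n\r\n",
    "post_traversal": "POST /resources/qmc/fonts/../../../PLACEHOLDER-ENDPOINT/x.ttf HTTP/1.1\r\n"
                      "Host: qlik.example\r\nX-Qlik-Xrfkey: PLACEHOLDER\r\n\r\n",
    "get_traversal": "GET /resources/qmc/fonts/..%2f..%2f..%2fPLACEHOLDER-ENDPOINT/x.ttf HTTP/1.1\r\n"
                     "Host: qlik.example\r\nX-Qlik-Xrfkey: PLACEHOLDER\r\n\r\n",
}


def scan_samples(methods=("POST", "GET")) -> dict:
    """Verdict per sample: the benign font fetch stays quiet, the two
    traversal-shaped requests alert (the GET one only when GET is included)."""
    return {name: is_alert(parse_request(raw), methods) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:15s} alert={verdict} hits={evaluate_request(parse_request(SAMPLES[name]))}")
```

Running the block prints one verdict per sample; calling `scan_samples(("POST",))` reproduces the ET rule's POST-only behaviour and shows the GET-shaped request slipping past it, which is the gap the caveat above describes.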
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| VulnCheck | 8.2 | HIGH | |
| CISA | 6.5 | MEDIUM | |
GHSA
GHSA-fxf5-c62c-5f69 (ghsa_unreviewed · 2023-08-30): CVE-2023-41266 [MEDIUM] CWE-20
VulnCheck
Qlik Sense Path Traversal Vulnerability (vulncheck · 2023 · CVSS 8.2): CVE-2023-41266 [HIGH] CWE-20
Qlik Sense contains a path traversal vulnerability that allows a remote, unauthenticated attacker to create an anonymous session by sending maliciously crafted HTTP requests. This anonymous session could allow the attacker to send further requests to unauthorized endpoints.
Affected: Qlik Sense
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://research.checkpoint.com/2024/magnet-goblin-targets-pu
CISA
Qlik Sense Path Traversal Vulnerability (cisa · 2023-12-07 · CVSS 6.5): CVE-2023-41266 [MEDIUM] CWE-20
Affected: Qlik Sense
Qlik Sense contains a path traversal vulnerability that allows a remote, unauthenticated attacker to create an anonymous session by sending maliciously crafted HTTP requests. This anonymous session could allow the attacker to send further requests to unauthorized endpoints.
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Notes:
- https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801
- https://nvd.nist.gov/vuln/detail/CVE-2023-41266
Remediation Due Date: 2023-12-28
Suricata
ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via Path Traversal (CVE-2023-41266) (suricata · 2023-09-29 · CVSS 8.2): CVE-2023-41266 [HIGH]
Rule:
```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Possible DoubleQlik RCE via Path Traversal (CVE-2023-41266)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-Qlik-"; fast_pattern; http.uri.raw; content:"/resources/qmc/fonts/"; startswith; content:".ttf"; endswith; reference:url,praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve,2023-41266; classtype:web-application-attack; sid:2048366; rev:1; metadata:affected_product Qlik_Sense_Enterprise, created_at 2023_09_29, cve CVE_2023_41266, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generate
```
Nuclei
Qlik Sense Enterprise - Path Traversal (nuclei · CVSS 6.5): CVE-2023-41266 [MEDIUM]
Template:
```yaml
id: CVE-2023-41266
info:
  name: Qlik Sense Enterprise - Path Traversal
  author: AdamCrosser
  severity: medium
  description: A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 P
```
Bleepingcomputer
blogs_bleepingcomputer · 2024-03-09 · CVSS 9.8 · [CRITICAL]
## Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
By Bill Toulas
A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems.
1-day flaws refer to publicly disclosed vulnerabilities for which a patch has been released. Threat actors looking to exploit these flaws must do so quickly before a target can apply security updates.
Though exploits are usually not made available immediately upon a flaw's disclosure, some vulnerabilities are trivial to figure out how to leverage. Additionally, reverse-engineering the patch may reveal the underlying problem and how to exploit it.
Check Point analysts who identified Magnet Goblin report that these threat act
Checkpoint
blogs_checkpoint · 2024-03-08 · CVSS 4.9 · CVE-2024-21887 [MEDIUM]
## Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
## Key Points
Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vuln
Bleepingcomputer
blogs_bleepingcomputer · 2023-11-30 · CVSS 9.6 · [CRITICAL]
## Cactus ransomware exploiting Qlik Sense flaws to breach networks
By Bill Toulas
Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks.
Qlik Sense supports multiple data sources and allows users to create custom data reports or interactive visualizations that can serve in decision making processes. The product can work both locally or in the cloud.
In late August, the vendor released security updates for two critical vulnerabilities affecting the Windows version of the platform. One of the vulnerabilities, a path traversal bug tracked as CVE-2023-41266, could be exploited to generate anonymous sessions and perform HTTP requests to unauthorized endpoints.
The second issue, tracked as CVE-2
References:
- https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801
- https://community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41266
Timeline:
- 2023-08-29: Published
- 2023-12-07: Added to CISA KEV
- Exploited in the wild