CVE-2023-48365
Published 2023-11-15
Priority: P1 (97) · critical · 9.9 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2025-02-03
Exploited in the wild
EPSS: 24.68% (97.6th percentile)
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qlik | qlik_sense | — | — |
Detection & IOCs (extracted from sources)
url: POST /qrs/
cookie: X-Qlik-Session=
path: /qrs/ExternalProgramTask/create
- The HTTP tunneling exploit is identified by a malformed Transfer-Encoding header value containing a comma and horizontal tab before 'chunked' (Transfer-Encoding: ,\x09chunked,\r\n), which bypasses header validation.
- Exploit requests include both X-Qlik-xrfkey and X-Qlik-user headers alongside an X-Qlik-Session cookie, and target /qrs/ExternalProgramTask/create or /qrs/user endpoints with an xrfkey query parameter.
- Post-exploitation: attackers use PowerShell and BITS to download tools, and redirect discovery command output into .TTF files. Monitor for unusual .TTF file writes from Qlik Sense Scheduler service processes.
- Post-exploitation: monitor for the Qlik Sense Scheduler service spawning unexpected child processes, as attackers exploit the flaw to cause it to initiate new processes.
- The Snort/Suricata rule (sid:2059793) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to be effective against HTTPS-protected Qlik Sense instances.
- The vulnerability only affects Qlik Sense Enterprise for Windows; cloud-hosted instances have a different attack surface.
CVSS provenance
nvd (v3.1): 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vulncheck: 9.6 CRITICAL
cisa: 9.9 CRITICAL
GHSA
GHSA-2cxf-f44j-gqqf: Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683
ghsa_unreviewed · 2023-11-16 · CVSS 9.6 · CRITICAL · CWE-444
VulnCheck
Qlik Sense HTTP Tunneling Vulnerability
vulncheck · 2023 · CVSS 9.6 · CRITICAL · CWE-444
Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.
Affected: Qlik Sense
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/; https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/; https://northwave-cybersecurity.com/whitepapers-articles/pricksense-how-cactus-exploits-qlik-sense; https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/2024_Trustwa
CISA
Qlik Sense HTTP Tunneling Vulnerability
cisa · 2025-01-13 · CVSS 9.9 · CRITICAL · CWE-444
Affected: Qlik Sense
Notes: https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510 ; https://nvd.nist.gov/vuln/detail/CVE-2023-48365
Remediation Due Date: 2025-02-03
Suricata
ET WEB_SPECIFIC_APPS Qlik Sense Enterprise HTTP Request Tunneling Attempt (CVE-2023-48365)
suricata · 2025-01-31 · CVSS 9.6 · CRITICAL
Rule: alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Qlik Sense Enterprise HTTP Request Tunneling Attempt (CVE-2023-48365)"; flow:established,to_server; content:"POST /qrs/"; pcre:"/^(?:ExternalProgramTask\x2fcreate|user)/R"; content:"|3f|xrfkey|3d|"; within:50; content:"X-Qlik-xrfkey|3a 20|"; nocase; distance:0; content:"X-Qlik-user|3a 20|"; distance:0; nocase; http.method; content:"HEAD"; http.cookie; content:"X-Qlik-Session|3d|"; http.header_names; content:"|0d 0a|X-Qlik-Xrfkey|0d 0a|"; fast_pattern; http.header; content:"Transfer-Encoding|3a 20 2c 09|chunked|2c 0d 0a|"; reference:url,www.praetorian.com/blog/doubleqlik-bypassing-the-original-fix-for-cve-2023-41265/; reference:cve
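Added example, not code from this page, from Qlik, or from the Emerging Threats rule author: a Python checker that re-expresses the indicators in the Detection & IOCs bullets and the ET rule above as detection logic over decrypted request captures (like the rule, it needs plaintext HTTP, so TLS must be terminated or decrypted first). The hostnames, xrfkey values and session ids are placeholders, and the two sample requests are constructed to show why the malformed Transfer-Encoding value, not the X-Qlik headers or /qrs/ path alone, is the discriminating signal.

```python
import re

# Indicators taken from this page's Detection & IOCs bullets and the ET rule (sid:2059793):
# a malformed Transfer-Encoding value (comma + horizontal tab before 'chunked'), a tunneled
# POST to /qrs/ExternalProgramTask/create or /qrs/user with an xrfkey query parameter,
# the X-Qlik-xrfkey and X-Qlik-user headers, and an X-Qlik-Session cookie.
MALFORMED_TE = re.compile(rb"^Transfer-Encoding: ,\tchunked,\r\n", re.I | re.M)
TUNNELED_QRS = re.compile(
    rb"POST /qrs/(?:ExternalProgramTask/create|user)\b[^\r\n]{0,50}?\?xrfkey=", re.I)
XRFKEY_HEADER = re.compile(rb"^X-Qlik-xrfkey:", re.I | re.M)
USER_HEADER = re.compile(rb"^X-Qlik-user:", re.I | re.M)
SESSION_COOKIE = re.compile(rb"^Cookie:[^\r\n]*X-Qlik-Session=", re.I | re.M)


def indicators(raw: bytes) -> dict:
    """Report which indicators a single decrypted HTTP request (headers + body) shows."""
    return {
        "malformed_transfer_encoding": bool(MALFORMED_TE.search(raw)),
        "tunneled_qrs_request": bool(TUNNELED_QRS.search(raw)),
        "qlik_xrfkey_and_user_headers": bool(XRFKEY_HEADER.search(raw) and USER_HEADER.search(raw)),
        "qlik_session_cookie": bool(SESSION_COOKIE.search(raw)),
    }


def is_tunneling_attempt(raw: bytes) -> bool:
    """Alert only when the malformed Transfer-Encoding and a tunneled /qrs/ request coincide.

    Legitimate Qlik hub traffic also carries X-Qlik-* headers, the session cookie and /qrs/
    paths, so those alone are context, not a verdict (this mirrors the ET rule's AND logic).
    """
    hits = indicators(raw)
    return hits["malformed_transfer_encoding"] and hits["tunneled_qrs_request"]


# Constructed samples for this example, not real captures; all values are placeholders.
BENIGN = (b"POST /qrs/user?xrfkey=0123456789abcdef HTTP/1.1\r\n"
          b"Host: qlik.example.internal\r\n"
          b"X-Qlik-Xrfkey: 0123456789abcdef\r\n"
          b"Cookie: X-Qlik-Session=00000000-0000-0000-0000-000000000000\r\n"
          b"Content-Type: application/json\r\n\r\n{}")
SUSPECT = (b"HEAD / HTTP/1.1\r\n"
           b"Host: qlik.example.internal\r\n"
           b"X-Qlik-Xrfkey: 0123456789abcdef\r\n"
           b"Cookie: X-Qlik-Session=00000000-0000-0000-0000-000000000000\r\n"
           b"Transfer-Encoding: ,\tchunked,\r\n\r\n"
           b"POST /qrs/ExternalProgramTask/create?xrfkey=0123456789abcdef HTTP/1.1\r\n"
           b"X-Qlik-xrfkey: 0123456789abcdef\r\n"
           b"X-Qlik-user: <placeholder>\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, is_tunneling_attempt(req), indicators(req))
```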
No public exploits indexed.
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Bleepingcomputer
Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
blogs_bleepingcomputer · 2024-03-09 · CVSS 9.8 · CRITICAL
Bill Toulas
A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems.
1-day flaws refer to publicly disclosed vulnerabilities for which a patch has been released. Threat actors looking to exploit these flaws must do so quickly before a target can apply security updates.
Though exploits are usually not made available immediately upon a flaw's disclosure, some vulnerabilities are trivial to figure out how to leverage. Additionally, reverse-engineering the patch may reveal the underlying problem and how to exploit it.
Check Point analysts who identified Magnet Goblin report that these threat act
Checkpoint
Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities
blogs_checkpoint · 2024-03-08 · CVE-2024-21887 · CVSS 4.9 · MEDIUM
Key Points
Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vuln
Bleepingcomputer
Cactus ransomware exploiting Qlik Sense flaws to breach networks
blogs_bleepingcomputer · 2023-11-30 · CVSS 9.6 · CRITICAL
Bill Toulas
Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks.
Qlik Sense supports multiple data sources and allows users to create custom data reports or interactive visualizations that can serve in decision making processes. The product can work both locally or in the cloud.
In late August, the vendor released security updates for two critical vulnerabilities affecting the Windows version of the platform. One of the vulnerabilities, a path traversal bug tracked as CVE-2023-41266, could be exploited to generate anonymous sessions and perform HTTP requests to unauthorized endpoints.
The second issue, tracked as CVE-2
Greynoiseio
NoiseLetter January 2025
blogs_greynoiseio
References
- https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-48365
Published: 2023-11-15
Added to CISA KEV: 2025-01-13
Exploited in the wild