Date of Disclosure (source): September 20, 2023 (Security advisory released by vendor)
Date Reported as Actively Exploited (source): January 13, 2025
CVE-2023-48365 is a critical vulnerability in Qlik Sense Enterprise for Windows with a CVSS score of 9.9. Every release line up to and including the following patch levels is affected (the next patch on each line contains the fix):
- August 2023 Patch 1
- May 2023 Patch 5
- February 2023 Patch 9
- November 2022 Patch 11
- August 2022 Patch 13
- May 2022 Patch 15
- February 2022 Patch 14
- November 2021 Patch 16
If successfully exploited, this vulnerability could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE).
Qlik patched this vulnerability in September 2023, over a year ago, and at the time warned that it might be targeted by malicious actors. Despite that warning, the CVE was only added to CISA's Known Exploited Vulnerabilities (KEV) catalog this week, on January 13, 2025.
| Field | Details |
| --- | --- |
| CVE-ID | CVE-2023-48365 – CVSS 9.9 (critical) – assigned by NVD |
| Vulnerability Description | Because HTTP headers are not properly validated, a remote attacker can elevate privileges by tunneling HTTP requests, causing them to be executed against the backend server that hosts the repository application. |
| Date of Disclosure | September 20, 2023 (security advisory released by vendor) |
| Affected Assets | Qlik Sense Enterprise for Windows |
| Vulnerable Software Versions | All versions prior to and including: August 2023 Patch 1, May 2023 Patch 5, February 2023 Patch 9, November 2022 Patch 11, August 2022 Patch 13, May 2022 Patch 15, February 2022 Patch 14, November 2021 Patch 16 |
| PoC Available? | No public exploits were observed at the time of writing. |
| Exploitation Status | Actively exploited; added to CISA KEV on January 13, 2025. |
| Patch Status | Qlik released patches for each affected release line in its security advisory of September 2023. |
Censys Perspective
At the time of writing, Censys observed 11,185 exposed Qlik Sense instances online. A large proportion of these (26%) are geolocated in the United States. Not every observed instance is necessarily vulnerable: our scan data does not include version information, so the exposure count should not be read as a count of vulnerable hosts.
Although we cannot determine the version directly from our scan data, exposed instances often reveal version, release, and deployment type information at the following URI:
https://[exposed-instance]/resources/autogenerated/product-info.js?
This URI is not always publicly accessible on exposed instances, and the release label alone does not establish which patch level is installed, so confirm the patch level before treating a host as vulnerable or fixed.
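The following script is an added example (not Censys' or Qlik's code) showing how a defender could use that URI to triage a host: it parses the JSON object out of product-info.js, reads the release label, and compares it with the affected release lines and patch levels listed above. It assumes product-info.js assigns a single JSON object (for example `var ProductInfo = {...};`) with `releaseLabel`, `version` and `deploymentType` fields, possibly nested under `composition`; the sample response embedded below is constructed for the example, including its version number, and the `fetch_product_info` helper is only there for live use.

```python
"""Check which Qlik Sense release line an exposed instance reports, and whether
that line falls inside the range CVE-2023-48365 affects.

Added example, not Censys' or Qlik's code. Assumes product-info.js assigns one
JSON object (e.g. 'var ProductInfo = {...};') whose fields include releaseLabel,
version and deploymentType, possibly nested under "composition".
"""
import json
import ssl
import urllib.request
from typing import Optional, Tuple

PRODUCT_INFO_PATH = "/resources/autogenerated/product-info.js"

# Last vulnerable patch level on each affected release line (from the advisory).
# Anything older than November 2021 is also affected; later patches are fixed.
LAST_VULNERABLE_PATCH = {
    "August 2023": 1,
    "May 2023": 5,
    "February 2023": 9,
    "November 2022": 11,
    "August 2022": 13,
    "May 2022": 15,
    "February 2022": 14,
    "November 2021": 16,
}
MONTHS = {"February": 2, "May": 5, "August": 8, "November": 11}

# Constructed sample of a product-info.js response (the version string is made up).
SAMPLE_PRODUCT_INFO_JS = (
    'var ProductInfo = {"composition": {"productName": "Qlik Sense", '
    '"releaseLabel": "February 2023", "version": "14.97.3", '
    '"deploymentType": "QlikSenseServer"}};'
)


def release_key(label: str) -> Tuple[int, int]:
    """'February 2023' -> (2023, 2) so release lines can be ordered."""
    month, year = label.split()
    return int(year), MONTHS[month]


OLDEST_LISTED = release_key("November 2021")
NEWEST_LISTED = release_key("August 2023")


def extract_product_info(js_text: str) -> dict:
    """Pull the JSON object out of the JavaScript wrapper and pick the fields we need."""
    start, end = js_text.find("{"), js_text.rfind("}")
    if start == -1 or end < start:
        raise ValueError("no JSON object found in product-info.js")
    obj = json.loads(js_text[start:end + 1])
    fields = obj.get("composition", obj) if isinstance(obj, dict) else {}
    return {
        "release": fields.get("releaseLabel"),
        "version": fields.get("version"),
        "deployment": fields.get("deploymentType"),
    }


def assess(info: dict, patch: Optional[int] = None) -> str:
    """Classify the release line. The patch level is not in product-info.js, so the
    operator supplies it (from Qlik's release notes) for a definitive answer;
    without it the most we can say is 'possibly vulnerable'."""
    release = info.get("release")
    if not release:
        return "unknown: no release label in product-info.js"
    try:
        key = release_key(release)
    except (ValueError, KeyError):
        return f"unknown: unrecognised release label {release!r}"
    if key < OLDEST_LISTED:
        return f"vulnerable: {release} predates every listed fix"
    if key > NEWEST_LISTED:
        return f"not affected: {release} is newer than August 2023"
    last_bad = LAST_VULNERABLE_PATCH.get(release)
    if last_bad is None:
        return f"unknown: {release} is not a listed release line"
    if patch is None:
        return f"possibly vulnerable: {release} is affected up to Patch {last_bad}; confirm patch level"
    if patch <= last_bad:
        return f"vulnerable: {release} Patch {patch} is at or below Patch {last_bad}"
    return f"patched: {release} Patch {patch} is above Patch {last_bad}"


def fetch_product_info(host: str, timeout: float = 10.0, verify_tls: bool = True) -> dict:
    """Network helper (not exercised offline): GET product-info.js from an exposed
    instance. Raises urllib.error.HTTPError when the URI is not publicly accessible."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # allow instances that present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}{PRODUCT_INFO_PATH}"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return extract_product_info(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    info = extract_product_info(SAMPLE_PRODUCT_INFO_JS)
    print(info)
    for patch in (None, 9, 10):
        print(assess(info, patch))
```

Run against a live host with `assess(fetch_product_info("hostname"), patch=N)` once the patch level has been read from the server's release notes or Qlik Management Console; an HTTP 401/403 on the URI simply means the host is one where product-info.js is not publicly accessible, not that it is safe.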
Map of Exposed Qlik Sense Instances
Censys Search Query: (Note that this fingerprint was recently deployed and results may take 24 hours to fully propagate.)
services.software: (vendor="Qlik" and product="Qlik Sense") and not labels: {honeypot, tarpit}
Censys ASM Query:
host.services.software: (vendor="Qlik" and product="Qlik Sense") or web_entity.instances.software: (vendor="Qlik" and product="Qlik Sense") and not host.labels: {honeypot, tarpit}