Advisory

January 15 Advisory: Qlik Sense RCE Vulnerability Added to CISA KEV [CVE-2023-48365]

Date of Disclosure (source): September 20, 2023 (Security advisory released by vendor)
Date Reported as Actively Exploited (source): January 13, 2025

CVE-2023-48365 is a critical vulnerability affecting Qlik Sense Enterprise for Windows with a CVSS score of 9.9. All versions prior to and including these releases are impacted: 

  • August 2023 Patch 1
  • May 2023 Patch 5
  • February 2023 Patch 9
  • November 2022 Patch 11
  • August 2022 Patch 13
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16

If successfully exploited, this vulnerability could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE).

Qlik patched this vulnerability over a year ago, in September 2023, and warned the community at the time that it might be targeted by malicious actors. Despite this, the vulnerability was only added to CISA's list of Known Exploited Vulnerabilities (KEV) this week, on January 13, 2025.

CVE-ID: CVE-2023-48365 – CVSS 9.9 (critical) – assigned by NVD
Vulnerability Description: Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application.
Date of Disclosure: September 20, 2023 (Security advisory released by vendor)
Affected Assets: Qlik Sense Enterprise for Windows
Vulnerable Software Versions: All versions prior to and including these releases are impacted:

  • August 2023 Patch 1
  • May 2023 Patch 5
  • February 2023 Patch 9
  • November 2022 Patch 11
  • August 2022 Patch 13
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16

PoC Available?: No public exploits were observed at the time of writing.
Exploitation Status: This vulnerability is being actively exploited and was added to CISA KEV on January 13, 2025.
Patch Status: Qlik released patches for each of the affected releases in its security advisory published in September 2023.

Censys Perspective

At the time of writing, Censys observed 11,185 exposed Qlik Sense instances online. A large proportion of these (26%) are geolocated in the United States. Note that not all of the instances observed are necessarily vulnerable, as our scan data does not include specific version information.

While we are not able to detect version directly from our scan data, exposed instances often display version, release, and deployment type information at the following URI:

https://[exposed-instance]/resources/autogenerated/product-info.js?

Please note that this URI is not always publicly accessible on exposed instances. 
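As an added triage helper (not part of the Censys advisory or Qlik's own tooling), this Python script encodes the affected-release list above and classifies a release string written in the advisory's own "Month YYYY Patch N" form, such as one read from an instance's product-info.js page. It generalizes the list as the advisory states it: any train older than November 2021 is affected at every patch level, and any train newer than August 2023 is not; the hostnames, sample inventory and release-string format are constructed assumptions.

```python
import re
# Ceiling patch level per release train, from the advisory's affected list: a train is
# affected at the listed patch and below, and any older train is affected at every patch.
AFFECTED_CEILING = {
    (2023, 8): 1, (2023, 5): 5, (2023, 2): 9, (2022, 11): 11,    # Aug 2023 P1 .. Nov 2022 P11
    (2022, 8): 13, (2022, 5): 15, (2022, 2): 14, (2021, 11): 16,  # Aug 2022 P13 .. Nov 2021 P16
}
NEWEST_LISTED = max(AFFECTED_CEILING)  # (2023, 8); later trains ship with the fix

MONTHS = {name: i for i, name in enumerate(["january", "february", "march", "april", "may", "june",
          "july", "august", "september", "october", "november", "december"], start=1)}

# Release strings in the advisory's own form, e.g. "May 2023 Patch 5"; a missing
# "Patch N" is read as the train's initial release (patch 0). Format is an assumption.
RELEASE_RE = re.compile(
    r"(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})(?:\s+Patch\s+(?P<patch>\d+))?", re.I)

def parse_release(text):
    """Return (year, month, patch) for a 'Month YYYY [Patch N]' string."""
    m = RELEASE_RE.search(text)
    if not m or m.group("month").lower() not in MONTHS:
        raise ValueError(f"unrecognised release string: {text!r}")
    patch = int(m.group("patch")) if m.group("patch") else 0
    return int(m.group("year")), MONTHS[m.group("month").lower()], patch

def is_affected(text):
    """True if the release is within the advisory's 'prior to and including' range."""
    year, month, patch = parse_release(text)
    train = (year, month)
    if train > NEWEST_LISTED:
        return False                     # e.g. November 2023: newer than any listed train
    if train in AFFECTED_CEILING:
        return patch <= AFFECTED_CEILING[train]
    return True                          # older than the listed trains: affected at every patch

def triage(inventory):
    """Map host -> affected verdict for (host, release) pairs, e.g. read from product-info.js."""
    return {host: is_affected(release) for host, release in inventory}

# Constructed sample inventory; hostnames and release strings are invented for the example.
SAMPLE_INVENTORY = [
    ("qlik-a.example.invalid", "August 2023 Patch 1"),   # ceiling of its train: affected
    ("qlik-b.example.invalid", "August 2023 Patch 2"),   # one patch later: fixed
    ("qlik-c.example.invalid", "August 2021 Patch 3"),   # older than any listed train
    ("qlik-d.example.invalid", "November 2023"),         # newer train, no patch suffix
]
if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'affected' if verdict else 'not affected'}")
```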

Map of Exposed Qlik Sense Instances

Censys Search Query: (Note that this fingerprint was recently deployed and results may take 24 hours to fully propagate.)

services.software: (vendor="Qlik" and product="Qlik Sense") and not labels: {honeypot, tarpit}

Censys ASM Query:

host.services.software: (vendor="Qlik" and product="Qlik Sense")
or web_entity.instances.software: (vendor="Qlik" and product="Qlik Sense") and not host.labels: {honeypot, tarpit}
