CVE-2023-41265 — Qlik Sense HTTP Tunneling Vulnerability

CVE-2023-41265

Qlik Sense Enterprise for Windows — Low-Privilege HTTP Request Tunneling Reaches Backend Services; Cactus Ransomware Exploitation; Predecessor to CVE-2023-48365 Bypass

What is Qlik Sense?

Qlik Sense Enterprise for Windows is a widely deployed business intelligence and data analytics platform used by organizations to create interactive dashboards, reports, and data visualizations from enterprise data sources. It runs as a multi-service application on Windows Server, exposing a web interface for end users and REST APIs for integration. Qlik Sense connects to databases, data warehouses, and cloud data sources — it often stores database credentials, API keys, and sensitive business data processed through its analytics engine. The Qlik Sense server-side processing infrastructure, when compromised, provides an attacker with access to all data ingested into the analytics platform.

Overview

CVE-2023-41265 is an HTTP request tunneling vulnerability in Qlik Sense Enterprise for Windows that allows a low-privilege authenticated attacker to tunnel arbitrary HTTP requests to the backend Qlik Sense Engine Service, bypassing authentication controls and reaching services that should not be directly accessible. Qlik patched it in August 2023, but attackers bypassed the fix — Qlik subsequently patched the bypass as CVE-2023-48365 in October 2023. Cactus ransomware operators actively exploited unpatched Qlik Sense instances to gain initial access, moving laterally through victim networks before deploying ransomware. CISA added CVE-2023-41265 to KEV in December 2023.

Affected Versions

Product                            Vulnerable                         Fixed
Qlik Sense Enterprise for Windows  May 2023 (Patch 3) and earlier     August 2023 patches: Patch 14 (Feb 2023 release), Patch 11 (Aug 2022 release), Patch 9 (May 2022 release)
Qlik Sense Enterprise for Windows  Patch bypass via CVE-2023-48365    October 2023 patches: Patch 16 (Feb 2023 release), Patch 13 (Aug 2022 release), Patch 11 (May 2022 release)

Qlik Sense Cloud is not affected — cloud tenants are managed by Qlik and receive updates automatically.

Technical Details

CWE-444 (Inconsistent Interpretation of HTTP Requests / HTTP Request Smuggling). Qlik Sense Enterprise uses a reverse proxy architecture where the frontend proxy routes requests to backend services including the Qlik Sense Engine Service, Repository Service, and other internal components. A flaw in how the proxy interprets chunked HTTP transfer encoding allows an attacker to smuggle additional HTTP requests inside a single proxied request — a technique known as HTTP request tunneling.

An attacker with low-level Qlik Sense credentials (a standard user account) can craft a specially formatted HTTP request that the frontend proxy interprets as a single valid request, but that the backend service processes as two separate requests. The tunneled inner request bypasses the proxy's authorization checks and reaches backend services as if it originated from an authenticated administrator. This allows privilege escalation from a standard Qlik user to full backend service access.
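The following Python check is an added illustration of the CWE-444 request-framing ambiguities described above; it is not Qlik's proxy code and does not reproduce the specific Qlik Sense defect. It shows the request shapes (RFC 7230 section 3.3.3) that a front-end proxy and a backend can interpret differently, and rejects them before anything is forwarded; the host and path in the constructed samples are placeholders.

```python
import re

# Added illustration of CWE-444 framing ambiguities (RFC 7230 section 3.3.3).
# Not Qlik's code and not a reproduction of the Qlik Sense defect: a strict
# front-end check that refuses requests a proxy and backend could frame differently.

CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]+(;.*)?$")

def parse_request(raw: bytes):
    """Split a raw request into (request line, [(raw header name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name, value.strip()))
    return lines[0], headers, body

def framing_problems(raw: bytes) -> list:
    """Return why a request should be refused; an empty list means framing is unambiguous."""
    _, headers, body = parse_request(raw)
    problems = []
    if any(name != name.strip() for name, _ in headers):
        problems.append("whitespace around a header name")  # defeats naive name matching
    norm = [(name.strip().lower(), value) for name, value in headers]
    te = [v for n, v in norm if n == b"transfer-encoding"]
    cl = [v for n, v in norm if n == b"content-length"]
    if te and cl:
        problems.append("both Transfer-Encoding and Content-Length present")
    if len(set(cl)) > 1:
        problems.append("conflicting duplicate Content-Length values")
    if any(not v.isdigit() for v in cl):
        problems.append("non-numeric Content-Length")
    if len(te) > 1:
        problems.append("multiple Transfer-Encoding headers")
    if any(v.lower() != b"chunked" for v in te):
        problems.append("non-canonical Transfer-Encoding value")
    if te and not problems and not CHUNK_SIZE_RE.match(body.split(b"\r\n", 1)[0]):
        problems.append("malformed first chunk-size line")
    return problems

# Constructed sample requests (not captured traffic); host and path are placeholders.
HEAD = b"POST /example/path HTTP/1.1\r\nHost: proxy.example\r\n"
CLEAN = HEAD + b"Content-Length: 11\r\n\r\nhello world"
CL_TE = HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
ODD_TE = HEAD + b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n"
BAD_CHUNK = HEAD + b"Transfer-Encoding: chunked\r\n\r\nzz\r\n\r\n"
SPACED = HEAD + b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n"
```

Only CLEAN passes; each of the other samples is rejected with the single reason its name suggests, which is the point of refusing rather than "best-effort" parsing ambiguous framing.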

The Scope Changed (S:C) rating reflects that the impact extends beyond the attacker's own Qlik user context to the broader backend infrastructure accessible through the tunneled requests.

CVE-2023-48365 is a bypass of the August 2023 patch — attackers adapted their technique to circumvent the initial fix, requiring a second patch cycle.

Discovery

The vulnerability was discovered by security researchers and reported to Qlik. The August 2023 advisory covered CVE-2023-41265 (HTTP tunneling) alongside CVE-2023-41266 (path traversal). The public disclosure accelerated attacker development of weaponized exploitation chains.

Exploitation Context

Cactus ransomware operators were the primary confirmed exploiters of CVE-2023-41265. Threat intelligence from Arctic Wolf and other security firms documented Cactus actors scanning for and exploiting internet-accessible Qlik Sense instances to establish initial footholds, then moving laterally through victim networks before deploying Cactus ransomware for data theft and encryption extortion.

The campaign targeted the gap between the August 2023 patch (for CVE-2023-41265) and the October 2023 patch (for the bypass, CVE-2023-48365): many organizations that had not applied the August patch, or had applied it without testing for the bypass, remained vulnerable into late 2023. The KEV deadline of December 28, 2023 reflects the active exploitation campaign during this period.

Remediation

  1. Apply Qlik Sense Enterprise for Windows October 2023 patches (addressing both CVE-2023-41265 and its bypass CVE-2023-48365) — the August 2023 patch alone is insufficient.
  2. Also apply patches for CVE-2023-48365, which bypassed the initial August 2023 fix — treat both CVEs as a single remediation requirement.
  3. Restrict Qlik Sense's web interface to authenticated corporate users — the platform should not be publicly internet-accessible without VPN or IP allowlisting.
  4. Review Qlik Sense access logs for unusual API requests, particularly requests from non-admin users reaching Engine Service or Repository Service endpoints.
  5. Check for signs of post-exploitation: new administrative accounts in Qlik Sense, unexpected data connections or app exports, or evidence of lateral movement tools deployed on the Qlik Sense server host.
  6. Rotate credentials stored in Qlik Sense data connections — database usernames and passwords, API keys, and cloud credentials that may have been accessible via the tunneled backend requests.

Key Details

Property                 Value
CVE ID                   CVE-2023-41265
Vendor / Product         Qlik — Sense
NVD Published            2023-08-29
NVD Last Modified        2025-10-31
CVSS 3.1 Score           9.6
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Severity                 CRITICAL
CWE                      CWE-444
CISA KEV Added           2023-12-07
CISA KEV Deadline        2023-12-28
Known Ransomware Use     Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2023-12-28. Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.

Timeline

Date        Event
2023-08-29  Qlik publishes advisory for CVE-2023-41265 and CVE-2023-41266; patches released for Sense Enterprise for Windows
2023-10-17  Qlik publishes advisory for CVE-2023-48365, a bypass of the CVE-2023-41265 patch
2023-11-01  Cactus ransomware group begins mass exploitation of unpatched Qlik Sense instances
2023-12-07  CISA adds CVE-2023-41265 to Known Exploited Vulnerabilities catalog
2023-12-28  CISA BOD 22-01 remediation deadline