CVE-2023-48365 — Qlik Sense HTTP Tunneling Vulnerability

Qlik Sense Enterprise for Windows — Authenticated HTTP Request Tunneling Bypasses Proxy to Reach Backend Services; Cactus Ransomware Exploitation; Follow-On to CVE-2023-41265

What is Qlik Sense?

Qlik Sense is an enterprise business intelligence and data analytics platform — a self-service BI tool used by organizations to create dashboards, analyze data, and visualize business metrics. Qlik Sense Enterprise for Windows is the self-hosted version, deployed on-premises by enterprises in finance, healthcare, retail, and manufacturing. Qlik Sense servers often have broad database connectivity (they need to reach data sources across the enterprise) and run with service-level privileges on Windows, making their compromise a valuable pivot point for lateral movement and credential harvesting.

Overview

CVE-2023-48365 is a critical HTTP tunneling vulnerability in Qlik Sense Enterprise for Windows that allows an authenticated attacker with low-privilege access (any valid Qlik account) to tunnel HTTP requests through the Qlik Sense proxy to reach internal backend services with elevated privileges. It is a follow-on to CVE-2023-41265, an earlier HTTP tunneling vulnerability whose August 2023 fix was incomplete. Cactus ransomware operators exploited both the original vulnerability and this bypass in targeted attacks against enterprise Qlik Sense deployments, as documented by Arctic Wolf in November 2023. CISA added CVE-2023-48365 to KEV in January 2025, over a year after the patch.

Affected Versions

Product                             Fixed Version
Qlik Sense Enterprise for Windows   November 2023 patch release and later

Technical Details

CWE-444 (Inconsistent Interpretation of HTTP Requests, HTTP Request Smuggling). The Qlik Sense Enterprise proxy component does not consistently validate HTTP requests before forwarding them to backend services. An attacker who can authenticate with a low-privilege Qlik account can craft HTTP requests that tunnel through the proxy to internal Qlik Sense backend services that are not intended to be publicly accessible. By reaching these backend services directly — bypassing the normal proxy authorization layer — the attacker can execute requests with elevated server-side privileges.
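The CWE-444 pattern described above, as a constructed model added here (not Qlik's code, and not a reproduction of the actual Qlik Sense flaw): a proxy that authorizes on the raw request path while the backend routes on a canonicalized one, beside the hardened form where both layers use the same canonical path and the backend enforces authorization itself. The route namespace `/internal/` and the roles are hypothetical.

```python
from urllib.parse import unquote

# Constructed model of CWE-444 in a proxy/backend pair: the proxy authorizes on one
# interpretation of the request path while the backend routes on another. It is not
# Qlik's code and does not reproduce the actual Qlik Sense flaw; names are hypothetical.
INTERNAL_PREFIX = "/internal/"   # hypothetical backend-only route namespace

def canonicalize(path: str) -> str:
    """Percent-decode once and collapse '.', '..' and empty segments."""
    parts = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def is_internal(path: str) -> bool:
    return path == INTERNAL_PREFIX.rstrip("/") or path.startswith(INTERNAL_PREFIX)

def vulnerable_request(role: str, raw_path: str) -> str:
    """Proxy checks the raw string; backend canonicalizes and trusts the proxy."""
    if is_internal(raw_path) and role != "admin":
        return "proxy-denied"
    # Backend never re-checks: whatever the proxy forwarded is served.
    return "served:" + canonicalize(raw_path)

def backend_handle(canon_path: str, role: str) -> str:
    """Hardened backend: enforces authorization itself using the forwarded identity."""
    if is_internal(canon_path) and role != "admin":
        return "backend-denied"
    return "served:" + canon_path

def hardened_request(role: str, raw_path: str) -> str:
    """Hardened proxy: authorizes on the same canonical form the backend routes on."""
    canon = canonicalize(raw_path)
    if is_internal(canon) and role != "admin":
        return "proxy-denied"
    return backend_handle(canon, role)
```

The defensive point is consistency across layers: the proxy must authorize the request the backend will actually see, and the backend must not rely on the proxy having done so.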

In the intrusions observed with Cactus ransomware, the tunneling bypass was combined with server-side functionality to achieve remote code execution on the Qlik Sense server, followed by credential harvesting, lateral movement, and ransomware deployment. The Scope Changed (S:C) rating reflects that the tunneling attack crosses from the public-facing proxy context into the internal backend service context.

Discovery

The original HTTP tunneling vulnerability (CVE-2023-41265/41266) was discovered by Praetorian. The bypass (CVE-2023-48365) was identified as an incomplete fix of that issue. Active exploitation was documented by Arctic Wolf, which published research in November 2023 attributing attacks to Cactus ransomware operators targeting enterprises with unpatched Qlik Sense installations.

Exploitation Context

Cactus ransomware (active since early 2023) specifically targeted Qlik Sense Enterprise deployments as an initial access vector. Unlike many ransomware groups that use phishing or credential stuffing, Cactus demonstrated a pattern of exploiting enterprise software vulnerabilities — particularly data analytics and file transfer platforms — as their entry point. Qlik Sense's widespread enterprise deployment and service-level database access made it an attractive target: gaining code execution on the Qlik Sense server typically provides access to database credentials for multiple data sources across the organization.

The long gap between patch (November 2023) and CISA KEV addition (January 2025) reflects ongoing exploitation of organizations that had not yet applied the November 2023 patch, including victims of continued Cactus ransomware campaigns throughout 2024.

Remediation

  1. Apply the Qlik Sense November 2023 (or later) patch immediately — this addresses both CVE-2023-48365 and closes the prior CVE-2023-41265 attack surface.
  2. Verify that the August 2023 patch for CVE-2023-41265/41266 was also applied — both patches are required for full remediation.
  3. If internet-exposed Qlik Sense instances have not received the November 2023 patch, treat them as potentially compromised and perform a forensic review.
  4. Restrict Qlik Sense access to authenticated, trusted users via corporate SSO — guest or anonymous access expands the attacker's ability to reach the tunneling endpoint.
  5. Review Qlik Sense access logs for anomalous HTTP request patterns, unexpected backend service calls, or evidence of unauthorized data access.
  6. Enforce network segmentation to limit Qlik Sense's database connectivity to only the specific data sources it legitimately needs — this reduces the blast radius if the Qlik server is compromised.

Key Details

Property               Value
CVE ID                 CVE-2023-48365
Vendor / Product       Qlik — Sense
NVD Published          2023-11-15
NVD Last Modified      2025-10-31
CVSS 3.1 Score         9.6
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Severity               CRITICAL
CWE                    CWE-444
CISA KEV Added         2025-01-13
CISA KEV Deadline      2025-02-03
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2025-02-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-08-29   CVE-2023-41265 and CVE-2023-41266 (first HTTP tunneling chain) patched by Qlik
2023-11-15   Qlik releases patch for CVE-2023-48365, a bypass of the CVE-2023-41265 fix
2023-11-28   Arctic Wolf publishes research confirming Cactus ransomware exploitation of both CVE chains
2025-01-13   CISA adds CVE-2023-48365 to Known Exploited Vulnerabilities catalog
2025-02-03   CISA BOD 22-01 remediation deadline