
Qlik Sense Enterprise for Windows
Pre-Auth RCE (CVE-2023-48365)

Early warning alert: CVE-2023-48365, 410 days early

What is CVE-2023-48365?

CVE-2023-48365 is a critical pre-authentication remote code execution (RCE) vulnerability affecting Qlik Sense Enterprise for Windows. The flaw arises from improper validation of HTTP headers, allowing unauthenticated attackers to craft malicious HTTP requests that execute commands on the backend server hosting the Qlik repository service.

When Was the Vulnerability Discovered?

The vulnerability was publicly disclosed in August 2023, with reports of active exploitation in the wild following soon after. Armis Centrix™ for Early Warning added CVE-2023-48365 to its list of known vulnerabilities being exploited in the wild on November 30, 2023, while CISA added CVE-2023-48365 to its KEV catalog on January 13, 2025, making Armis Centrix™ for Early Warning early by 410 days.


Significance of CVE-2023-48365:

Vulnerable component: the vulnerability resides in the Qlik repository service, a critical backend component of Qlik Sense Enterprise for Windows. This service brokers communication between the web frontend and the backend server, which makes it a high-value and heavily exposed target. CVE-2023-48365 affects Qlik Sense Enterprise for Windows versions prior to August 2023 Patch 2.

Exploitation scenario: an attacker can exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable Qlik Sense Enterprise instance. Since authentication is not required, the attack can be executed remotely without valid credentials, providing attackers with arbitrary code execution on the server.

Impact and blast radius: successful exploitation of CVE-2023-48365 grants attackers full control over the backend server, potentially allowing them to deploy malware or ransomware, exfiltrate sensitive data and/or pivot to other systems on the network. With over 11,000 exposed Qlik Sense Enterprise instances identified globally at the time of writing, the potential for widespread exploitation is significant.

Value of timely awareness: early identification of this vulnerability is critical for organizations to prevent compromise of sensitive business data, reduce downtime caused by exploitation, maintain compliance with security standards and prevent regulatory penalties. Delays in addressing this vulnerability could result in significant security breaches, data theft, and operational disruptions, especially considering the active exploitation status.

Mitigation and Protection:

Proactive defense and workarounds: organizations using Qlik Sense Enterprise for Windows should immediately upgrade to the versions of the product released in August 2023 or later (August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17), which address this vulnerability. Alternatively, if upgrading is not an option, enforcing stricter network segmentation and restricting external access to Qlik Sense Enterprise servers using firewalls and access control lists (ACLs) are highly recommended. Performing proactive threat hunting, as well as using endpoint detection and response (EDR) tools to identify and investigate abnormal HTTP requests to the Qlik repository service, can further reduce the likelihood of exploitation.
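As an added illustration of the patch-level rule above (example code written for this page, not Armis's or Qlik's own tooling), the following Python check classifies Qlik Sense Enterprise for Windows release labels against the fixed patch levels listed and triages a constructed host inventory; the "Month YYYY Patch N" label format and the inventory entries are assumptions.

```python
"""Classify Qlik Sense Enterprise for Windows release labels for CVE-2023-48365."""
import re

# Minimum patch level that includes the fix, per release branch (year, month),
# taken from the advisory's list of fixed releases. A branch absent from this
# table is older than November 2021 and has no fixed patch listed.
FIXED_PATCH_LEVELS = {
    (2023, 8): 2, (2023, 5): 6, (2023, 2): 10, (2022, 11): 12,
    (2022, 8): 14, (2022, 5): 16, (2022, 2): 15, (2021, 11): 17,
}
MONTHS = {"february": 2, "may": 5, "august": 8, "november": 11}
LABEL_RE = re.compile(r"\s*([A-Za-z]+)\s+(\d{4})(?:\s+Patch\s+(\d+))?\s*", re.I)


def parse_release(label):
    """Parse 'May 2023 Patch 4' or 'August 2023' into ((year, month), patch)."""
    m = LABEL_RE.fullmatch(label)
    if not m or m.group(1).lower() not in MONTHS:
        raise ValueError(f"unrecognised Qlik Sense release label: {label!r}")
    branch = (int(m.group(2)), MONTHS[m.group(1).lower()])
    patch = int(m.group(3)) if m.group(3) else 0  # no suffix = initial release
    return branch, patch


def is_patched(label):
    """True if the release is at or above the fixed patch level for its branch."""
    branch, patch = parse_release(label)
    if branch > (2023, 8):
        return True  # releases after August 2023 ship with the fix
    required = FIXED_PATCH_LEVELS.get(branch)
    if required is None:
        return False  # branch predates November 2021: no fixed patch listed
    return patch >= required


def hosts_needing_upgrade(inventory):
    """Return the sorted hostnames whose installed release is still affected."""
    return sorted(host for host, label in inventory.items() if not is_patched(label))


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "bi-01": "August 2023 Patch 3",
    "bi-02": "May 2023 Patch 4",
    "bi-03": "February 2022 Patch 14",
    "bi-04": "November 2023",
}

if __name__ == "__main__":
    print("hosts still affected:", hosts_needing_upgrade(SAMPLE_INVENTORY))
```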

Continuous monitoring and updates: even after upgrading or hardening, it is highly recommended to monitor impacted systems for anomalous behaviours. For example: regularly analyze logs for unauthorized access attempts or unusual HTTP requests targeting Qlik services, integrate and operationalize threat intelligence on threat actors actively exploiting this vulnerability and, finally, perform incident response drills and tabletop exercises simulating exploitation scenarios to test the effectiveness of detection and response processes. By implementing these measures, organizations can significantly reduce the risk of compromise and ensure resilience against threat actors exploiting CVE-2023-48365.

Stay vigilant and ensure your systems are up-to-date to defend against evolving cybersecurity threats.

Armis Centrix™ for Early Warning is the proactive cybersecurity solution designed to empower organizations with early warning intelligence to anticipate and mitigate cyber risk effectively. By leveraging AI-driven actionable intelligence, Armis Centrix™ provides insights into the vulnerabilities that threat actors are exploiting in the wild or are about to weaponize, allowing organizations to understand their impact and take preemptive action.

Interested in learning more about Armis Centrix™ for Early Warning? Sign up for a demo today!
