Cyber Resilience

CVE-2023-48365

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 15 November 2023
Modified: 31 October 2025
KEV Added: 13 January 2025
Patch: available (fixed releases are listed under Vulnerability details)
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.5622 (98.1st percentile)
Risk Priority: 73 (weighted 60% EPSS, 20% KEV, 20% CVSS)
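How the Risk Priority figure is composed, as an added worked example (this is not the site's own scoring code). The weights are the page's; the normalisations (EPSS probability and CVSS base score both scaled to 0-100, a KEV listing counted as 100) are assumptions, confirmed by reproducing the page's own value of 73 from its EPSS score, KEV status and CVSS base score.

```python
# Added example: reproduce the page's Risk Priority weighting (60% EPSS, 20% KEV, 20% CVSS).
# Assumed (not stated on the page): EPSS is the probability score scaled to 0-100, not the
# percentile; a KEV listing counts as 100, otherwise 0; CVSS base score is scaled to 0-100.
# The assumptions are checked by reproducing the page's own value of 73 for CVE-2023-48365.

def risk_priority(epss_score: float, in_kev: bool, cvss_base: float) -> int:
    """Weighted 0-100 priority: 0.6*EPSS + 0.2*KEV + 0.2*CVSS, rounded to an integer."""
    if not 0.0 <= epss_score <= 1.0:
        raise ValueError("EPSS score is a probability in [0, 1]")
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base score is in [0, 10]")
    epss_part = 0.60 * epss_score * 100          # 0.5622 -> 33.73
    kev_part = 0.20 * (100 if in_kev else 0)     # listed in KEV -> 20
    cvss_part = 0.20 * cvss_base * 10            # 9.6 -> 19.2
    return round(epss_part + kev_part + cvss_part)

def page_value() -> int:
    """Inputs taken from this page: EPSS 0.5622, KEV listed, CVSS 9.6 -> 72.93 -> 73."""
    return risk_priority(0.5622, True, 9.6)

if __name__ == "__main__":
    print("current:", page_value())
    print("if not in KEV:", risk_priority(0.5622, False, 9.6))
    print("at EPSS peak 0.6423:", risk_priority(0.6423, True, 9.6))
```

Feeding the EPSS percentile (0.981) instead of the score gives 98, not 73, so the probability score is the input being weighted. Without the KEV listing the same CVE would score 53, which shows how much of the figure comes from confirmed exploitation rather than from CVSS.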

Summary

CVE-2023-48365 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Qlik Sense Enterprise for Windows. Its CVSS v3.1 base score is 9.6 (Critical).

Operationally, it ranks in the top 1.9% of CVEs by exploit likelihood (EPSS 0.5622, 98.1st percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest compensating mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation); the vendor patch remains the primary fix.

Deeper analysis

Qlik Sense Enterprise for Windows releases before August 2023 Patch 2, and earlier release branches below their respective back-ported patch levels, are affected by CVE-2023-48365, a critical-severity flaw that permits unauthenticated remote code execution. The root cause is improper validation of HTTP headers, which lets an attacker tunnel HTTP requests to the backend repository service; the issue exists because the fix for the earlier CVE-2023-41265 was incomplete. The vulnerability carries a CVSS v3.1 base score of 9.6 and is classified under CWE-444 (HTTP Request/Response Smuggling).

An attacker with network access can abuse the header-validation weakness to elevate privileges and tunnel arbitrary HTTP requests to the backend server that hosts the repository application, achieving remote code execution on that host without authenticating.
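As an added illustration of the CWE-444 class, the following Python guard applies RFC 7230 message-framing rules strictly so that a front end and its backend cannot disagree about where one request ends and the next begins. This is not Qlik's code, and it is not the specific header handling that was broken in Qlik Sense, which the page does not describe; the request bytes are constructed for the example.

```python
import re

# Added example: strict HTTP/1.1 framing check for a reverse proxy (a general CWE-444 guard,
# not Qlik code; the page does not describe the exact Qlik header defect).
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 tchar: no spaces allowed

class SmugglingRisk(ValueError):
    """The request is framed ambiguously and must not be forwarded to the backend."""

def parse_request(raw: bytes):
    """Split raw bytes into (request_line, [(name_lower, value), ...], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SmugglingRisk("no end-of-headers terminator")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise SmugglingRisk("obsolete line folding")  # two parsers can disagree on obs-fold
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            # catches e.g. b"Transfer-Encoding : chunked", which lenient parsers still honour
            raise SmugglingRisk("malformed header name %r" % name)
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, body

def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body, rejecting malformed chunk sizes; trailers are ignored."""
    out, pos = b"", 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise SmugglingRisk("truncated chunk-size line")
        size_field = body[pos:end].split(b";")[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise SmugglingRisk("bad chunk size %r" % size_field)
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            return out
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise SmugglingRisk("chunk data not terminated by CRLF")
        out += body[pos:pos + size]
        pos += size + 2

def framed_body(raw: bytes) -> bytes:
    """Return the body under the one unambiguous reading of the framing headers, else raise."""
    _, headers, body = parse_request(raw)
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:  # the CL.TE / TE.CL desync precondition
        raise SmugglingRisk("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if codings != [b"chunked"]:  # 'xchunked', 'chunked, identity', etc. are all rejected
            raise SmugglingRisk("unsupported or obfuscated Transfer-Encoding %r" % te)
        return decode_chunked(body)
    if len(set(cl)) > 1:
        raise SmugglingRisk("conflicting Content-Length values %r" % cl)
    if not cl:
        return b""
    if not re.fullmatch(rb"[0-9]+", cl[0]):
        raise SmugglingRisk("non-numeric Content-Length %r" % cl[0])
    n = int(cl[0])
    if n != len(body):  # bytes past Content-Length would be read as a second request
        raise SmugglingRisk("Content-Length %d does not match %d body bytes" % (n, len(body)))
    return body

def safe_to_forward(raw: bytes) -> bool:
    """True only when the request has exactly one defensible framing."""
    try:
        framed_body(raw)
        return True
    except SmugglingRisk:
        return False

# Constructed sample requests (not captured traffic)
CLEAN = (b"POST /app HTTP/1.1\r\nHost: backend.example\r\n"
         b"Content-Length: 11\r\n\r\nhello world")
# CL.TE: a length-based front end forwards 28 body bytes; a chunked backend ends the body at
# the "0" chunk and parses "GET /admin ..." as a new request that never passed front-end auth.
CL_TE = (b"POST /app HTTP/1.1\r\nHost: backend.example\r\nContent-Length: 28\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    print("clean:", safe_to_forward(CLEAN), "cl.te:", safe_to_forward(CL_TE))
```

The guard rejects rather than "fixes" an ambiguous request: any normalisation choice a front end makes (prefer Transfer-Encoding, prefer the first Content-Length) only helps if the backend makes exactly the same choice, and request tunneling is precisely the case where it does not.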

Vendor guidance from Qlik directs customers to upgrade to one of the listed fixed releases: August 2023 Patch 2, or the corresponding back-ported patch for an earlier branch. The flaw is also catalogued in CISA's Known Exploited Vulnerabilities list (added 13 January 2025), confirming in-the-wild exploitation.

The EPSS score peaked at 0.6423 and currently stands at 0.5622, indicating sustained exploitation interest well after disclosure.

Vulnerability details

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.
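A patch-level check derived from that fixed-version list, added here as an example; this is not Qlik's tooling, and the inventory and host names are constructed. It also covers the two edge cases the list implies: branches older than November 2021 have no listed fix, and branches newer than August 2023 are not covered by the advisory at all.

```python
import re

# Added example, not Qlik tooling: classify a Qlik Sense Enterprise for Windows install
# against the fixed releases listed in the advisory text above.
MONTH_ORDER = {"February": 2, "May": 5, "August": 8, "November": 11}

# (year, month) -> first patch level on that release branch that contains the fix
FIXED_PATCH = {
    (2023, "August"): 2,    (2023, "May"): 6,      (2023, "February"): 10,
    (2022, "November"): 12, (2022, "August"): 14,  (2022, "May"): 16,
    (2022, "February"): 15, (2021, "November"): 17,
}
OLDEST_FIXED = (2021, 11)   # November 2021: oldest branch with a listed fix
NEWEST_FIXED = (2023, 8)    # August 2023: newest branch the advisory lists

def assess(year: int, month: str, patch: int = 0) -> str:
    """Return 'fixed', 'vulnerable', 'unsupported_branch' or 'newer_than_advisory'.
    patch=0 denotes the branch's initial release (no patch applied)."""
    if month not in MONTH_ORDER:
        raise ValueError("branches are February/May/August/November releases")
    key = (year, MONTH_ORDER[month])
    if key < OLDEST_FIXED:
        return "unsupported_branch"    # no fix listed: treat as vulnerable, move to a fixed branch
    if key > NEWEST_FIXED:
        return "newer_than_advisory"   # outside the advisory's list: confirm with the vendor
    return "fixed" if patch >= FIXED_PATCH[(year, month)] else "vulnerable"

VERSION_RE = re.compile(r"^(February|May|August|November)\s+(\d{4})(?:\s+Patch\s+(\d+))?$")

def assess_version_string(version: str) -> str:
    """Parse strings such as 'May 2023 Patch 5' or 'August 2023' and classify them."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string %r" % version)
    month, year, patch = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    return assess(year, month, patch)

# Constructed inventory for the example (not real hosts)
INVENTORY = {
    "qs-prod-01": "August 2023 Patch 1",
    "qs-prod-02": "May 2023 Patch 6",
    "qs-dev-01": "February 2022",
    "qs-legacy": "May 2021 Patch 9",
}

def triage(inventory: dict) -> dict:
    """Map each host to its verdict; only 'fixed' hosts need no action."""
    return {host: assess_version_string(v) for host, v in inventory.items()}

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:22} -> {verdict}")
```

Note that "fixed" here means the install is at or above the patch level that closes CVE-2023-48365; because the earlier CVE-2023-41265 fix was incomplete, a host patched only for that CVE still reports as vulnerable, which is the point of checking against this advisory's list rather than the older one.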

CWE(s)
CWE-444 (HTTP Request/Response Smuggling)

Related Threats

Threat-Actor Attribution (AI)

Cl0p (aka Clop)
Ransomware group Cl0p exploited Qlik Sense zero-days, including this CVE, per the CISA KEV ransomware-use flag and 2023 vendor reporting. The KEV flag records that the CVE is known to be used in ransomware campaigns but does not itself name an actor, so the group attribution rests on the vendor reporting.

Affected Assets

Vendor: qlik
Product: qlik sense
Version branches (CPE tags): august_2022, august_2023, february_2022, february_2023, may_2022

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-10 (Information Input Validation)

Directly requires validation of HTTP headers and other inputs, which the CVE shows was missing and allowed request tunneling to the backend repository.

prevent: AC-3 (Access Enforcement)

Enforces that only authenticated and authorized subjects may perform actions on the repository application, blocking the unauthenticated privilege escalation path. For this to help, the repository backend must enforce authorization itself rather than trusting that the front end already did, since tunneled requests arrive via the front end.

prevent: SI-2 (Flaw Remediation)

Mandates timely application of vendor patches (August 2023 Patch 2 and the equivalent back-ported patches) that close the incomplete fix for CVE-2023-41265.
