Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

DoubleQlik / HTTP Tunneling RCE in Qlik Sense Enterprise for Windows

Identifiers: CVE-2023-48365, CWE-20

CVE-2023-48365 (Qlik advisory QB-21683), also referred to as DoubleQlik, is a critical unauthenticated remote code execution vulnerability in Qlik Sense Enterprise for Windows. It affects versions before August 2023 Patch 2 and corresponding earlier supported patch levels on other release branches. The flaw is caused by improper or incomplete validation of HTTP headers, allowing a remote attacker to tunnel crafted HTTP requests through the front-end service to the backend server hosting the Qlik repository application. Because the issue is an incomplete fix for CVE-2023-41265, an attacker can abuse header handling to reach backend functionality that should not be exposed to unauthenticated users, resulting in privilege elevation and arbitrary code execution in the backend context.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated remote code execution against the backend repository environment of the affected Qlik Sense server. An attacker can execute requests and code with the permissions of the backend service, leading to full compromise of the Qlik Sense instance, unauthorized access to application data and configuration, follow-on lateral movement, persistence, and use of the server as an initial access vector. The content also indicates real-world exploitation, including use by the Cactus ransomware group.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by removing direct internet access to Qlik Sense where feasible, restricting access through network controls, segmenting the Qlik environment from untrusted networks, and enforcing filtering or validation of suspicious HTTP headers at reverse proxies or other edge controls. Monitor for indicators of compromise and suspicious access to unauthenticated resources, and review systems for artifacts associated with known exploitation activity.

Remediation

Patch, then assume compromise.

Upgrade Qlik Sense Enterprise for Windows to a fixed release. The content identifies the fixed versions as: August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. End-of-support versions should be upgraded or replaced. After patching, validate remediation through targeted testing and vulnerability scanning, and confirm that unauthenticated access paths and header-tunneling behavior are no longer possible.
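As an added example (not code from the Mallory page or from Qlik), the following Python checker compares an installed release and patch level against the fixed levels listed above, so an inventory of Qlik Sense Enterprise for Windows hosts can be triaged before and after patching. The release-string format ("August 2023 Patch 1") is an assumption.

```python
import re

# Fixed patch level per release branch, taken from the Remediation text on this page.
FIXED_PATCH = {
    "November 2021": 17, "February 2022": 15, "May 2022": 16, "August 2022": 14,
    "November 2022": 12, "February 2023": 10, "May 2023": 6, "August 2023": 2,
}
_MONTH_ORDER = {"february": 1, "may": 2, "august": 3, "november": 4}
# Assumed input form, e.g. "August 2023 Patch 1"; a bare "August 2023" is read as
# the initial release of that branch (patch 0).
_RELEASE_RE = re.compile(r"^\s*([A-Za-z]+)\s+(\d{4})(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE)


def parse_release(text: str) -> tuple[str, tuple[int, int], int]:
    """Return (branch name, sortable key, patch number) for a release string."""
    m = _RELEASE_RE.match(text)
    if not m or m.group(1).lower() not in _MONTH_ORDER:
        raise ValueError(f"unrecognised Qlik Sense release string: {text!r}")
    month = m.group(1).lower()
    year = int(m.group(2))
    patch = int(m.group(3) or 0)
    return f"{month.capitalize()} {year}", (year, _MONTH_ORDER[month]), patch


def assess(text: str) -> str:
    """Classify a release against the fixed levels for CVE-2023-48365.

    Returns "fixed", "vulnerable", "end_of_support" (branch predates every
    patched branch: upgrade or replace) or "unlisted" (branch not on the page's
    list, e.g. a later release: confirm with the vendor advisory).
    """
    branch, key, patch = parse_release(text)
    if branch in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[branch] else "vulnerable"
    oldest_patched = min(parse_release(b)[1] for b in FIXED_PATCH)
    return "end_of_support" if key < oldest_patched else "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory values, not real hosts.
    for sample in ("August 2023 Patch 1", "August 2023 Patch 2", "May 2022 Patch 16",
                   "August 2021 Patch 12", "November 2023"):
        print(f"{sample:<22} -> {assess(sample)}")
```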
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product    | Type
Qlik   | Qlik Sense | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (2)

Every observed campaign linking this CVE to a named adversary.

Associated malware (7)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (1)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.