What happened
CISA added CVE-2023-48365 (Qlik Sense) to the Known Exploited Vulnerabilities (KEV) catalog on 2025-01-13, confirming in-the-wild exploitation and imposing a remediation due date of 2025-02-03 for U.S. federal agencies (CISA KEV). The KEV entry describes an HTTP tunneling flaw that lets an attacker escalate privileges and execute HTTP requests on the backend server hosting Qlik Sense (CISA KEV). The entry also flags “Known” ransomware campaign use, signaling active criminal adoption of this path (CISA KEV).
NVD tracks the same vulnerability under CVE-2023-48365 and maps it to CWE-444, “Inconsistent Interpretation of HTTP Requests,” a class commonly associated with HTTP desynchronization/smuggling behaviors (NVD). A corresponding MITRE CVE record provides canonical ID metadata (MITRE CVE).
Why it matters
Qlik Sense often sits at the center of data access and analytics workflows, so a flaw that yields privilege escalation plus backend HTTP request execution lets an attacker act against any service the application host can reach, including backend components that were never meant to be exposed directly (NVD). With CISA confirming exploitation and setting a binding due date for federal networks, slow patch cycles translate directly into an exposure window that adversaries are already using (CISA KEV). The ransomware flag in KEV indicates that operationalized playbooks are in circulation, not just proof-of-concept code (CISA KEV).
Technical detail
Per KEV, CVE-2023-48365 is an HTTP tunneling vulnerability in Qlik Sense that allows an attacker to escalate privileges and issue HTTP requests on the backend server hosting the software (CISA KEV). NVD maps the issue to CWE-444, "Inconsistent Interpretation of HTTP Requests," the weakness class in which two components on the request path disagree about how an HTTP message is framed or routed, so that a request the front end considers harmless is interpreted differently by the back end (NVD). Neither the KEV entry nor the NVD record publishes the specific parsing discrepancy or request shape involved; what follows describes how this class behaves in general rather than the exact exploit.
In a tunneling/smuggling defect of this class, the front-end component (a proxy or gateway that terminates client connections) relays an attacker-controlled request to a backend handler that was only meant to be reached by the front end itself. Because that relay happens under the front end's own identity and network position, the attacker inherits both: the request executes in a higher-privileged context, which matches the privilege escalation KEV describes, and it can target services bound to loopback or internal interfaces on or behind the Qlik Sense host (CISA KEV; NVD). That materially expands attacker reach beyond the exposed surface. The "Known" ransomware-use flag in KEV indicates adversaries have a working exploit sequence and are using it in real operations (CISA KEV).
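The front-end/back-end disagreement above is easiest to see in request framing. The following is an added example, not Qlik's code and not derived from the CVE-2023-48365 exploit (the public records do not describe the request shape): it is the check a reverse proxy should apply before forwarding a request, rejecting any message whose body boundary two parsers could compute differently. The sample requests are constructed for illustration, and the path names in them are placeholders.

```python
"""Reject HTTP/1.1 requests with ambiguous framing (CWE-444 class).

Added example: models the front-end check that prevents a proxy and a
backend from disagreeing about where a request ends. Not Qlik code.
"""
from dataclasses import dataclass, field

KNOWN_CODINGS = {b"chunked", b"gzip", b"deflate", b"identity", b"compress"}


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def parse_head(raw: bytes):
    """Split a raw request into (request line, [(name, value)], body).

    Header names are kept un-normalized so the caller can spot tricks such
    as whitespace before the colon. Returns (None, None, None) if the header
    block is not terminated.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None, None, None
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):          # obsolete line folding
            headers.append((b"__obs_fold__", line))
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            headers.append((b"__malformed__", line))
            continue
        headers.append((name, value.strip()))
    return lines[0], headers, body


def check_framing(raw: bytes) -> Verdict:
    """Return ok=False with reasons if two parsers could frame the body differently."""
    request_line, headers, _body = parse_head(raw)
    if request_line is None:
        return Verdict(False, ["no header terminator"])
    v = Verdict(ok=True)
    cl_values, te_values = [], []
    for name, value in headers:
        if name == b"__obs_fold__":
            v.reasons.append("obsolete line folding in headers")
            continue
        if name == b"__malformed__":
            v.reasons.append("header line without colon")
            continue
        if name != name.strip():                # e.g. "Content-Length : 5"
            v.reasons.append("whitespace between header name and colon")
        key = name.strip().lower()
        if key == b"content-length":
            cl_values.append(value)
        elif key == b"transfer-encoding":
            te_values.append(value)
    if cl_values and te_values:
        v.reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        v.reasons.append("conflicting Content-Length values")
    if any(not cl.isdigit() for cl in cl_values):
        v.reasons.append("non-numeric Content-Length")
    for te in te_values:
        codings = [c.strip().lower() for c in te.split(b",")]
        if codings[-1] != b"chunked":           # chunked must be the final coding
            v.reasons.append("Transfer-Encoding does not end with chunked")
        if any(c not in KNOWN_CODINGS for c in codings):
            v.reasons.append("unrecognized transfer coding")
    v.ok = not v.reasons
    return v


# Constructed sample requests (paths are placeholders, not Qlik endpoints).
CLEAN = (b"POST /api/item HTTP/1.1\r\nHost: bi.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST /api/item HTTP/1.1\r\nHost: bi.example\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /api/item HTTP/1.1\r\nHost: bi.example\r\n"
          b"Content-Length: 5\r\nContent-Length: 10\r\n\r\nhello")
OBF_TE = (b"POST /api/item HTTP/1.1\r\nHost: bi.example\r\n"
          b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_TE),
                       ("dup-cl", DUP_CL), ("obf-te", OBF_TE)]:
        print(label, check_framing(req))
```

The design choice that matters is to reject rather than normalize: a proxy that "fixes" a CL+TE request by picking one header is itself making a framing decision the backend may not share, which is exactly the CWE-444 condition.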
For cross-referencing and consistent tracking across tools, the canonical identifier is CVE-2023-48365 with metadata available from MITRE’s CVE services (MITRE CVE).
Defense
- Patch/mitigate now: KEV requires federal agencies to apply vendor mitigations, or discontinue use if none are available, by 2025-02-03 (CISA KEV). Organizations outside that mandate should treat the KEV due date as an upper bound on their own SLA, since exploitation is confirmed (CISA KEV).
- Reduce blast radius: Because a tunneled request executes from the Qlik Sense host, segment that host from sensitive internal services and apply strict egress controls to it (NVD). Even partial egress restriction shrinks the set of internal endpoints a tunneled request can reach (NVD). Note that egress filtering does nothing for services bound to loopback on the same host; for those, restrict what the front-end component itself may call.
- Detection and monitoring: Baseline which backend HTTP calls the Qlik Sense front-end component normally makes, then alert on backend requests to local or internal addresses that fall outside that baseline, since the core impact is backend HTTP execution from the application host (CISA KEV). Correlate inbound requests from unauthenticated or low-privilege clients with backend calls that follow them under a privileged service context within a short window; that pairing is the observable signature of CWE-444 style tunneling/desynchronization (NVD).
- Front-end hardening: Where a reverse proxy or WAF fronts Qlik Sense, make it reject ambiguously framed requests (conflicting Content-Length values, Content-Length together with Transfer-Encoding, malformed transfer codings) rather than normalize them, because CWE-444 exploitation depends on two parsers interpreting the same message differently (NVD). This complements patching; it does not replace it, given active exploitation pressure (CISA KEV).
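The detection bullet above, as an added worked example (not Lyrie's or Qlik's code): it correlates a front-end access log with a backend request log on the same host and flags inbound requests from a low-privilege client that are followed, within a short window, by a backend call executed under a privileged service context. The log layout, the service-account name, the paths and the 500 ms window are all assumptions made for the example; the log lines are constructed.

```python
"""Correlate front-end requests with privileged backend HTTP calls.

Added example. Log format, account names and paths are assumed, not
Qlik's actual log layout. Fields: timestamp source user method path.
"""
from datetime import datetime, timedelta

# Constructed sample logs (assumed format).
FRONTEND_LOG = """\
2025-01-14T10:00:00.100Z 203.0.113.5 anonymous POST /hub/api/v1/items
2025-01-14T10:00:00.900Z 198.51.100.7 alice GET /hub/
2025-01-14T10:00:05.000Z 203.0.113.5 anonymous POST /hub/api/v1/items
2025-01-14T10:00:09.000Z 198.51.100.7 alice GET /hub/
"""
BACKEND_LOG = """\
2025-01-14T10:00:00.150Z 127.0.0.1 INTERNAL\\sa_repository POST /qrs/user
2025-01-14T10:00:00.950Z 127.0.0.1 alice GET /qrs/app
2025-01-14T10:00:05.040Z 127.0.0.1 INTERNAL\\sa_repository PUT /qrs/serviceaccount
2025-01-14T10:00:12.000Z 127.0.0.1 INTERNAL\\sa_repository GET /qrs/about
"""

# Service identities that should never be reachable from a client request
# (assumed name for the example).
PRIVILEGED_CONTEXTS = {"INTERNAL\\sa_repository"}
WINDOW = timedelta(milliseconds=500)
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_log(text: str) -> list:
    """Parse whitespace-separated log lines into dicts, sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, method, path = line.split()
        rows.append({"ts": datetime.strptime(ts, TS_FMT), "src": src,
                     "user": user, "method": method, "path": path})
    rows.sort(key=lambda r: r["ts"])
    return rows


def correlate(frontend: list, backend: list, window: timedelta = WINDOW) -> list:
    """Flag front-end requests followed within `window` by a backend call
    under a privileged context that the front-end user does not hold."""
    alerts = []
    j = 0
    for fe in frontend:
        # Advance past backend calls that precede this front-end request.
        while j < len(backend) and backend[j]["ts"] < fe["ts"]:
            j += 1
        k = j
        while k < len(backend) and backend[k]["ts"] - fe["ts"] <= window:
            be = backend[k]
            if be["user"] in PRIVILEGED_CONTEXTS and be["user"] != fe["user"]:
                alerts.append({
                    "client": fe["src"],
                    "frontend_user": fe["user"],
                    "frontend_path": fe["path"],
                    "backend_user": be["user"],
                    "backend_path": be["path"],
                    "delta_ms": int((be["ts"] - fe["ts"]).total_seconds() * 1000),
                })
            k += 1
    return alerts


def run() -> list:
    return correlate(parse_log(FRONTEND_LOG), parse_log(BACKEND_LOG))


if __name__ == "__main__":
    for a in run():
        print(a)
```

The unpaired backend call at 10:00:12 is deliberately outside every window and is not reported; in production you would still want it surfaced separately as a baseline deviation. Tune the window to the proxy-to-backend latency you measure on your own deployment before relying on this.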
Lyrie Verdict
This is a live exploitation path, not a theoretical one: CISA's KEV listing, ransomware flag and due date confirm adversaries are operating now (CISA KEV). The weakness sits at the HTTP transaction boundary, where behavior is observable, as its CWE-444 classification reflects (NVD). Lyrie prioritizes autonomous detection of backend-directed HTTP spawned by application-layer requests and correlates request-response sequences indicative of tunneling/desync patterns consistent with this CVE class (NVD). On detection we enforce immediate containment to narrow the window between public exploitation confirmation and patch deployment, the same window ransomware crews exploit at scale (CISA KEV).