Advisory: Qlik Sense Enterprise Remote Code ExecutionIn an effort to safeguard our customers, we perform proactive vulnerability research with the goal of identifying zero-day vulnerabilities in applications that are likely to impact the security of leading organizations. Recently, we discovered two vulnerabilities which can be chained together to achieve unauthenticated remote code execution on Qlik Sense Enterprise.At the moment, we are waiting to publish technical details on the vulnerability to give impacted organizations time to update their systems and remediate the vulnerability. Disclosing further details at this time could put at risk the over six thousand externally facing instances of the application we discovered, including a large number of Fortune 500 companies, military, and government entities with self-hosted externally facing instances of Qlik Sense Enterprise. Praetorian has worked closely with Qlik to responsibly disclose these vulnerabilities, CVE-2023-41265 (HTTP Tunneling Vulnerability in Qlik Sense Enterprise for Windows) and CVE-2023-41266 (Path Traversal in Qlik Sense Enterprise for Windows).Product DescriptionQlik Sense is a business data analytics platform used for data visualization and analysis.ImpactExploiting these vulnerabilities allows an unauthenticated attacker to achieve full remote code execution and full administrative privileges within the impacted Qlik Sense instance.When will Praetorian publish technical details?We plan on publishing the full technical details of the vulnerability at a later date. At the moment we plan on withholding these technical details to increase the amount of time an attacker would need to develop a fully automated exploit to exploit this issue at scale and give impacted organizations time to patch their Qlik Sense Enterprise instances.How do I know if my organization is at risk?Praetorian is proactively reaching out to impacted organizations with public vulnerability disclosure and/or bug bounty programs along with current and former Praetorian customers where we have determined these organizations are running instances of the application through internet-wide scanning data.The best defense is a proactive one. Understanding your attack surface better and taking proactive steps to reduce exposures and better assess the impact of new vulnerabilities is a critical step of this process. If you’d like to know how the Chariot offensive security platform can help you stay one step ahead of attackers, please don’t hesitate to contact us for a demo. Labsin CVE