Austin, TX – September 20, 2023 – Praetorian Security, Inc. announced today that its vulnerability research team identified a bypass of the original fix for CVE-2023-41265, which they had previously identified in Qlik Sense Enterprise. The bypass allowed for unauthorized remote code execution. After the offensive security company’s engineers disclosed the new vulnerability to Qlik Sense, the vendor released a second patch and acquired a new CVE for tracking purposes (CVE-2023-Pending).

Adam Crosser, the Praetorian engineer who uncovered both the initial vulnerability and the patch bypass, worked with Qlik Sense to validate the new patch. He confirms that it now implements a more robust filtering mechanism that is less prone to potential bypass vulnerabilities. Praetorian encourages organizations using Qlik Sense Enterprise to verify the version they are running and apply Qlik’s new patch (details here).

Praetorian strongly believes that responsible disclosure includes postponing explanation of technical details until end users of affected instances have had time to implement a patch. The company therefore will release the technical details of the bypass exploit at a later date. For the details of the initial exploit, see Crosser’s article from August 31, 2023, ZeroQlik: Achieving Unauthenticated Remote Code Execution via HTTP Request Tunneling and Path Traversal.

About Praetorian

Praetorian Security, Inc. offers offensive security services that pair adversarial experts with Chariot, our continuous offensive security platform, to detect vulnerabilities across complex digital environments. Whether supporting ad-hoc projects or managing continuous improvement programs, we maintain radical customer focus as we inform strategic decision making through technical analysis across the full range of enterprise security needs. With Praetorian as the vanguard, enterprises stay ahead of attackers.