Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

ZeroQlik HTTP Request Tunneling in Qlik Sense Enterprise for Windows

Identifiers: CVE-2023-41265 · CWE-444 (Inconsistent Interpretation of…)

CVE-2023-41265 is an HTTP request tunneling/request smuggling vulnerability in Qlik Sense Enterprise for Windows. According to the provided content, the issue exists in the Qlik proxy’s request forwarding logic, where the proxy prioritizes Content-Length while also forwarding Transfer-Encoding, creating a parsing discrepancy with backend services. This allows a remote attacker to tunnel a second HTTP request inside the raw HTTP request body so that the backend repository service processes attacker-controlled requests that were not intended to be exposed through the proxy’s normal security model. The vulnerability can bypass proxy header restrictions and enable impersonation of trusted internal identities by smuggling requests that include privileged X-Qlik-* headers, including X-Qlik-User. In practice, the backend repository service trusts these headers on the proxy-to-backend channel, so successful exploitation can elevate privileges and, when combined with reachable privileged repository APIs such as /qrs/externalprogramtask, can lead to arbitrary command execution. The content also notes this flaw is commonly discussed together with CVE-2023-41266 and referred to as ZeroQlik in public reporting.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to elevate privileges by causing the backend repository application to execute tunneled requests that bypass the proxy’s intended controls. This can permit impersonation of privileged internal service identities, execution of administrative actions in Qlik Sense, creation of malicious external program tasks, and, in exploitation chains described in the provided content, unauthenticated remote code execution on the Windows host running Qlik Sense services. Real-world reporting in the supplied content links exploitation of this vulnerability set to Cactus ransomware intrusions, where attackers used the access to launch follow-on tooling, establish persistence, move laterally, and ultimately deploy ransomware.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by removing or strictly limiting direct internet access to Qlik Sense Enterprise for Windows, especially the proxy-facing interface. Place the service behind tightly controlled access paths, restrict source IPs where feasible, and monitor for suspicious requests involving malformed HTTP framing, dual Content-Length/Transfer-Encoding usage, and traversal patterns associated with related Qlik exploitation. Review Qlik proxy audit logs for anomalous requests to /resources/qmc/fonts/ with font extensions and inspect for suspicious child processes spawned by Scheduler.exe, as noted in the provided content. These measures are compensating controls only and do not fully remediate the vulnerability.
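A small request-head auditor for the signals the mitigation paragraph asks defenders to monitor (dual Content-Length/Transfer-Encoding framing, privileged X-Qlik-* headers arriving from a client, traversal patterns under /resources/qmc/fonts/). This is an added example, not Mallory's or Qlik's code; the sample requests, the font-extension list and the header set are constructed assumptions.

```python
"""Audit HTTP request heads for the monitoring patterns named in the
mitigation section.  Added example, not Mallory's or Qlik's code; the
sample requests and header list below are constructed for illustration."""

# The page names X-Qlik-User as a header the backend trusts on the
# proxy-to-backend channel; a client must never be allowed to supply it.
PRIVILEGED_HEADERS = {"x-qlik-user"}
FONT_PATH = "/resources/qmc/fonts/"
FONT_EXTENSIONS = (".ttf", ".otf", ".woff", ".woff2", ".eot")  # assumed list

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, path, headers).
    Headers come back as (name, value) pairs so duplicates are preserved."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, path, headers

def audit_request(raw: str):
    """Return a list of findings for one request head (empty list = clean)."""
    _method, path, headers = parse_request(raw)
    names = [n for n, _ in headers]
    findings = []
    cl_values = {v for n, v in headers if n == "content-length"}
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    # Both framing mechanisms present: a Content-Length-first proxy and a
    # Transfer-Encoding-first backend disagree on where the body ends.
    if te_values and cl_values:
        findings.append("ambiguous framing: Content-Length and Transfer-Encoding")
    for te in te_values:
        if te.split(",")[-1].strip().lower() != "chunked":
            findings.append("Transfer-Encoding does not end with chunked")
    for name in names:
        if name in PRIVILEGED_HEADERS:
            findings.append("privileged header supplied by client: " + name)
    lower = path.lower()
    if lower.startswith(FONT_PATH) and lower.endswith(FONT_EXTENSIONS) \
            and ".." in lower:
        findings.append("traversal pattern under " + FONT_PATH)
    return findings

# Constructed samples: a clean request and one carrying both smuggling signals.
CLEAN_REQUEST = "GET /hub/ HTTP/1.1\r\nHost: qlik.example\r\nContent-Length: 0\r\n\r\n"
SUSPECT_REQUEST = ("POST /hub/ HTTP/1.1\r\nHost: qlik.example\r\n"
                   "Content-Length: 4\r\nTransfer-Encoding: chunked\r\n"
                   "X-Qlik-User: UserDirectory=EXAMPLE; UserId=example\r\n\r\n")
```

Run it over proxy audit-log request heads; any non-empty finding list for a request arriving from outside the proxy-to-backend channel is worth triage.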

Remediation

Patch, then assume compromise.

Apply Qlik’s fixed releases for Qlik Sense Enterprise for Windows. The provided content states CVE-2023-41265 is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13. Additional supplied material indicates later cumulative fixes were also released in subsequent branch updates. Organizations should upgrade to a vendor-fixed version on their supported branch and replace end-of-support releases. Because this vulnerability is discussed as part of an exploit chain with CVE-2023-41266, remediation should ensure the full vendor security update covering both issues is installed.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as a fake, a detection script, or a README-only repository.

Valid: 0 / 1 total

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product    | Type
Qlik   | Qlik Sense | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (1)

Every observed campaign linking this CVE to a named adversary.

Associated malware (6)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (2)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.