The Cybersecurity and Infrastructure Security Agency (CISA) recently added two critical vulnerabilities affecting the widely used data analytics tool Qlik Sense to its catalog of known exploited vulnerabilities, setting a deadline of December 28 for federal civilian agencies to address them.
Tracked as CVE-2023-41265 and CVE-2023-41266, the vulnerabilities were uncovered in Qlik Sense during the summer. If successfully exploited, attackers can gain access to affected systems and elevate their privileges, potentially compromising servers running the software.
Qlik, in its advisory on December 5, highlighted the severity of these vulnerabilities, warning that the exploitation of both could lead to a compromise of Qlik Sense servers. The company has received reports suggesting malicious actors are leveraging these vulnerabilities.
Rated with CVSS severity scores of 9.6 and 8.2 respectively, the vulnerabilities were discovered by Praetorian researchers in August. Notably, all versions of Qlik Sense Enterprise for Windows released before May are vulnerable, and there are currently no mitigations available.
Security experts and researchers have noted the exploitation of these vulnerabilities by the Cactus ransomware gang in a series of attacks since their discovery. Viakoo Labs’ Vice President, John Gallagher, emphasized the widespread usage of Qlik Sense, estimating around 40,000 users. However, he highlighted that proper deployment of Qlik Sense, without exposure to the public internet, significantly reduces the attack surface.
Praetorian researchers began investigating Qlik Sense because of the software's prevalence on Shodan (approximately 6,000 externally facing instances) and its central role in data analytics, which together make it a high-value target. They pointed to the software's access to database credentials and to internal network environments in corporate deployments as factors that increase its attractiveness to threat actors.