If there’s anything the past few years should have taught businesses, it is that you cannot afford to wait a month, or several months, to apply a patch once it is released: threat actors are already scanning for businesses that haven’t patched, and if you delay you should expect to be hacked. In this week’s example, Bleeping Computer reports:
Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks.
Qlik Sense supports multiple data sources and allows users to create custom data reports or interactive visualizations that can serve in decision-making processes. The product can work either locally or in the cloud.
In late August, the vendor released security updates for two critical vulnerabilities affecting the Windows version of the platform. One of the vulnerabilities, a path traversal bug tracked as CVE-2023-41266, could be exploited to generate anonymous sessions and perform HTTP requests to unauthorized endpoints.
The second issue, tracked as CVE-2023-41265 and with a critical severity of 9.8, does not require authentication and can be leveraged to elevate privileges and execute HTTP requests on the backend server that hosts the application.
On September 20, Qlik discovered that the fix for CVE-2023-41265 was insufficient and provided a new update, tracking the issue as a separate vulnerability identified as CVE-2023-48365.
In a recent report, cybersecurity company Arctic Wolf warns of Cactus ransomware actively exploiting these flaws on publicly-exposed Qlik Sense instances that remain unpatched.
Read more at Bleeping Computer.