CVEs - Compromised Website Report.
Description
This report identifies websites reported to have been compromised, together with Content Management System (CMS) software and other devices that have also been reported to have been compromised with web shells or implants that are accessible via the Hypertext Transfer Protocol (HTTP). Finally, the report includes HTML links to Common Vulnerabilities & Exposures (CVEs) that have been publicly disclosed by the respective vendors of the software applications reported to have been compromised. It is believed the websites, software products and devices identified in the report were compromised through these unpatched vulnerabilities.
Affected Software Products.
| No. | Software Product |
|---|---|
| 1. | Qlik Sense. |
| 2. | Cisco IOS XE WebUI. |
| 3. | Fortinet FortiOS & FortiProxy. |
Common Vulnerabilities & Exposures (CVEs).
Systems used for reporting and assessing the severity of security vulnerabilities.
| No. | System | Description |
|---|---|---|
| 1. | Common Vulnerabilities and Exposures (CVE). | The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures. |
| 2. | The Common Vulnerability Scoring System (CVSS). | CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It provides a numerical (0-10) representation of the severity of an information security vulnerability. |
CVSSv3.0 Metrics.
| No. | Base Score Range | Severity |
|---|---|---|
| 1. | 0.0 | None |
| 2. | 0.1 - 3.9 | Low |
| 3. | 4.0 - 6.9 | Medium |
| 4. | 7.0 - 8.9 | High |
| 5. | 9.0 - 10.0 | Critical |
Problem
1. Qlik Sense Enterprise for Windows.
Qlik Sense is data analysis and visualisation software. It is built on an associative QIX engine that lets the user link and associate data from varied sources and carry out dynamic searches and selections. Qlik Sense serves as a data analytics platform for a wide range of users, from non-technical to technical. It relies heavily on data visualisation, with augmented graphics that make it possible to show and analyse data graphically.
In August 2023, two security vulnerabilities in Qlik Sense Enterprise for Windows were identified by Adam Crosser and Thomas Hendrickson of the cybersecurity company Praetorian, based in Austin, Texas, USA. These vulnerabilities involved HTTP request tunnelling and path traversal. It was also discovered that if the two vulnerabilities are combined and successfully exploited, they could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE).
On the 29th Aug 2023, the Qlik Software Company publicly disclosed CVE-2023-41265 and CVE-2023-41266, vulnerabilities in the Qlik Sense Enterprise for Windows.
On the 20th Sep 2023, the Qlik Software Company publicly disclosed CVE-2023-48365, another vulnerability in Qlik Sense Enterprise for Windows.
| No. | CVE Report | Vendor | Product | CVSSv3 |
|---|---|---|---|---|
| 1. | CVE-2023-41265 | Qlik Community. | Qlik Sense Enterprise for Windows. | 9.6 |
| 2. | CVE-2023-41266 | Qlik Community. | Qlik Sense Enterprise for Windows. | 8.2 |
| 3. | CVE-2023-48365 | Qlik Community. | Qlik Sense Enterprise for Windows. | 9.6 |
Cactus Ransomware Group - Indicators of Compromise (IoCs).
On the 25th April 2024, Willem Zeeman and Yun Zheng Hu of Fox-IT, part of the information assurance firm NCC Group, based in Manchester, UK, in collaboration with a number of Dutch cyber security firms that had been researching the Cactus Ransomware Group, reported the group's modus operandi of exploiting Qlik Sense systems for initial access, which it has been actively targeting since November 2023.
Fox-IT, together with their colleagues from the various Dutch cyber security firms, discovered that the Cactus Ransomware Group use a particular method and technique for initial access to Qlik Sense systems. Based upon these discoveries, Fox-IT developed a fingerprinting technique to identify Qlik Sense systems that are vulnerable to this method of initial access and, even more critically, which systems are already compromised.
Arctic Wolf Networks, the computer and network security company based in Eden Prairie, Minnesota, USA, on the 28th Nov 2024 published a list of Indicators of Compromise (IoCs) they had observed in their incident response (IR) investigation into the new Cactus Ransomware Group campaign, which is reported to exploit publicly exposed installations of Qlik Sense software.
| No. | Reported by | Description | Article - IOCs |
|---|---|---|---|
| 1. | Fox-IT. | The Cactus Ransomware Group are reported to redirect the output of executed commands to a TrueType font file named qle.ttf, likely an abbreviation of "qlik exploit". In addition to the qle.ttf file, Fox-IT have also observed instances where qle.woff was used. These font files are not part of a default Qlik Sense server installation. Fox-IT discovered that files with a font file extension such as .ttf and .woff can be accessed without any authentication, regardless of whether the server is patched. This may explain why the Cactus ransomware group opted to store command output in font files within the fonts directory, which in turn also serves as a useful Indicator of Compromise (IoC). | Fox-IT - Identifying Cactus ransomware victims |
| 2. | Arctic Wolf Labs. | The Cactus Ransomware Group are reported to leverage PowerShell and the Background Intelligent Transfer Service (BITS) to download additional tools to establish persistence and ensure remote control, including renamed ManageEngine UEMS executables with a ZIP extension masquerading as Qlik files. These files were renamed again after being downloaded and invoked for silent installation. AnyDesk is downloaded directly from anydesk.com. A Plink (PuTTY Link) binary is downloaded and renamed to putty.exe. Current evidence revealed that RDP is used for lateral movement, the WizTree disk space analyser is downloaded, and rclone (renamed as svchost.exe) is leveraged for data exfiltration. | ArcticWolf Labs - Qlik Sense Exploited in Cactus Ransomware Campaign |
Constituents are advised to take appropriate action in the event of having a host identified running Qlik Sense Enterprise for Windows in the CVEs - Compromised Website Report.
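As an added example (not part of this report or of Fox-IT's tooling), the following Python script turns the Fox-IT observation above into a local check on a Qlik Sense server: it lists files in the fonts directory that carry a font extension but are either the reported qle.ttf / qle.woff names, absent from a default-install allowlist, or do not begin with a genuine font signature (stored command output has none). The allowlist is an assumption and the sample directory is constructed inline.

```python
import os
import tempfile

# Leading bytes of genuine fonts: TrueType, Apple TrueType, OpenType (CFF), WOFF, WOFF2.
FONT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"wOFF", b"wOF2")
FONT_EXTENSIONS = (".ttf", ".otf", ".woff", ".woff2")
# File names reported by Fox-IT as used to store command output (from the report above).
KNOWN_IOC_NAMES = {"qle.ttf", "qle.woff"}
# Assumed allowlist of fonts shipped with a default install (hypothetical, not Qlik's list).
DEMO_ALLOWLIST = {"OpenSans.ttf"}

def looks_like_font(path):
    with open(path, "rb") as fh:
        head = fh.read(4)
    return any(head.startswith(magic) for magic in FONT_MAGIC)

def scan_fonts_dir(fonts_dir, allowlist):
    """Return [(file name, reasons)] for font-named files that warrant investigation."""
    findings = []
    for name in sorted(os.listdir(fonts_dir)):
        path = os.path.join(fonts_dir, name)
        if not os.path.isfile(path) or not name.lower().endswith(FONT_EXTENSIONS):
            continue
        reasons = []
        if name.lower() in KNOWN_IOC_NAMES:
            reasons.append("known IoC file name")
        elif name not in allowlist:
            reasons.append("not in default-install allowlist")
        if not looks_like_font(path):  # stored command output has no font signature
            reasons.append("no font signature: content is not a font")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings

def build_demo_dir():
    """Constructed sample directory (not real Qlik data) so the script runs stand-alone."""
    demo = tempfile.mkdtemp()
    samples = {
        "OpenSans.ttf": b"\x00\x01\x00\x00" + b"\x00" * 64,  # genuine-looking TrueType header
        "qle.ttf": b"Windows IP Configuration\r\n\r\n",      # plain text, i.e. stored command output
        "qle.woff": b"constructed command output\r\n",
    }
    for name, content in samples.items():
        with open(os.path.join(demo, name), "wb") as fh:
            fh.write(content)
    return demo

if __name__ == "__main__":
    for name, reasons in scan_fonts_dir(build_demo_dir(), DEMO_ALLOWLIST):
        print(f"{name}: {reasons}")
```

Point scan_fonts_dir at the real fonts directory of a Qlik Sense server, with an allowlist taken from a known-clean installation, to get the same listing.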
2. Cisco IOS XE WebUI - (WebUI) - Web User Interface.
The Cisco Internetwork Operating System (IOS) is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems. It is a package of routing, switching, internetworking and telecommunications functions integrated into a multitasking operating system.
Cisco IOS XE does not use IOS itself as the operating system; instead it runs on a Linux operating system, where IOS runs as a separate process (daemon). All system functions run as separate processes, which has a number of advantages, notably multiprocessing, meaning the workload of processes can be shared across multiple CPUs. When a single process crashes, it no longer takes down the entire OS.
A Web user interface allows a user to interact with content or software running on a remote server or router through a Web browser. The content or Web page is downloaded from the Web server and the user interacts with it in the Web browser, which acts as the client. The Cisco IOS XE Web User Interface (WebUI) is used to configure a router after it has been installed, to enable traffic to pass through the network; it also provides network administrators with a single solution for provisioning, monitoring and optimising devices.
On the 16th Oct 2023, Cisco Systems, Inc. publicly disclosed Common Vulnerability and Exposure (CVE) Report CVE-2023-20198, a privilege escalation vulnerability in the Web User Interface (WebUI) feature of Cisco's IOS XE software affecting both physical and virtual devices that have the HTTP or HTTPS Server feature enabled. Exploitation of this vulnerability would allow a threat actor to obtain initial access and create a privileged account, which is then used to create a local user account with normal privileges. No software patches or updates were released on the date of disclosure due to the ongoing investigation into observed exploitation of the WebUI feature in Cisco IOS XE Software in the wild. Cisco Systems, Inc. has since released a number of fixed software releases.
On the 25th Oct 2023, Cisco Systems, Inc. publicly disclosed Common Vulnerability and Exposure (CVE) Report CVE-2023-20273, a command injection vulnerability in the Web User Interface (WebUI) feature of Cisco's IOS XE software. A threat actor who had obtained access and created a local user account with normal privileges through exploitation of CVE-2023-20198 could then inject and run arbitrary commands with elevated (root) privileges in the underlying operating system.
Cisco IOS XE WebUI - (WebUI) - Web User Interface - List of Publicly Disclosed CVEs.
| No. | CVE Report | Vendor | Product | CVSSv3 |
|---|---|---|---|---|
| 1. | CVE-2023-20198 | Cisco. | Cisco IOS XE Software. | 10.0 |
| 2. | CVE-2023-20273 | Cisco. | Cisco IOS XE Software. | 7.2 |
3. Fortinet FortiOS & FortiProxy.
Fortinet FortiOS is an operating system built on top of a modified version of the Linux kernel and the ext2 filesystem. Fortinet uses it across their hardware devices, from FortiGate firewalls, including their Next-Generation Firewall (NGFW), to access points and switches.
Fortinet FortiProxy is a high-performance secure web proxy designed to protect networks from Internet-borne attacks by incorporating multiple detection techniques such as web filtering, DNS filtering, data loss prevention, antivirus, intrusion prevention, and advanced threat protection.
Fortinet VPN technology provides secure communications across the Internet between multiple networks and endpoints, through both Internet Protocol Security (IPsec) and Secure Socket Layer (SSL) technologies.
On the 10th April 2025, Fortinet Inc. issued a communication, Analysis of Threat Actor Activity, which revealed that a threat actor had used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved by creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. The modification took place in the user filesystem and avoided detection. Therefore, even if a constituent had applied the software patches released by Fortinet Inc. in response to the publicly disclosed CVEs, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device's file system, which may include configurations.
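As an added illustration of the symlink-based persistence described above (this is not Fortinet's own check, and the folder layout is a constructed stand-in rather than a real FortiGate filesystem), the following Python function walks a web-served folder and reports any symbolic link whose resolved target lies outside that folder, which is exactly the condition that lets a link placed in a language-files folder expose the root filesystem through the web server.

```python
import os
import tempfile

def escaping_symlinks(served_dir):
    """Return [(link, resolved target)] for symlinks under served_dir that resolve outside it."""
    base = os.path.realpath(served_dir)
    hits = []
    for dirpath, dirnames, filenames in os.walk(served_dir):  # os.walk does not follow links
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            # A link whose real target is not below the served folder exposes other files.
            if os.path.commonpath([base, target]) != base:
                hits.append((link, target))
    return hits

def build_demo_tree():
    """Constructed stand-in (not a real device image): a served 'lang' folder inside a root area."""
    root = tempfile.mkdtemp()
    served = os.path.join(root, "lang")
    os.makedirs(served)
    with open(os.path.join(served, "en.json"), "w") as fh:
        fh.write('{"login": "Login"}')
    os.symlink("en.json", os.path.join(served, "en_alias.json"))  # benign: stays inside lang/
    os.symlink(root, os.path.join(served, "rootfs"))               # suspicious: escapes to root
    return root, served

if __name__ == "__main__":
    root, served = build_demo_tree()
    for link, target in escaping_symlinks(served):
        print(f"symlink escapes served folder: {link} -> {target}")
```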
Fortinet FortiOS & FortiProxy - List of Publicly Disclosed CVEs.
| No. | CVE Report | Vendor | Product | CVSSv3 |
|---|---|---|---|---|
| 1. | CVE-2022-42475 | Fortinet. | FortiProxy. | 9.8 |
| 2. | CVE-2023-27997 | Fortinet. | FortiOS-6K7K. | 9.2 |
| 3. | CVE-2024-21762 | Fortinet. | FortiProxy. | 9.8 |
Solution
Shadowserver Foundation - Compromised Website Report - Tag Index.
Note: The Shadowserver Foundation has included in the 'Tag' column of their report, a list of terms, which indicate the type of vulnerability associated with the specific host identified in the report.
| No. | Tag | Description |
|---|---|---|
| 1. | badcandy;device-implant;ssl | Attackers exploit vulnerabilities in Cisco IOS XE WebUI to create high-privilege accounts and install a Lua-based backdoor, resulting in the takeover of vulnerable devices. The BadCandy implant is based on the Lua programming language and consists of 29 lines of code that facilitate arbitrary command execution. The host targeted is using HTTPS. |
| 2. | badcandy;device-implant;http. | Attackers exploit vulnerabilities in Cisco IOS XE WebUI to create high-privilege accounts and install a Lua-based backdoor, resulting in the takeover of vulnerable devices. The BadCandy implant is based on the Lua programming language and consists of 29 lines of code that facilitate arbitrary command execution. The host targeted is using HTTP. |
| 3. | qliksense;cve-2023-48365. | This indicates that the Qlik Sense Service is vulnerable to CVE-2023-48365. |
| 4. | injected-code;qliksense;ssl;webshell. | This indicates that the Qlik Sense Service is compromised. |
| 5. | fortinet-compromised;ssl. | This indicates that the Fortinet devices are compromised. This was achieved by the use of previously known but not patched vulnerabilities to deliver a symlink-based persistence mechanism. |
Recommendations.
| No. | Tag | Recommendations |
|---|---|---|
| 1. | badcandy;device-implant;ssl | Cisco has strongly recommended that their customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses. Disabling the HTTP Server feature eliminates the attack vector for these vulnerabilities and may be a suitable mitigation until affected devices can be upgraded. Cisco has released IOS XE software versions 17.9, 17.6, 17.3 and 16.12 to patch CVE-2023-20198 & CVE-2023-20273. |
| 2. | badcandy;device-implant;http. | Cisco has strongly recommended that their customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses. Disabling the HTTP Server feature eliminates the attack vector for these vulnerabilities and may be a suitable mitigation until affected devices can be upgraded. Cisco has released IOS XE software versions 17.9, 17.6, 17.3 and 16.12 to patch CVE-2023-20198 & CVE-2023-20273. |
| 3. | godzilla-webshell. | Users of both ActiveMQ Classic and ActiveMQ Artemis brokers are recommended to upgrade, as are users of any Java-based OpenWire client (e.g. a Maven dependency on activemq-client): upgrade to ActiveMQ Classic 6.0.0, 5.18.3, 5.17.6, 5.16.7 or 5.15.16, and to ActiveMQ Artemis 2.31.2. |
| 4. | qliksense;cve-2023-48365. | Constituents are advised to read the article published by Fox-IT on the 25th April 2024 and the article published by Arctic Wolf Labs on the 28th Nov 2024, both articles contain details of the modus operandi of the Cactus Ransomware Group in exploiting Qlik Sense systems together with a list of Indicators of Compromise (IoCs). (See - Cactus Ransomware Group - Indicators of Compromise (IoCs) - above for links). |
| 5. | injected-code;qliksense;ssl;webshell. | Constituents are advised to disconnect their network from the internet. This action will cut off the Cactus Ransomware Group's access to the compromised computer, preventing them from exfiltrating data. Disconnect backup devices from the compromised computer and protect all data backups. Switching the computer off may destroy valuable forensic evidence, which may be required to establish how the computer and network security was breached. Change passwords for all login accounts on the network and cloud services using a computer on a separate network. Investigate the incident to establish the facts and consult with cyber security experts if necessary. In the event of a crime, Constituents are advised to report the incident to An Garda Síochána. |
| 6. | fortinet-compromised;ssl. | Constituents, and in particular those that had enabled SSL-VPN on their FortiGate devices, are advised to carefully read the communication issued by Fortinet Inc., Analysis of Threat Actor Activity, in response to the discovery of the implementation of read-only access (a backdoor) on vulnerable FortiGate devices, and to implement in full the recommendations made by Fortinet Inc., which has released multiple FortiOS mitigations in response to this discovery, highlighting the seriousness with which Fortinet Inc. views it. |
Compromised Website Report - List of Publicly Disclosed CVEs.
- Compromised Website Report - List of Publicly Disclosed CVEs in 2025
- Compromised Website Report - List of Publicly Disclosed CVEs in 2024
- Compromised Website Report - List of Publicly Disclosed CVEs in 2023
- Compromised Website Report - List of Publicly Disclosed CVEs in 2022
Additional Information
Cisco Security Advisory - Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature.
Cisco Talos - Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities.
Rapid7 - CVE-2023-20198: Active Exploitation of Cisco IOS XE Zero-Day Vulnerability.
US CISA - Guidance for Addressing Cisco IOS XE Web UI.
ZeroQlik: Achieving Unauthenticated Remote Code Execution via HTTP Request Tunneling and Path Traversal.
Cybersecuritydive - Schneider Electric hit by ransomware attack against its sustainability business division.
RFC2616 - Hypertext Transfer Protocol -- HTTP/1.1.
Cyberveilig Nederland - Press release: Melissa partnership finds several Dutch victims of ransomware group Cactus.
Shadowserver Foundation - Accessible ActiveMQ Service Report.
Apache ActiveMQ Vulnerability Leads to Stealthy Godzilla Webshell.
Fortinet - Analysis of Threat Actor Activity
Integrity360 - Threat Advisory: critical zero-day vulnerability in Fortinet's FortiOS and FortiProxy products.