CVE-2025-61138: n/a
Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory.
AI Analysis
Technical Summary
CVE-2025-61138 is an information disclosure vulnerability identified in Qlik Sense Enterprise version 14.212.13. The flaw resides in the /dev-hub/ directory, which inadvertently exposes sensitive information to unauthenticated remote attackers. The vulnerability is classified under CWE-538, which pertains to information exposure through directory listings or misconfigurations. The CVSS v3.1 base score is 7.5, indicating high severity, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This means the attack can be performed remotely over the network without any privileges or user interaction, and it results in a high impact on confidentiality, while integrity and availability remain unaffected. The vulnerability likely stems from improper access controls or directory listing permissions on the /dev-hub/ path, allowing attackers to retrieve sensitive configuration files, credentials, or other business intelligence data stored within the directory. Although no exploits have been reported in the wild, the straightforward nature of the attack and the criticality of the exposed data make this a significant threat. The absence of a patch at the time of publication necessitates immediate attention to access controls and monitoring. Qlik Sense Enterprise is widely used in enterprise environments for data analytics and business intelligence, making the confidentiality breach particularly damaging as it could lead to exposure of proprietary or personal data.
Potential Impact
For European organizations, the impact of CVE-2025-61138 is primarily the unauthorized disclosure of sensitive business intelligence and potentially personal data. This can lead to competitive disadvantage, regulatory non-compliance (notably GDPR), reputational damage, and potential legal liabilities. Since Qlik Sense Enterprise is used extensively across sectors such as finance, manufacturing, and public administration in Europe, the exposure of confidential dashboards, reports, or underlying data sources could have severe consequences. The vulnerability does not affect system integrity or availability, so operational disruption is unlikely; however, the confidentiality breach alone is critical. The ease of exploitation without authentication increases the risk of widespread scanning and data harvesting by threat actors. Organizations handling sensitive or regulated data are particularly at risk, as data leakage could trigger regulatory investigations and fines under GDPR. The lack of known exploits in the wild currently provides a window for mitigation, but the threat landscape could rapidly evolve.
Mitigation Recommendations
1. Immediately restrict access to the /dev-hub/ directory by configuring web server permissions to deny unauthenticated or unauthorized requests.
2. Implement network segmentation and firewall rules to limit external access to Qlik Sense Enterprise management interfaces and development hubs.
3. Monitor web server logs and network traffic for unusual access patterns targeting the /dev-hub/ path.
4. Employ web application firewalls (WAFs) with custom rules to block requests attempting to enumerate or access sensitive directories.
5. Review and harden Qlik Sense Enterprise configuration settings to disable unnecessary directory listings or developer features in production environments.
6. Engage with Qlik support or vendors to obtain patches or official remediation guidance as soon as they become available.
7. Conduct internal audits of data exposed via the /dev-hub/ directory to assess the scope of potential leakage and inform incident response plans.
8. Educate IT and security teams about the vulnerability and ensure rapid response capabilities for any detected exploitation attempts.
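One way to implement the log monitoring in recommendation 3, as an added example that is not Qlik's or this page's code: it flags clients that received a successful /dev-hub/ response without an authenticated user. It assumes a reverse proxy in front of Qlik Sense writes Combined Log Format and records the authenticated user in the third field; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not taken from a real system.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Nov/2025:21:30:01 +0000] "GET /dev-hub/ HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '198.51.100.7 - - [20/Nov/2025:21:30:02 +0000] "GET /%64ev-hub/ HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '192.0.2.10 - alice [20/Nov/2025:21:31:00 +0000] "GET /dev-hub/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Nov/2025:21:32:00 +0000] "GET /DEV-HUB/ HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
]

def canonical_path(target):
    """Normalise the path so encoded, mixed-case or dotted variants still match."""
    path = target.split("?", 1)[0]
    for _ in range(2):  # undo up to two layers of percent-encoding
        path = unquote(path)
    path = re.sub(r"/+", "/", "/" + path.replace("\\", "/"))
    return normpath(path).lower()

def is_dev_hub(target):
    path = canonical_path(target)
    return path == "/dev-hub" or path.startswith("/dev-hub/")

def summarise(lines):
    """Per client IP: /dev-hub/ hits, anonymous 2xx responses, bytes they returned."""
    report = defaultdict(lambda: {"hits": 0, "anon_ok": 0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_dev_hub(m["target"]):
            continue
        row = report[m["ip"]]
        row["hits"] += 1
        # Assumption: the proxy writes "-" as the user when no session is authenticated.
        if m["user"] == "-" and m["status"].startswith("2"):
            row["anon_ok"] += 1
            row["bytes"] += 0 if m["size"] == "-" else int(m["size"])
    return dict(report)

def alerts(report):
    """Clients that received at least one successful response without authenticating."""
    return sorted(ip for ip, row in report.items() if row["anon_ok"])
```

Run `alerts(summarise(open(path)))` against the proxy's access log; a non-empty result after the access restriction in recommendation 1 is in place means the restriction is not taking effect for that path.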
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 691f880cb342c1dca413b0e1
Added to database: 11/20/2025, 9:28:44 PM
Last enriched: 11/27/2025, 10:09:42 PM
Last updated: 1/7/2026, 8:47:19 AM