CVE-2025-61138 is a vulnerability identified in Qlik Sense Enterprise version 14.212.13 that results in an information leak through the /dev-hub/ directory. The /dev-hub/ directory is part of the Qlik Sense Enterprise web interface, which is used for managing and developing business intelligence applications. The information leak could allow an unauthenticated attacker to retrieve sensitive data such as configuration files, internal API endpoints, or other metadata that could facilitate further attacks or reconnaissance. The vulnerability was reserved on September 26, 2025, and published on November 20, 2025, but no CVSS score or patch has been released as of now. There are no known exploits in the wild, but the lack of authentication requirements and the nature of the exposed data increase the risk. The absence of detailed technical information limits the full understanding of the data exposed, but information disclosure vulnerabilities generally compromise confidentiality and can serve as a stepping stone for privilege escalation or lateral movement within a network. Qlik Sense Enterprise is widely used by enterprises for data analytics and visualization, making this vulnerability significant for organizations relying on it for critical business operations.

For European organizations, the impact of CVE-2025-61138 could be substantial, particularly for those in sectors such as finance, manufacturing, telecommunications, and government that rely heavily on Qlik Sense Enterprise for data analytics. The information leak could expose sensitive configuration details, user data, or internal endpoints, potentially enabling attackers to conduct further targeted attacks, including privilege escalation or data exfiltration. Confidentiality is primarily affected, but the integrity and availability of the system could be indirectly impacted if attackers leverage the leaked information to compromise the environment. The vulnerability's exploitation does not require authentication or user interaction, increasing the attack surface and risk. Organizations with regulatory obligations under GDPR must consider the potential for data breaches and the associated legal and reputational consequences. The lack of a patch means organizations must rely on compensating controls until an official fix is available.

European organizations should immediately review and restrict access permissions to the /dev-hub/ directory on Qlik Sense Enterprise servers, ensuring it is not publicly accessible or exposed to unauthorized users. Implement network-level controls such as firewalls or web application firewalls (WAFs) to block or monitor requests targeting the /dev-hub/ path. Conduct thorough logging and monitoring of access attempts to detect suspicious activity early. Limit administrative and developer access to trusted personnel and enforce strong authentication mechanisms. Segregate Qlik Sense Enterprise environments from critical infrastructure where possible to reduce lateral movement risk. Prepare for rapid deployment of patches once released by Qlik, and maintain communication with Qlik support channels for updates. Additionally, perform internal audits to identify any data that may have been exposed and assess potential impacts. Consider implementing intrusion detection systems (IDS) tuned to detect reconnaissance or exploitation attempts related to this vulnerability.