On 18 August 2021, DIVD discovered a timing attack vulnerability in Qlik Sense Enterprise. By measuring how long the server takes to reject a login, an attacker can tell which domain user names exist (domain user enumeration). As of November 2021, the vendor has fixed this vulnerability. CVE-2022-0564 has been assigned to it. Only systems that have LDAP configured are affected.
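The generic pattern behind this kind of leak, as an added example that is not DIVD's or Qlik's code and does not reproduce Qlik Sense's actual authentication logic: a login handler that only performs the expensive credential check when the directory lookup succeeds, beside a hardened handler that does the same amount of work whether or not the user exists. The directory, the cost model (a simulated clock instead of wall-clock time, so the result is deterministic) and the candidate names are all constructed for the illustration; a real measurement would sample wall-clock response times repeatedly and compare distributions.

```python
"""Timing side channel for user enumeration: leaky login beside a hardened one.

Added example, not code from DIVD or Qlik. The directory, the cost units and
the candidate names are constructed; nothing here talks to a real LDAP server.
"""
import hashlib
import hmac

# Cost of each step in simulated units. In a real deployment the expensive
# step is the password verification (a slow hash, or an LDAP bind round trip).
LOOKUP_COST = 1
VERIFY_COST = 100


def _hash(password: str, salt: bytes, rounds: int = 20_000) -> bytes:
    """Slow password hash (PBKDF2) standing in for the costly credential check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


_SALT = b"constructed-salt"
# Constructed stand-in for the domain directory: username -> (salt, stored hash).
DIRECTORY = {
    "alice": (_SALT, _hash("correct horse", _SALT)),
    "bob": (_SALT, _hash("battery staple", _SALT)),
}
# Dummy credential the hardened path verifies against when the user is unknown,
# so unknown and known users cost the same.
DUMMY_SALT, DUMMY_HASH = _SALT, _hash("dummy", _SALT)


class Clock:
    """Accumulates simulated cost so the timing difference is visible offline."""

    def __init__(self) -> None:
        self.t = 0

    def charge(self, units: int) -> None:
        self.t += units


def login_leaky(user: str, password: str, clock: Clock) -> bool:
    """Vulnerable: unknown users are rejected before the expensive check runs."""
    clock.charge(LOOKUP_COST)
    rec = DIRECTORY.get(user)
    if rec is None:
        return False  # fast path: the hash is never computed -> shorter response
    clock.charge(VERIFY_COST)
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def login_constant(user: str, password: str, clock: Clock) -> bool:
    """Hardened: always verify against something, then discard the result if
    the user does not exist. Both paths charge LOOKUP_COST + VERIFY_COST."""
    clock.charge(LOOKUP_COST)
    rec = DIRECTORY.get(user)
    salt, stored = rec if rec is not None else (DUMMY_SALT, DUMMY_HASH)
    clock.charge(VERIFY_COST)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return ok and rec is not None  # dummy credential must never authenticate


def probe(login, candidates, password: str = "wrong") -> dict:
    """Attacker's view: cost of a failed login attempt per candidate name."""
    costs = {}
    for name in candidates:
        clock = Clock()
        if login(name, password, clock):
            raise RuntimeError("probe password unexpectedly authenticated")
        costs[name] = clock.t
    return costs


def enumerate_users(login, candidates) -> list:
    """Names whose failed login cost more than the cheapest one are flagged as
    existing. Against login_leaky this recovers the directory; against
    login_constant every name costs the same and nothing is flagged."""
    costs = probe(login, candidates)
    base = min(costs.values())
    return sorted(name for name, cost in costs.items() if cost > base)


if __name__ == "__main__":
    candidates = ["alice", "bob", "carol", "dave"]
    print("leaky   :", enumerate_users(login_leaky, candidates))
    print("constant:", enumerate_users(login_constant, candidates))
```

Running the block flags `alice` and `bob` against the leaky handler and nothing against the hardened one. The hardened handler still has to be wired to a directory that itself responds in constant time; if the lookup is a remote LDAP bind that only happens for existing names, the round trip reintroduces the same leak, which is why exposing such an endpoint to the internet at all is the thing to avoid.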
What you can do
Update Qlik Sense Enterprise to the latest version available.
Do not expose NTLM endpoints such as internal_windows_authentication to the internet; disabling them removes the path used for domain user enumeration.
What we are doing
We are scanning the internet for vulnerable Qlik Sense Enterprise servers, and will notify system owners via the listed abuse contacts.