This Cybersecurity Advisory (CSA) outlines the most common vulnerabilities and exposures (CVEs) used by state-sponsored cyber actors from the People’s Republic of China (PRC) since 2020, as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI).
PRC state-sponsored cyber actors are continuing to exploit known vulnerabilities to actively target U.S. and allied networks, as well as software and hardware companies, in order to steal intellectual property and gain access to sensitive networks.
Objective:
This advisory was created by the NSA, the CISA, and the FBI to further their cybersecurity missions and responsibilities, including developing and issuing cybersecurity specifications and mitigations. This information can be shared broadly to reach all appropriate stakeholders.
Top CVEs most used by Chinese state-sponsored cyber actors since 2020 are listed below:
CVE-2021-44228
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in the configuration, log messages, and parameters do not protect against malicious actor-controlled LDAP and other JNDI related endpoints.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions: There are numerous vulnerable technologies and versions associated with CVE-2021-44228.
CVE-2019-11510
This vulnerability has been modified since NVD last analyzed it. It is awaiting reanalysis, which may result in further changes to the information provided. In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor could send a specially crafted URI to perform an arbitrary file reading vulnerability.
Vulnerability Type: Arbitrary File Read
Vulnerable Technologies and Versions: Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
CVE-2021-22205
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in remote command execution.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions: Gitlab CE/EE.
CVE-2022-26134
In affected versions of the Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions:
- All supported versions of Confluence Server and Data Center
- Confluence Server and Data Center versions after 1.3.0
CVE-2021-26855
Microsoft has released security updates for Windows Exchange Server which, if exploited, could allow an authenticated malicious actor to send malicious requests to the server. If successful, the actor could execute arbitrary code and compromise the affected system. These vulnerabilities could allow an adversary to obtain sensitive information, bypass security restrictions, cause a denial of service, and/or perform unauthorized actions on the affected Exchange server, which could enable further malicious activity.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions: Microsoft Exchange 2013, 2016, and 2019
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1- 11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions:
- F5 Big-IP Access Policy Manager
- F5 Big-IP Advanced Firewall Manager
- F5 Big-IP Advanced Web Application Firewall
- F5 Big-IP Analytics
- F5 Big-IP Application Acceleration Manager
- F5 Big-IP Application Security Manager
- F5 Big-IP DDoS Hybrid Defender
- F5 Big-IP Domain Name System (DNS)
- F5 Big-IP Fraud Protection Service (FPS)
- F5 Big-IP Global Traffic Manager (GTM)
- F5 Big-IP Link Controller
- F5 Networks Big-IP Local Traffic Manager (LTM)
- F5 Big-IP Policy Enforcement Manager (PEM)
- F5 SSL Orchestrator
CVE-2021-22005
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on the vCenter Server may exploit this issue to execute code on the vCenter Server by uploading a specially crafted file.
Vulnerability Type: Arbitrary File Upload
Vulnerable Technologies and Versions:
- VMware Cloud Foundation
- VMware VCenter Server
CVE-2019-19781
This vulnerability has been modified since NVD last analyzed it. It is awaiting reanalysis, which may result in further changes to the information provided. An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
Vulnerability Type: Path Traversal
Vulnerable Technologies and Versions: Citrix ADC, Gateway, and SD-WAN WANOP
CVE-2021-1497
Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote malicious actor to perform a command injection against an affected device.
Vulnerability Type: Command Line Execution
Vulnerable Technologies and Versions: Cisco Hyperflex Hx Data Platform 4.0(2A)
CVE-2021-20090
A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote malicious actors to bypass authentication.
Vulnerability Type: Relative Path Traversal
Vulnerable Technologies and Versions:
- Buffalo Wsr-2533Dhpl2-Bk Firmware
- Buffalo Wsr-2533Dhp3-Bk Firmware
CVE-2021-26084
In affected versions of the Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions:
- Atlassian Confluence
- Atlassian Confluence Server
- Atlassian Data Center
- Atlassian Jira Data Center
CVE-2021-36260
This vulnerability has changed since the NVD last analyzed it. It is awaiting reanalysis, which may result in more changes to the information provided. A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, a malicious actor can exploit the vulnerability to launch a command injection by sending messages with malicious commands.
Vulnerability Type: Command Injection
Vulnerable Technologies and Versions: Various Hikvision Firmware to include Ds, Ids, and Ptz
CVE-2021-42237
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions:
- Sitecore Experience Platform 7.5, 7.5 Update 1, and 7.5 Update 2
- Sitecore Experience Platform 8.0, 8.0 Service Pack 1, and 8.0 Update 1-Update 7
- Sitecore Experience Platform 8.0 Service Pack 1
- Sitecore Experience Platform 8.1, and Update 1-Update 3
- Sitecore Experience Platform 8.2, and Update 1-Update 7
CVE-2022-1388
This vulnerability has been modified since NVD last analyzed it. It is awaiting reanalysis, which may result in further changes to the information provided. On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions:
Big IP versions:
- 16.1.0-16.1.2
- 15.1.0-15.1.5
- 14.1.0-14.1.4
- 13.1.0-13.1.4
- 12.1.0-12.1.6
- 11.6.1-11.6.5
CVE-2022-24112
A malicious actor could exploit the batch-requests plugin to bypass the IP restrictions on the Admin API. The default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. If the admin key is changed or the port of the Admin API is changed to a port different from the data panel, the impact is reduced. However, there is still a risk of bypassing the IP restrictions on Apache APISIX’s data panel. There is a check in the batch-requests plugin that overrides the client IP with its real remote IP. However, this check can be bypassed due to a bug in the code.
Vulnerability Type: Authentication Bypass by Spoofing
Vulnerable Technologies and Versions:
- Apache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)
- LTS versions of Apache APISIX between 2.10.0 and 2.10.4
CVE-2021-40539
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions: Zoho Corp ManageEngine ADSelfService Plus
CVE-2021-26857
Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021- 26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021- 27078
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions: Microsoft Exchange Servers
CVE-2021-26858
Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021- 26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021- 27078.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions: Microsoft Exchange Servers
CVE-2021-27065
Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021- 26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021- 27078.
Vulnerability Type: Remote Code Execution
Vulnerable Technologies and Versions: Microsoft Exchange Servers
CVE-2021-41773
This vulnerability has been modified since NVD last analyzed it. It is awaiting reanalysis, which may result in further changes to the information provided. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49.
Vulnerability Type: Path Traversal
Vulnerable Technologies and Versions:
- Apache HTTP Server 2.4.49 and 2.4.50
- Fedoraproject Fedora 34 and 35
- Oracle Instantis Enterprise Track 17.1-17.3
- Netapp Cloud Backup
