CISA to infosec: here’s China’s hit-list, why haven’t you patched?

Top-20 exploited vulnerabilities include 12 RCEs.

America’s Cybersecurity and Infrastructure Security Agency (CISA) has assembled a list of 20 vulnerabilities actively exploited by state-sponsored actors from China since 2020.

Given its supply-chain impact on other software packages, it’s little surprise the Apache Log4J vulnerability (CVE-2021-44228) leads the list.

Apache has two other CVEs on the list: CVE-2022-24112 (an authentication bypass), and CVE-2021-41773 (a path traversal bug in the HTTP server).

Microsoft made the list four times, with remote code execution (RCE) bugs in Exchange (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

Atlassian appears twice, via RCE bugs in its Confluence product (CVE-2022-26134 and CVE-2021-26084).

In all, there are 12 RCE bugs in the top 20 list.

Patches and mitigations are available for all the vulnerabilities on the list, so if they’re actively exploited, it’s because users haven’t applied the patches yet.

CISA said the attackers use VPNs to obfuscate their activities, and “target web-facing applications to establish initial access.

“Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks.”

The list was put together by CISA, the NSA and the FBI.

Copyright © iTnews.com.au . All rights reserved.