A list of top vulnerabilities exploited by Chinese state-sponsored groups, recently released by the U.S. government, shows that sophisticated threat actors continue to rely unfettered on unpatched devices vulnerable to flaws that are sometimes years old.

The advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the NSA and FBI, shows the top CVEs used since 2020 by Chinese threat actors to gain initial access to sensitive networks, including well-known flaws like Log4j (CVE-2021-44228), bugs linked to ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) and more.

“PRC [People's Republic of China] state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest,” according to the Thursday advisory. “NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.”

Among the most exploited flaws include an Atlassian Confluence flaw (CVE-2022-26134) that could enable an unauthenticated attacker to execute arbitrary code, a bug in Zoho’s ManageEngine ADSelfService Plus (CVE-2021-40539) and a F5 BIG-IP remote code execution flaw (CVE-2020-5902). While many popular flaws on the list have been disclosed this past year, several vulnerabilities were up to three years old, such as a critical arbitrary file disclosure vulnerability in Pulse Secure’s SSL VPN solution (CVE-2019-11510) and a Citrix ADC path traversal bug (CVE-2019-19781).

Satnam Narang, senior staff research engineer at Tenable, said the advisory shows that many state-sponsored threat actors (including those linked to China) continue to exploit legacy vulnerabilities to gain initial access to organizations. Patch management has been a pain point for enterprises, and attackers are increasingly taking advantage of devices that have not been updated, as seen in a threat report released this week by Secureworks. The report found that the exploitation of vulnerabilities in internet-facing systems has become the most common initial access vector observed, signifying a marked change from 2021, when the dominant initial access vector was the use of stolen credentials.

“Known, legacy vulnerabilities are habitually exploited by threat actors of all types, whether they’re average cybercriminals, initial access brokers, ransomware affiliates to advanced persistent threat actors,” said Narang. “The barrier to entry for exploiting these flaws is low, as there are a plethora of public proof-of-concept exploits that are easily accessible. Couple that with the fact that many of these flaws remain unpatched across the world and these threat actors have found a recipe for success.”

The continued presence of several vulnerabilities in this most recent advisory demonstrates how patching remains a challenge, said Narang, pointing out that three of the flaws listed in this more recent advisory (CVE-2019-11510, CVE-2019-19781, and CVE-2020-5902) were also listed in an advisory by the NSA published back in October 2020 about CVEs being exploited by Chinese state-sponsored actors.

“While it might seem like patching is really straightforward, more often than not it’s not so simple, especially when critical business functions rely on certain applications remaining online and some businesses simply can’t afford the downtime associated with patching,” said Narang. “That said, addressing these vulnerabilities is vital for an organization’s overall security posture, so making the time is essential.”