{
	"id": "fe1c0feb-6013-43cc-b5d7-7919dc2fe6e9",
	"created_at": "2026-04-06T03:36:58.924718Z",
	"updated_at": "2026-04-10T03:35:48.496488Z",
	"deleted_at": null,
	"sha1_hash": "31e20f91545b2fd754ac6f0b8e2fc6bcf79826bc",
	"title": "Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107171,
	"plain_text": "Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors | CISA\r\nPublished: 2022-10-06 · Archived: 2026-04-06 03:26:21 UTC\r\nSummary\r\nThis joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used\r\nsince 2020 by People’s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security\r\nAgency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation\r\n(FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and\r\nallied networks as well as software and hardware companies to steal intellectual property and develop access into\r\nsensitive networks.\r\nThis joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and\r\nterritorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private\r\nsector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).\r\nNSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to\r\napply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture\r\nand reduce the threat of compromise from PRC state-sponsored malicious cyber actors.\r\nFor more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview\r\nand Advisories webpage, FBI’s Industry Alerts, and NSA’s Cybersecurity Advisories \u0026 Guidance.\r\nTechnical Details\r\nNSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most\r\ndynamic threats to U.S. government and civilian networks. 
PRC state-sponsored cyber actors continue to target\r\ngovernment and critical infrastructure networks with an increasing array of new and adaptive techniques—some\r\nof which pose a significant risk to Information Technology Sector organizations (including telecommunications\r\nproviders), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.\r\nPRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to\r\ntarget networks of interest. NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted\r\nU.S. and allied networks as well as software and hardware companies to steal intellectual property and develop\r\naccess into sensitive networks. See Table 1 for the top used CVEs.\r\nTable I: Top CVEs most used by Chinese state-sponsored cyber actors since 2020\r\nVendor CVE Vulnerability Type\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-279a\r\nPage 1 of 15\n\nApache Log4j CVE-2021-44228 Remote Code Execution\r\nPulse Connect Secure CVE-2019-11510 Arbitrary File Read\r\nGitLab CE/EE CVE-2021-22205 Remote Code Execution\r\nAtlassian CVE-2022-26134 Remote Code Execution\r\nMicrosoft Exchange CVE-2021-26855 Remote Code Execution\r\nF5 Big-IP CVE-2020-5902 Remote Code Execution\r\nVMware vCenter Server CVE-2021-22005 Arbitrary File Upload\r\nCitrix ADC CVE-2019-19781 Path Traversal\r\nCisco Hyperflex CVE-2021-1497 Command Line Execution\r\nBuffalo WSR CVE-2021-20090 Relative Path Traversal\r\nAtlassian Confluence Server and Data Center CVE-2021-26084 Remote Code Execution\r\nHikvision Webserver CVE-2021-36260 Command Injection\r\nSitecore XP CVE-2021-42237 Remote Code Execution\r\nF5 Big-IP CVE-2022-1388 Remote Code Execution\r\nApache CVE-2022-24112 Authentication Bypass by Spoofing\r\nZOHO CVE-2021-40539 Remote Code Execution\r\nMicrosoft CVE-2021-26857 Remote Code Execution\r\nMicrosoft CVE-2021-26858 Remote Code Execution\r\nMicrosoft 
CVE-2021-27065 Remote Code Execution\r\nApache HTTP Server CVE-2021-41773 Path Traversal\r\nThese state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and\r\ntarget web-facing applications to establish initial access. Many of the CVEs indicated in Table 1 allow the actors\r\nto surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence\r\nand move laterally to other internally connected networks. For additional information on PRC state-sponsored\r\ncyber actors targeting network devices, please see People’s Republic of China State-Sponsored Cyber Actors\r\nExploit Network Providers and Devices.\r\nMitigations\r\nNSA, CISA, and FBI urge organizations to apply the recommendations below and those listed in Appendix A.\r\nUpdate and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and\r\nother known exploited vulnerabilities.\r\nUtilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with\r\npassword logins to have strong, unique passwords, and change passwords immediately if there are\r\nindications that a password may have been compromised.\r\nBlock obsolete or unused protocols at the network edge.\r\nUpgrade or replace end-of-life devices.\r\nMove toward the Zero Trust security model.\r\nEnable robust logging of Internet-facing systems and monitor the logs for anomalous activity.\r\nAppendix A\r\nTable II: Apache CVE-2021-44228\r\nApache CVE-2021-44228 CVSS 3.0: 10 (Critical)\r\nVulnerability Description\r\nApache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features\r\nused in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP\r\nand other JNDI related endpoints. 
A malicious actor who can control log messages or log message parameters\r\ncould execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From\r\nlog4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and\r\n2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core\r\nand does not affect log4net, log4cxx, or other Apache Logging Services projects.\r\nRecommended Mitigations\r\nApply patches provided by vendor and perform required system updates.\r\nDetection Methods\r\nSee vendor’s Guidance For Preventing, Detecting, and Hunting for Exploitation of the Log4j 2\r\nVulnerability.\r\nVulnerable Technologies and Versions\r\nThere are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list,\r\ncheck https://nvd.nist.gov/vuln/detail/CVE-2021-44228.\r\nTable III: Pulse CVE-2019-11510\r\nPulse CVE-2019-11510 CVSS 3.0: 10 (Critical)\r\nVulnerability Description\r\n
In Pulse Secure Pulse Connect Secure (PCS)\r\n8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor\r\ncould send a specially crafted URI to exploit an arbitrary file read vulnerability.\r\nRecommended Mitigations\r\nApply patches provided by vendor and perform required system updates.\r\nDetection Methods\r\nUse CISA’s “Check Your Pulse” Tool.\r\nVulnerable Technologies and Versions\r\nPulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\nTable IV: GitLab CVE-2021-22205\r\nGitLab CVE-2021-22205 CVSS 3.0: 10 (Critical)\r\nVulnerability Description\r\nAn issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not\r\nproperly validating image files passed to a file parser, which resulted in remote command execution.\r\nRecommended Mitigations\r\nUpdate to 12.10.3, 13.9.6, and 13.8.8 for GitLab.\r\nHotpatch is available via GitLab.\r\nDetection Methods\r\nInvestigate logfiles.\r\nCheck GitLab Workhorse.\r\nVulnerable Technologies and Versions\r\nGitLab CE/EE.\r\nTable V: Atlassian CVE-2022-26134\r\nAtlassian CVE-2022-26134 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could\r\nallow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center\r\ninstance. 
The affected versions are from 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0\r\nbefore 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1.\r\nRecommended Mitigations\r\nImmediately block all Internet traffic to and from affected products AND apply the update per vendor\r\ninstructions.\r\nEnsure Internet-facing servers are up-to-date and have secure compliance practices.\r\nA short-term workaround is provided here.\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nAll supported versions of Confluence Server and Data Center\r\nConfluence Server and Data Center versions after 1.3.0\r\nTable VI: Microsoft CVE-2021-26855\r\nMicrosoft CVE-2021-26855 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nMicrosoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an\r\nauthenticated malicious actor could send malicious requests to an affected server. A malicious actor who\r\nsuccessfully exploited these vulnerabilities would execute arbitrary code and compromise the affected\r\nsystems. 
If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive\r\ninformation, bypass security restrictions, cause denial of service conditions, and/or perform unauthorized\r\nactions on the affected Exchange server, which could aid in further malicious activity.\r\nRecommended Mitigations\r\nApply the appropriate Microsoft Security Update.\r\nMicrosoft Exchange Server 2013 Cumulative Update 23 (KB5000871)\r\nMicrosoft Exchange Server 2016 Cumulative Update 18 (KB5000871)\r\nMicrosoft Exchange Server 2016 Cumulative Update 19 (KB5000871)\r\nMicrosoft Exchange Server 2019 Cumulative Update 7 (KB5000871)\r\nMicrosoft Exchange Server 2019 Cumulative Update 8 (KB5000871)\r\nRestrict untrusted connections.\r\nDetection Methods\r\nAnalyze Exchange product logs for evidence of exploitation.\r\nScan for known webshells.\r\nVulnerable Technologies and Versions\r\nMicrosoft Exchange 2013, 2016, and 2019.\r\nTable VII: F5 CVE-2020-5902\r\nTable VIII: VMware CVE-2021-22005\r\nVMware CVE-2021-22005 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nThe vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor\r\nwith network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server\r\nby uploading a specially crafted file.\r\nRecommended Mitigations\r\nApply vendor updates.\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nVMware Cloud Foundation\r\nVMware vCenter Server\r\nTable IX: Citrix CVE-2019-19781\r\nCitrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\n
An issue was discovered in Citrix Application\r\nDelivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\r\nRecommended Mitigations\r\nApply vendor mitigations.\r\nUse the CTX269180 - CVE-2019-19781 Verification Tool provided by Citrix.\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nCitrix ADC, Gateway, and SD-WAN WANOP\r\nTable X: Cisco CVE-2021-1497\r\nCisco CVE-2021-1497 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nMultiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an\r\nunauthenticated, remote malicious actor to perform a command injection against an affected device. For more\r\ninformation about these vulnerabilities, see the Technical details section of the Cisco advisory.\r\nRecommended Mitigations\r\nApply Cisco software updates.\r\nDetection Methods\r\nLook at the Snort Rules provided by Cisco.\r\nVulnerable Technologies and Versions\r\nCisco HyperFlex HX Data Platform 4.0(2A)\r\nTable XI: Buffalo CVE-2021-20090\r\nBuffalo CVE-2021-20090 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nA path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version \u003c= 1.02\r\nand WSR-2533DHP3 firmware version \u003c= 1.24 could allow unauthenticated remote malicious actors to\r\nbypass authentication.\r\nRecommended Mitigations\r\nUpdate firmware to latest available version.\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nBuffalo WSR-2533DHPL2-BK Firmware\r\nBuffalo WSR-2533DHP3-BK Firmware\r\nTable XII: Atlassian CVE-2021-26084\r\nAtlassian CVE-2021-26084 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would\r\nallow an unauthenticated 
malicious actor to execute arbitrary code on a Confluence Server or Data Center\r\ninstance. The affected versions are before version 6.13.23 and from version 6.14.0 before 7.4.11, version 7.5.0\r\nbefore 7.11.6, and version 7.12.0 before 7.12.5.\r\nRecommended Mitigations\r\nUpdate Confluence version to 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0.\r\nAvoid using end-of-life devices.\r\nUse Intrusion Detection Systems (IDS).\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nAtlassian Confluence\r\nAtlassian Confluence Server\r\nAtlassian Data Center\r\nAtlassian Jira Data Center\r\nTable XIII: Hikvision CVE-2021-36260\r\nHikvision CVE-2021-36260 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nA command injection vulnerability exists in the\r\nweb server of some Hikvision products. Due to insufficient input validation, a malicious actor can exploit\r\nthe vulnerability to launch a command injection by sending messages containing malicious commands.\r\nRecommended Mitigations\r\nApply the latest firmware updates.\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nVarious Hikvision firmware, including DS, IDS, and PTZ\r\nReferences\r\nhttps://www.cisa.gov/uscert/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260\r\nTable XIV: Sitecore CVE-2021-42237\r\nSitecore CVE-2021-42237 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nSitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack\r\nwhere it is possible to achieve remote command execution on the machine. 
No authentication or special\r\nconfiguration is required to exploit this vulnerability.\r\nRecommended Mitigations\r\nUpdate to latest version.\r\nDelete the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx.\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nSitecore Experience Platform 7.5, 7.5 Update 1, and 7.5 Update 2\r\nSitecore Experience Platform 8.0, 8.0 Service Pack 1, and 8.0 Update 1-Update 7\r\nSitecore Experience Platform 8.0 Service Pack 1\r\nSitecore Experience Platform 8.1, and Update 1-Update 3\r\nSitecore Experience Platform 8.2, and Update 1-Update 7\r\nTable XV: F5 CVE-2022-1388\r\nF5 CVE-2022-1388 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nOn F5 BIG-IP 16.1.x versions prior to 16.1.2.2,\r\n15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all\r\n12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. 
Note: Software\r\nversions which have reached End of Technical Support (EoTS) are not evaluated.\r\nRecommended Mitigations\r\nBlock iControl REST access through the self IP address.\r\nBlock iControl REST access through the management interface.\r\nModify the BIG-IP httpd configuration.\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nBIG-IP versions:\r\n16.1.0-16.1.2\r\n15.1.0-15.1.5\r\n14.1.0-14.1.4\r\n13.1.0-13.1.4\r\n12.1.0-12.1.6\r\n11.6.1-11.6.5\r\nTable XVI: Apache CVE-2022-24112\r\nApache CVE-2022-24112 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nA malicious actor can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin\r\nAPI. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution.\r\nWhen the admin key was changed or the port of Admin API was changed to a port different from the data\r\npanel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel.\r\nThere is a check in the batch-requests plugin which overrides the client IP with its real remote IP. 
But due to a\r\nbug in the code, this check can be bypassed.\r\nRecommended Mitigations\r\nIn affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.\r\nUpdate to 2.10.4 or 2.12.1.\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nApache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)\r\nLTS versions of Apache APISIX between 2.10.0 and 2.10.4\r\nTable XVII: ZOHO CVE-2021-40539\r\nZOHO CVE-2021-40539 CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nZoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication\r\nbypass with resultant remote code execution.\r\nRecommended Mitigations\r\nUpgrade to latest version.\r\nDetection Methods\r\nRun ManageEngine’s detection tool.\r\nCheck for specific files and logs.\r\nVulnerable Technologies and Versions\r\nZoho Corp ManageEngine ADSelfService Plus\r\nTable XVIII: Microsoft CVE-2021-26857\r\nMicrosoft CVE-2021-26857 CVSS 3.0: 7.8 (High)\r\nVulnerability Description\r\nMicrosoft Exchange Server remote code execution vulnerability. 
This CVE ID differs from CVE-2021-26412,\r\nCVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.\r\nRecommended Mitigations\r\nUpdate to the latest supported version.\r\nInstall Microsoft security patch.\r\nUse Microsoft Exchange On-Premises Mitigation Tool.\r\nDetection Methods\r\nRun Exchange script: https://github.com/microsoft/CSS-Exchange/tree/main/Security.\r\nHashes can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log.\r\nVulnerable Technologies and Versions\r\nMicrosoft Exchange Servers\r\nTable XIX: Microsoft CVE-2021-26858\r\nTable XX: Microsoft CVE-2021-27065\r\nTable XXI: Apache CVE-2021-41773\r\nApache CVE-2021-41773 CVSS 3.0: 7.5 (High)\r\nVulnerability Description\r\nA flaw was found in a change made to path\r\nnormalization in Apache HTTP Server 2.4.49. A malicious actor could use a path traversal attack to map URLs\r\nto files outside the directories configured by Alias-like directives. If files outside of these directories are not\r\nprotected by the usual default configuration \"require all denied,\" these requests can succeed. Enabling CGI\r\nscripts for these aliased paths could allow for remote code execution. This issue is known to be exploited in\r\nthe wild. This issue only affects Apache 2.4.49 and not earlier versions. 
The fix in Apache HTTP Server 2.4.50\r\nis incomplete (see CVE-2021-42013).\r\nRecommended Mitigations\r\nApply update or patch.\r\nDetection Methods\r\nCommercially available scanners can detect this CVE.\r\nVulnerable Technologies and Versions\r\nApache HTTP Server 2.4.49 and 2.4.50\r\nFedora Project Fedora 34 and 35\r\nOracle Instantis Enterprise Track 17.1-17.3\r\nNetApp Cloud Backup\r\nRevisions\r\nInitial Publication: October 6, 2022\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-279a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa22-279a"
	],
	"report_names": [
		"aa22-279a"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446618,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/31e20f91545b2fd754ac6f0b8e2fc6bcf79826bc.pdf",
		"text": "https://archive.orkl.eu/31e20f91545b2fd754ac6f0b8e2fc6bcf79826bc.txt",
		"img": "https://archive.orkl.eu/31e20f91545b2fd754ac6f0b8e2fc6bcf79826bc.jpg"
	}
}