{
	"id": "df118cbd-a06a-4048-8d5b-c582e1ec39ac",
	"created_at": "2026-04-06T00:10:16.543316Z",
	"updated_at": "2026-04-10T03:37:51.318618Z",
	"deleted_at": null,
	"sha1_hash": "80db7d9912ce5190973990a44047363b39595f44",
	"title": "Analysis of CISA releases Advisory on Top CVEs Exploited Chinese State-Sponsored Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44494,
	"plain_text": "Analysis of CISA releases Advisory on Top CVEs Exploited\r\nChinese State-Sponsored Groups\r\nBy Flashpoint Team\r\nPublished: 2022-10-07 · Archived: 2026-04-05 14:26:41 UTC\r\nCISA advisory\r\nOn October 6, 2022, the US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of\r\nInvestigation (FBI), and National Security Agency (NSA) released a joint advisory, AA22-279A, identifying\r\ntwenty of the top vulnerabilities that have been actively exploited by Chinese state-sponsored cyber actors since\r\n2020. The actors leveraged virtual private networks (VPNs) to obfuscate the source of the exploitation activity and\r\nthen conducted lateral movement within the target networks. \r\nOver the same time period, Flashpoint analysts have observed the majority of these vulnerabilities being heavily\r\nmentioned among threat actors, especially in Russian-language hacking and exploit forums. Seventeen out of the\r\ntwenty CVE IDs (listed below) have been among the monthly most mentioned vulnerabilities in Flashpoint’s\r\ncollections. This indicates that while CISA has attributed attempts to exploit these CVEs to China, they are\r\nlikely also being heavily targeted by threat actors of other regions. This is because the exploits targeting these\r\nvulnerabilities are simple to use and reliable, and there are high incentives for exploitation.\r\nFlashpoint has made the following insights into the most noteworthy targeted vulnerabilities using the VulnDB\r\ndatabase.\r\nLog4Shell and ProxyLogon\r\nA majority of the vulnerabilities covered by the advisory are among the major vulnerabilities disclosed during the\r\nlast few years—those that have repeatedly made the news due to their widespread exploitation. 
These include\r\nLog4Shell (VulnDB 275958), the vulnerability in Apache Log4j, and ProxyLogon (VulnDB 250803), which\r\nencompasses four Microsoft Exchange issues.\r\nCVE-2021-22204 and CVE-2021-22205 \r\nAnother notable set of vulnerabilities on the list is CVE-2021-22204 and CVE-2021-22205 (VulnDB 254347),\r\nwhich was disclosed on April 13, 2021, and describes an issue in ExifTool that allows for arbitrary code\r\nexecution. The vulnerable code is in a library, meaning it may not be straightforward to exploit, depending on\r\nimplementation. It is not common to see this type of tool or library appear on such a list—as opposed to tools such\r\nas Apache Log4j, which, while also a library, is designed to handle input from a remote source. \r\nFlashpoint also notes some inconsistencies in the CVE identification and severity level of these vulnerabilities.\r\nThe National Vulnerability Database (NVD) treats this as two issues, while Flashpoint assesses that the two CVEs\r\nare a duplicate. NVD scores CVE-2021-22204 as CVSSv3 7.8 while quoting the vendor score as 6.8. The second\r\nhttps://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/\r\nPage 1 of 3\n\nCVE, CVE-2021-22205, is given just the vendor’s score, which is CVSSv3 10.0—causing unnecessary confusion\r\nfor organizations using NVD CVSS scoring to do vulnerability triage. Flashpoint and RBS assess that the CVSSv3\r\n7.8 score is accurate, but our score makeup differs from both NVD and the vendor despite the number being\r\nequivalent. \r\nCVE-2021-36260\r\nAnother vulnerability of interest is CVE-2021-36260 (VulnDB 268325), a remote command execution flaw in\r\nmultiple Hikvision products. This vulnerability has previously been seen exploited by “Moobot,” but is not\r\nwidely associated with advanced persistent threat (APT) activity. 
The vulnerable Hikvision web server resides\r\nwithin Hikvision’s IP camera devices as well as network video recorder devices, which are designed to be network\r\naccessible and operate around the clock. The vulnerability enables remote code execution without any\r\nauthentication or user interaction, greatly simplifying the exploitation process. Further, Hikvision products are\r\nubiquitous among both home users and small businesses, providing a large number of potentially vulnerable\r\ndevices over the internet. These factors make this vulnerability ideal for developing botnets.\r\nThis vulnerability is also notable because it has a complete disclosure timeline: while it took the vendor two days\r\nto respond to the direct report, it took ninety days to patch and an additional thirty-six days before a public exploit\r\nwas seen. NVD scores this as CVSSv2 9.3, while Flashpoint and RBS score it as 10.0. \r\nCVE-2022-26134\r\nThe newest vulnerability on the list is CVE-2022-26134 (VulnDB 291802), disclosed on June 2, via active\r\nexploitation in the wild. It is a flaw in Atlassian Confluence Server related to OGNL content handling, leading to\r\nremote code execution. 
It is known to be included in commercial exploit frameworks and exploited in\r\ncryptojacking campaigns, and according to VulnDB it has been exploited by several threat actors, including DEV-0401 and DEV-0234, both attributed to China.\r\nEPSS SCORES\r\nThe current Exploit Prediction Scoring System (EPSS) scores for these vulnerabilities, according to the Forum of\r\nIncident Response and Security Teams (FIRST), are as follows.\r\nCVE ID EPSS Score (Percentage)\r\nCVE-2021-44228 90.48%\r\nCVE-2019-11510 96.51%\r\nCVE-2021-22205 69.87%\r\nCVE-2022-26134 86.38%\r\nCVE-2021-26855 96.21%\r\nCVE-2020-5902 96.82%\r\nCVE-2021-22005 92.03%\r\nCVE-2019-19781 95.61%\r\nCVE-2021-1497 1.06%\r\nCVE-2021-20090 1.06%\r\nCVE-2021-26084 96.20%\r\nCVE-2021-36260 87.79%\r\nCVE-2021-42237 93.64%\r\nCVE-2022-1388 91.51%\r\nCVE-2022-24112 69.87%\r\nCVE-2021-40539 95.95%\r\nCVE-2021-26857 31.09%\r\nCVE-2021-26858 31.09%\r\nCVE-2021-27065 61.80%\r\nCVE-2021-41773 92.45%\r\nManage vulnerabilities with Flashpoint\r\nThousands of vulnerabilities are identified every year, and their exploitation has increased dramatically.\r\nOrganizations have even less time than before to respond to critical issues. To better protect your network,\r\nenterprises need to proactively manage risk in a timely manner. Sign up for a free trial and see how quality\r\nintelligence empowers a vulnerability risk management program, allowing your security teams to prioritize and\r\nremediate what really matters.\r\nSource: https://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securityboulevard.com/2022/10/analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups/"
	],
	"report_names": [
		"analysis-of-cisa-releases-advisory-on-top-cves-exploited-chinese-state-sponsored-groups"
	],
	"threat_actors": [
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "00f01865-62f9-4931-b532-510eeb5e5bc7",
			"created_at": "2024-02-02T02:00:04.043727Z",
			"updated_at": "2026-04-10T02:00:03.538157Z",
			"deleted_at": null,
			"main_name": "Lilac Typhoon",
			"aliases": [
				"DEV-0234"
			],
			"source_name": "MISPGALAXY:Lilac Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434216,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80db7d9912ce5190973990a44047363b39595f44.pdf",
		"text": "https://archive.orkl.eu/80db7d9912ce5190973990a44047363b39595f44.txt",
		"img": "https://archive.orkl.eu/80db7d9912ce5190973990a44047363b39595f44.jpg"
	}
}