America’s Cybersecurity and Infrastructure Security Agency (CISA) has assembled a list of 20 vulnerabilities actively exploited by state-sponsored actors from China since 2020.
Given its supply-chain impact on other software packages, it’s little surprise the Apache Log4j vulnerability (CVE-2021-44228) leads the list.
In all, 12 of the 20 vulnerabilities on the list are remote code execution (RCE) bugs.
Patches and mitigations are available for all the vulnerabilities on the list, so if they’re actively exploited, it’s because users haven’t applied the patches yet.
CISA said the attackers use VPNs to obfuscate their activities, and “target web-facing applications to establish initial access.
“Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks.”
The list was put together by CISA, the NSA and the FBI.