Bugs exploited most by Chinese Hackers

NSA released the top most bugs that are exploited actively by Chinese Hackers. Though all exploits are patchable and can be closed, it’s active still

Let’s see the top 25 exploits from recet to past

1) CVE-2019-11510 – Pulse Secure VPN servers, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords

2) CVE-2020-5902 – F5 BIG-IP proxies and load balancer, the Traffic Management User Interface (TMUI) —also referred to as the Configuration utility— is vulnerable to a Remote Code Execution (RCE) vulnerability that can allow remote attackers to take over the entire BIG-IP device.

[3+4+5+6]CVE-2019-19781, CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 – Set of Citrix ADC and Gateway bugs. These ones also impact SDWAN WAN-OP systems as well. anonymous access is possible

7) CVE-2019-0708 (BlueKeep) – A remote code execution vulnerability exists within Remote Desktop Services on Windows operating systems.

8) CVE-2020-15505 – A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code and take over remote company servers.

9) CVE-2020-1350 (SIGRed) – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.

10) CVE-2020-1472 (Netlogon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).

11) CVE-2019-1040 – A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC protection.

12) CVE-2018-6789 – Sending a handcrafted message to an Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely and take over email servers.

13) CVE-2020-0688 – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

14) CVE-2018-4939 – Certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

15) CVE-2015-4852 – The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object

16) CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware.

17) CVE-2019-3396 – The Widget Connector macro in Atlassian Confluence 17 Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.

18) CVE-2019-11580 – Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.

19) CVE-2020-10189 – Zoho ManageEngine Desktop Central allows remote code execution of deserialization of untrusted data.

20) CVE-2019-18935 – Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.

21) CVE-2020-0601 (aka CurveBall) – A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making to look a like legitimate.

22) CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

23) CVE-2017-6327 – The Symantec Messaging Gateway can encounter a remote code execution issue.

24) CVE-2020-3118 – A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload an affected device.

25) CVE-2020-8515 – DrayTek Vigor devices allow remote code execution as root without credentials via shell metacharacters.

Chinese Hackers has a big eye on exploits 👀..

CISA comes with a warning of Chinese state sponsered hackers targetting some age old bugs from various security devices and servers.

Crisp details of those bugs given below

CVE-2020-0688: This bug exists in Exchange Control Panel (ECP) component of Microsoft Exchange Server and could enable an attacker to perform remote code execution on the server with SYSTEM privileges.

Microsoft patched the bug in February, but less than 15 per cent of vulnerable systems had either been patched or remediated after one month, according to security researchers from Kenna Security. The researchers also found that the bulk of installs were 2016 versions, with some 74 per cent found to be ‘vulnerable’ and 26 per cent ‘potentially vulnerable’.


CVE-2019-19781: This flaw impacts Citrix Gateway (formerly NetScaler Gateway) and Citrix Application Delivery Controller (formerly NetScaler ADC) servers and could allow remote unauthenticated attackers to run commands to gain access to a network. In January, researchers at Positive Technologies warned that the flaw could put more than 80,000 organisations at risk.

CVE-2020-5902: This vulnerability in F5 Network’s Big-IP Traffic Management User Interface (TMUI) allows remote cyber threat actors to run arbitrary system commands, disable services, create or delete files, and execute Java code, without authentication.

To exploit the vulnerability, an attacker would need to send a specially crafted HTTP request to the server hosting the TMUI utility for BIG-IP configuration. As of July, nearly 8,000 users of BIG-IP family of networking devices had not applied the patch to secure their systems against the critical flaw.

CVE-2019-11510: This bug in Pulse Secure VPN appliances lets a remote, unauthenticated attacker to send a specially crafted URIs to establish a connection with vulnerable servers and read files containing user credentials. The attacker can use the information to take full control of an organisation’s systems.

In February, security researchers revealed that nearly 2500 Pulse Secure VPN servers worldwide were still vulnerable to CVE-2019-11510, more than six months after the security flaw was first publicised.

“If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network,” .