Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks

An analysis of Tenable telemetry data shows that the vulnerabilities being exploited by Chinese state-sponsored actors remain unremediated on a considerable number of devices, posing major risk to the organizations that have yet to successfully address these flaws.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding state-sponsored threat actor activity associated with the People’s Republic of China (PRC).
On August 27, the National Security Agency (NSA) published a joint cybersecurity advisory (CSA) authored and co-authored by a number of security agencies from the United States, Australia, Canada, New Zealand, United Kingdom, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain. This CSA provides guidance on PRC state-sponsored threat actor activity and describes the tactics, techniques and procedures (TTPs) utilized by these advanced persistent threat (APT) actors. These malicious actors have routinely targeted critical infrastructure, including telecommunications providers, but have also been observed attacking government, transportation, military and lodging entities. While the CSA lists some of the vulnerabilities exploited by these actors, it’s clear that this is not an exhaustive list, and organizations need to remain vigilant in addressing known and exploitable vulnerabilities, which are often abused for initial access to a victim’s network.

FAQ
Is this activity associated with Salt Typhoon?
The CSA states that the associated activity “partially overlaps” with Salt Typhoon (also known as OPERATOR PANDA, RedMike, UNC5807, GhostEmperor and more); however, it does not specifically attribute this activity to any one threat actor.
We published a blog post in January 2025 about Salt Typhoon, analyzing the vulnerabilities used by this threat actor. The overlap between the CVEs confirmed to be used by Salt Typhoon and this CSA includes a pair of Ivanti Connect and Policy Secure vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which are used as part of an exploit chain.
As the threat activity discussed in the recent CSA is more generally attributed to PRC state-sponsored actors, we recommend reviewing the blogs we have published on Volt Typhoon and the top 20 CVEs exploited by PRC state-sponsored actors. These blogs include CVEs known to be used by PRC actors, notably including Fortinet firewalls, Microsoft Exchange server and other applications and devices that are referenced in the CSA.
What are the vulnerabilities known to have been exploited in these attacks?
According to the CSA, the Chinese state-sponsored threat actors are having “considerable success exploiting publicly known common vulnerabilities and exposures (CVEs)” with the following CVEs being listed as used by these threat actors to gain initial access:
CVE | Description | CVSSv3 | VPR |
---|---|---|---|
CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability | 9.1 | 10 |
CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability | 8.2 | 6.7 |
CVE-2024-3400 | Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS | 10 | 10 |
CVE-2023-20273 | Cisco IOS XE Web UI Command Injection Vulnerability | 7.2 | 8.4 |
CVE-2023-20198 | Cisco IOS XE Web UI Elevation of Privilege Vulnerability | 10 | 9.9 |
CVE-2018-0171 | Cisco IOS and IOS XE Smart Install Remote Code Execution (RCE) Vulnerability | 9.8 | 9.2 |
*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 29 and reflects VPR at that time.
Are there proofs-of-concept (PoCs) available for these vulnerabilities?
Yes, all of the vulnerabilities referenced in the CSA have PoCs available.
Are patches or mitigations available for these CVEs?
Yes, each of the vendors for these products has released patches and, in many cases, mitigation guidance that may be used if immediate patching is not feasible. However, given that these vulnerabilities have been exploited in the wild, many of them over several years, full remediation of these vulnerabilities should be completed as soon as possible.
CVE | Affected Product | Vendor Advisory |
---|---|---|
CVE-2024-21887 and CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure | Advisory |
CVE-2024-3400 | Palo Alto PAN-OS | Advisory |
CVE-2023-20273 and CVE-2023-20198 | Cisco IOS XE | |
CVE-2018-0171 | Cisco IOS and IOS XE | Advisory |
How many devices remain vulnerable to these six CVEs?
From an analysis of Tenable telemetry data, we found that a significant number of devices remain unremediated and pose a major risk to the organizations that have yet to successfully patch. As noted in the CSA, these “APT actors may target edge devices regardless of who owns a particular device.” Even in cases where an impacted entity is not a target of interest, these actors may still use compromised devices to conduct additional attacks on targeted networks.
In our analysis, we found that Cisco devices had a surprisingly large share of unpatched devices. For CVE-2023-20273 and CVE-2023-20198, 40% of devices remain unmitigated, while 58% of devices scanned remain vulnerable to CVE-2018-0171.
In stark contrast, only around 14% of devices have yet to remediate CVE-2024-21887 and CVE-2023-46805. For Palo Alto devices, only around 3% of devices have yet to be patched for CVE-2024-3400.
Given the mixed remediation rates amongst these six CVEs, it’s imperative that organizations quickly mitigate these threats and ensure their devices are fully up to date. As the CSA notes, these threat actors are not reliant on zero-day vulnerabilities, but rather continue to target known and exploitable vulnerabilities on edge devices in order to gain initial access to their victims' networks.
Have any of these CVEs been classified under Tenable’s Vulnerability Watch?
Yes, we have classified several of the CVEs referenced in this CSA under our Vulnerability Watch:
CVE | Vulnerability Watch States | First Established | Last Established |
---|---|---|---|
CVE-2024-21887 | Vulnerability of Concern | 2024-01-10 | 2024-08-28 |
CVE-2023-46805 | Vulnerability of Concern | 2024-01-10 | 2025-02-05 |
CVE-2024-3400 | Vulnerability of Interest, Vulnerability of Concern | 2024-04-12 | 2024-08-28 |
CVE-2018-0171 | Vulnerability of Interest | 2025-08-21 | 2025-08-27 |
CVE-2023-20273 and CVE-2023-20198 were not classified prior to the publication of this CSA, as we began our Vulnerability Watch classifications at the start of 2024. We have been publishing Cyber Exposure Alert content since late 2018, and published a blog post for CVE-2023-20198 and CVE-2023-20273 on the same day the advisory was released. We recently added CVE-2018-0171 following an FBI alert.
As a result of this CSA, we have classified all six CVEs as Vulnerabilities Being Monitored. For more information about Vulnerability Watch, please visit our blog, Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help.
Have any of these CVEs been added to the CISA KEV?
Yes, each of these CVEs has been featured in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.
CVE | Date Added | Remediation Due Date |
---|---|---|
CVE-2024-21887 | 1/10/2024 | 1/22/2024 |
CVE-2023-46805 | 1/10/2024 | 1/22/2024 |
CVE-2024-3400 | 4/12/2024 | 4/19/2024 |
CVE-2023-20273 | 10/23/2023 | 10/27/2023 |
CVE-2023-20198 | 10/16/2023 | 10/20/2023 |
CVE-2018-0171 | 11/3/2021 | 5/3/2022 |
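The KEV dates above are only useful once they are compared against what is actually still exposed. The following is an added example (not Tenable's code) that reads the public KEV feed's JSON layout (a top-level `vulnerabilities` list with `cveID`, `dateAdded` and `dueDate` fields), joins it with a scanner export of findings, and ranks them by how far past the federal remediation due date each one is. The KEV subset and the asset findings are constructed inline from the six CVEs in this post; `today` is fixed to this post's publication date.

```python
"""Rank scan findings by CISA KEV remediation deadline (added example)."""
import json
from datetime import date

# Constructed subset of the KEV feed, using the six CVEs and dates from this post.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-21887", "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2023-46805", "dateAdded": "2024-01-10", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2024-3400", "dateAdded": "2024-04-12", "dueDate": "2024-04-19"},
    {"cveID": "CVE-2023-20273", "dateAdded": "2023-10-23", "dueDate": "2023-10-27"},
    {"cveID": "CVE-2023-20198", "dateAdded": "2023-10-16", "dueDate": "2023-10-20"},
    {"cveID": "CVE-2018-0171", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
]})

# Constructed stand-in for a scanner export: (asset name, CVE detected on it).
FINDINGS = [
    ("vpn-gw-01", "CVE-2023-46805"),
    ("vpn-gw-01", "CVE-2024-21887"),
    ("core-sw-07", "CVE-2018-0171"),
    ("core-sw-07", "CVE-2023-20198"),
    ("fw-edge-02", "CVE-2099-0001"),  # placeholder id, not in KEV
]

def load_kev(text):
    """Map CVE id -> (date added, due date) from a KEV-format JSON document."""
    data = json.loads(text)
    return {v["cveID"]: (date.fromisoformat(v["dateAdded"]),
                         date.fromisoformat(v["dueDate"]))
            for v in data["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Return findings as dicts: KEV entries first, most overdue first, rest last."""
    rows = []
    for asset, cve in findings:
        if cve in kev:
            days = (today - kev[cve][1]).days  # positive means past the due date
            rows.append({"asset": asset, "cve": cve, "in_kev": True, "days_overdue": days})
        else:
            rows.append({"asset": asset, "cve": cve, "in_kev": False, "days_overdue": None})
    rows.sort(key=lambda r: (not r["in_kev"], -(r["days_overdue"] or 0)))
    return rows

def overdue_by_asset(rows):
    """Count KEV findings that are past their due date, per asset."""
    counts = {}
    for r in rows:
        if r["in_kev"] and r["days_overdue"] > 0:
            counts[r["asset"]] = counts.get(r["asset"], 0) + 1
    return counts

if __name__ == "__main__":
    ranked = prioritize(FINDINGS, load_kev(KEV_JSON), date(2025, 8, 29))
    for r in ranked:
        print(r["asset"], r["cve"], r["days_overdue"])
    print(overdue_by_asset(ranked))
```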
Has Tenable released any product coverage for these vulnerabilities?
Yes, plugin coverage is available for each of these CVEs. A list of Tenable plugins for these vulnerabilities can be found on their individual CVE pages:
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
In addition to these CVEs, we also recommend scanning with plugin ID 105161 to identify if Cisco Smart Install is enabled on any Cisco devices in your network. As noted in the CSA, disabling the Cisco Smart Install feature is highly recommended. In an update to the security advisory for CVE-2018-0171 on August 20, 2025, Cisco noted that they are “aware of continued exploitation activity of the vulnerability that is described in this advisory and strongly recommends that customers assess their systems and upgrade to a fixed software release as soon as possible.”
Tenable Attack Path Analysis techniques
The following is a list of associated Tenable Attack Path Analysis techniques for the TTPs discussed in the CSA:
MITRE ATT&CK ID | Description | Tenable Attack Path techniques |
---|---|---|
T1040 | Network Sniffing | T1040_Windows |
T1068 | Exploitation for Privilege Escalation | T1068_Windows |
T1082 | System Information Discovery | T1082 |
T1098.004 | Account Manipulation | T1098.004 |
T1190 | Exploit Public-Facing Application | |
T1048.003 | Exfiltration over Alternative Protocol | T1048.003_Windows |
T1059.006 | Command and Scripting Interpreter: Python | T1059.006_Windows |
Tenable Identity Exposure Indicators of Exposure and Indicators of Attack
The following is a list of Indicators of Exposure and Indicators of Attack for Tenable Identity Exposure:
MITRE ATT&CK ID | Description | Indicators |
---|---|---|
T1003 | OS Credential Dumping | |
T1021 | Remote Services | |
T1068 | Exploitation for Privilege Escalation | I-SamNameImpersonation |
T1190 | Exploit Public-Facing Application | APPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATION |
T1199 | Trusted Relationship | |
T1556 | Modify Authentication Process | C-SHADOW-CREDENTIALS |
T1595 | Active Scanning | |
Additional MITRE ATT&CK Resources
MITRE ATT&CK ID | Description | Product |
---|---|---|
T1190 | Exploit Public-Facing Application | Tenable Web App Scanning |
T1595 | Active Scanning | Tenable Attack Surface Management |
Get more information
- Joint CSA: Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System
- Tenable blog: Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
- Tenable Blog: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
- Tenable Blog: CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
- Tenable Blog: CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild
- Tenable Blog: Proof of Concept (and Patch) for Critical Cisco IOS Vulnerability: CVE-2018-0171
- Tenable Blog: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
- Tenable Blog: Top 20 CVEs Exploited by People's Republic of China State-Sponsored Actors (AA22-279A)