uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites,’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.


China is Exploiting Vulnerabilities in Widely Used Home-Office Devices, U.S. Agencies Warn

Home Office Image

A new advisory from top federal security and law enforcement agencies warns that state-sponsored cyber actors from the People’s Republic of China (PRC) are exploiting vulnerabilities in commonly used network devices to data from major telecommunications providers. Notably, the attacks are not being aimed directly at large enterprises but the endpoints of home-based offices and small businesses. 

Issued June 7 by the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI, the advisory identified 16 common vulnerabilities and exposures (CVEs) linked to products manufactured by leading network vendors, including Cisco, Citrix, D-Link, and Netgear. The state-sponsored actors target telecommunications providers’ Remote Authentication Dial-In User Service (RADIUS) servers. Using SQL commands, the actors seek the usernames and passwords of the providers’ customers among other goals.

This is a particularly significant advisory given the upsurge in home-office usage due to the pandemic. The devices in question can be manipulated using SQL commands in order to ultimately dump usernames and passwords.

The intrusions, according to the federal agencies, are executed by accessing compromised servers called “hop points” from Chinese IP addresses hosted by Chinese ISPs. With the compromised servers, the state-sponsored actors register email accounts, host C2 domains, and interact with the victim networks. The attackers watch the defenses employed by network defenders’ accounts, then modify their actions to remain undetected.

The Top 16 devices Targeted by PRC Threat Actors

The advisory lists the network device CVEs most often exploited since 2020 by the PRC actors, identifying the vendor, CVE, and vulnerability type. They are:

Vendor              CVE                        Vulnerability Type
Cisco CVE-2018-0171 Remote Code Execution
Cisco CVE-2019-15271 RCE
Cisco CVE-2019-1652 RCE
Citrix CVE-2019-19781 RCE
DrayTek CVE-2020-8515 RCE
D-Link CVE-2019-16920 RCE
Fortinet CVE-2018-13382 Authentication Bypass
MikroTik CVE-2018-14847 Authentication Bypass
Netgear CVE-2017-6862 RCE
Pulse CVE-2019-11510 Authentication Bypass
Pulse CVE-2021-22893 RCE
QNAP CVE-2019-7192 Privilege Elevation
QNAP CVE-2019-7193 Remote Inject
QNAP CVE-2019-7194 XML Routing Detour Attack
QNAP CVE-2019-7195 XML Routing Detour Attack
Zyxe CVE-2020-29583 Authentication Bypass

Security experts report that D-Link has the most products affected by the CVEs (15). That may be a particular problem because some of these products have reached end-of-life – meaning no patches are being created to address the issue. You’ll want to make sure that your organization has upgraded or replaced any such products.

Still, it may not be enough to stop at patching the listed devices for the CVEs identified in the advisory. There are other known exploits for these devices. As such, security teams should access information about these CVEs and use threat-likelihood calculations to determine the order of remediation.

What About CVEs Without Known Exploits?

The other factor to consider is that while there are tens of thousands of CVEs in which exploits are known to exist, there are even more that may be being exploited without public knowledge of such.

That’s why the combination of vulnerability awareness and threat intelligence is so essential in reducing risk. Some of the threat intelligence can be gained by staying connected with online communities that share knowledge of emerging threats. And beyond such methods, more fully integrated and automated threat intelligence information can be gained through tools such as the risk-based vulnerability management (RBVM) applications that NopSec offers. Among other applications, NopSec’s RBVM Core, RBVM Container and RBVM Config help you ingest data from your network and combine it with threat intelligence sources to determine which assets and software is at risk and how to prioritize your actions.

We would welcome a chance to talk to you about how to introduce NopSec into your infrastructure to gain access to this critical information without overwhelming your organization. As we say, the path to cybersecurity maturity is a long one. Let us help you take the steps that are right for you and your company.

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.