Chinese Hackers Hitting Unpatched Products From Microsoft, Sophos, Fortinet, Ivanti

Chinese nation-state hackers who surreptitiously gained access to U.S. and other telecommunications networks regularly exploited known flaws in their networking gear that the victims failed to patch, experts have warned.
Cybersecurity firm Tenable said scanning data suggests that of the 30,000 Microsoft Exchange Servers potentially at risk from one of the flaws the group has regularly exploited, 91% of vulnerable systems remain unpatched, despite a patch published in 2021.
The group behind the attack campaign, tied to the Chinese government and tracked as Salt Typhoon – as well as Earth Estries, FamousSparrow, GhostEmperor and UNC2286 – has been connected to intrusions at nine U.S. telecoms as well as telecoms in dozens of other countries.
The U.S. Department of the Treasury on Jan. 17 identified and sanctioned a private hack-for-hire Chinese firm for its involvement in the campaign and a Chinese national tied to China’s civilian intelligence agency – the Ministry of State Security.
Public details about the group’s tactics, techniques and procedures continue to come to light. “Salt Typhoon typically gains initial access to its victim networks by targeting external-facing assets using known vulnerabilities,” said Scott Caveza, staff research engineer for security response at Tenable, in a Thursday blog post.
A non-exhaustive list of flaws known to be exploited by Salt Typhoon, as detailed by Tenable, includes:
- Microsoft Exchange Server server-side request forgery vulnerability, aka ProxyLogon, CVE-2021-26855;
- Sophos Firewall code injection vulnerability, CVE-2022-3236;
- FortiClient Enterprise Management Server – FortiClientEMS – SQL injection vulnerability, CVE-2023-48788;
- Ivanti Connect Secure and Ivanti Policy Secure command injection vulnerability, CVE-2024-21887;
- Ivanti Connect Secure and Ivanti Policy Secure authentication bypass vulnerability, CVE-2023-46805.
The first three CVEs have a CVSS score of 9.8 out of 10, while the fourth has 9.1. The numbers indicate that the flaws are “severe” and the vulnerabilities can be remotely exploited to take control of a device, potentially allowing attackers to pivot into other parts of the network.
“Of these five CVEs, four of them were exploited in the wild as zero-day vulnerabilities,” Tenable said. “While it’s unknown if Salt Typhoon exploited any of these flaws as zero-days, the level of sophistication from the group does suggest it has the technical ability to develop and exploit zero-day flaws in its attacks.”
Highlighting the fact that good cyber defense guards against a variety of attackers and intentions – be they nation-state groups conducting cyber espionage or disruption, criminal groups in pursuit of illicit profits, or anyone with hacktivist intentions – Tenable said four of the five CVEs have also been tied to other attacks by both nation-state and ransomware groups.
Patch Shortcomings
Despite the threat posed by Salt Typhoon and its ilk, many organizations haven’t yet addressed the vulnerabilities, with 91% of the 30,000 systems at risk from ProxyLogon appearing to remain unfixed, Tenable said. Better news comes via the finding that of the two Ivanti vulnerabilities it highlighted, 92% of vulnerable systems do appear to have been patched.
Without citing specific CVEs, CISA has also warned that Salt Typhoon targets Cisco gear and has urged users to lock down their equipment, including by disabling “the Smart Install auto-loading feature on all network devices.”
Attackers’ patience and persistence means “it’s vital that organizations routinely patch public-facing devices and quickly mitigate known and exploited vulnerabilities,” Tenable’s Caveza said. “Salt Typhoon is known for maintaining a stealthy presence on victim networks and remaining undetected for a significant time period.”
U.S. telecoms that reportedly fell victim to the group included AT&T, Charter Communications, Consolidated Communications, Lumen Technologies, T-Mobile, Verizon Communications and Windstream. Officials said some but not all have managed to eject the attackers from their infrastructure.
Last month, Anne Neuberger, the then deputy national security advisor for cyber and emerging technologies, said a single Chinese advanced persistent threat group targeted the then President-elect Donald Trump, Vice President-elect JD Vance and other individuals involved in high-level “political activity,” stole extensive amounts of metadata, and infiltrated systems handling court-authorized wiretaps.
Calls to Improve Telecom Defenses
Some telecoms may not have robust enough defenses in place to guard against these types of attacks, which persist for months before being discovered. Senior officials in the Biden administration criticized some telecoms’ poor cybersecurity posture, suggesting it exacerbated the impact of the hack attacks.
“The Chinese were very careful about their techniques. They erased logs, and in many instances, companies weren’t keeping adequate logs,” Neuberger told reporters in December 2024.
In the final days of the Biden administration, senior officials said more needed to be done. “In light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks,” said Jessica Rosenworcel last week, when she was still chairwoman of the Federal Communications Commission.
“Our existing rules are not modern,” said Rosenworcel, who stepped down Monday when Donald Trump began his second term as president. “It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action is now. We do not have the luxury of waiting.”
One of her last actions was a declaratory ruling telling telecoms to create cybersecurity and supply chain risk management plans.
What action might come next isn’t clear. The Trump administration on Monday disbanded all Department of Homeland Security advisory committees, including the all-volunteer Cyber Safety Review Board. Styled after the National Transportation Safety Board, which investigates civil aviation accidents, the Biden-created CSRB’s mandate has been “to review and assess significant cyber incidents and make concrete recommendations that would drive improvements within the private and public sectors.”
In a Monday letter, DHS told outgoing advisory board members: “You are welcome to reapply.”
Prior to being disbanded, the CSRB was investigating the Salt Typhoon attacks. Whether the CSRB will be reconstituted remains an open question, as do Trump’s plans for CISA.