
NSA: Patch These 25 Vulnerabilities to Deter Chinese Hackers

by Chris Brook on Wednesday October 21, 2020


In hopes that enterprises patch them, the NSA shared a list of 25 vulnerabilities currently being targeted by Chinese hackers.

The U.S. government has long warned about cyber threats emanating from China. Now, the National Security Agency is outlining specific vulnerabilities it has observed Chinese state-sponsored actors leveraging.

In a cybersecurity advisory it shared on Tuesday, the NSA disclosed 25 vulnerabilities (.PDF) that Chinese hackers are actively exploiting. While the list isn't definitive, it's intended to showcase CVEs that are being operationalized by China.

The list includes a number of vulnerabilities that can be exploited to give attackers initial access to a victim network via the internet. Many of the vulnerable products are used by businesses for remote access or external web services, so once an attacker is in, these vulnerabilities can act as a gateway into the rest of the network.

If you’ve been paying attention to alerts published by the DHS’ Cybersecurity and Infrastructure Security Agency over the past year, the list may not be too surprising. CISA and security researchers have been sounding the alarm around a handful of the vulnerabilities, many of which can allow full system access and remote code execution.

Seven of the vulnerabilities actually date back to 2019, but that doesn’t mean they’re not still being successfully exploited. Some on the list, including an arbitrary file reading vulnerability in Pulse Secure VPN servers, CVE-2019-11510, and an arbitrary code execution vulnerability in Citrix VPN appliances, CVE-2019-19781, were among the most exploited bugs of 2020 when the FBI and CISA posted their list of the most routinely exploited vulnerabilities in May. The oldest vulnerability, CVE-2015-4852, exists in Adobe ColdFusion, suggesting that five years after it was discovered (and patched) the flaw is still paying dividends for attackers.

Other vulnerabilities, like a remote code execution vulnerability (CVE-2020-5902) in F5 BIG-IP devices, have been the story of the summer for many administrators. CISA said in July that it began seeing attacks targeting unpatched F5 BIG-IP devices shortly after proof of concept code surfaced online on July 4. CISA warned again in August that Iranian hackers were exploiting the vulnerability.

Other CVEs, like CVE-2020-1472, aka Zerologon, a privilege escalation vulnerability in Windows Server, have been widely publicized over the past month.

While all of the vulnerabilities have been patched by their vendors, organizations may not have applied the necessary fixes. The NSA hopes that publicizing the vulnerabilities will encourage those who haven't patched to do so.

“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger said in a press release. “We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.”

The full list of vulnerabilities is as follows:

1. CVE-2019-11510: On Pulse Secure VPNs, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords.
2. CVE-2020-5902: In F5 BIG-IP proxy / load balancer devices, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
3. CVE-2019-19781: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway. They allow directory traversal, which can lead to remote code execution without credentials.
4, 5, 6. CVE-2020-8193, CVE-2020-8195, CVE-2020-8196: Improper access control and input validation, in Citrix ADC and Citrix Gateway and Citrix SDWAN WAN-OP, allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
7. CVE-2020-0708: A remote code execution vulnerability exists within Remote Desktop Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.
8. CVE-2020-15505: A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code via unspecified vectors.
9. CVE-2020-1350: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.
10. CVE-2020-1472: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.
11. CVE-2019-1040: A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.
12. CVE-2018-6789: Sending a handcrafted message to Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely.
13. CVE-2020-0688: A Microsoft Exchange validation key remote code execution vulnerability exists when the software fails to properly handle objects in memory.
14. CVE-2018-4939: Certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.
15. CVE-2015-4852: The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.
16. CVE-2020-2555: A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence.
17. CVE-2019-3396: The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
18. CVE-2019-11580: Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.
19. CVE-2020-10189: Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data.
20. CVE-2019-18935: Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.
21. CVE-2020-0601: A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.
22. CVE-2019-0803: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.
23. CVE-2017-6327: The Symantec Messaging Gateway can encounter a remote code execution issue.
24. CVE-2020-3118: A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device.
25. CVE-2020-8515: DrayTek Vigor devices allow remote code execution as root (without authentication) via shell metacharacters.

The security advisory comes a few weeks after a House Intelligence Committee report, issued last month, highlighted that federal agencies have some work to do in order to better counter Chinese threats.

"The United States' Intelligence Community has not sufficiently adapted to a changing geopolitical and technological environment increasingly shaped by a rising China," the report said. "Absent a significant realignment of resources, the U.S. government and intelligence community will fail to achieve the outcomes required to enable continued U.S. competition with China on the global stage for decades to come, and to protect the U.S. health and security."
