Security Experts:

Connect with us

Hi, what are you looking for?



China May Delay Vulnerability Disclosures For Use in Attacks

The NSA and CIA exploit leaks have thrown the spotlight on US government stockpiles of 0-day exploits — and possibly led to this week’s government declassification of the Vulnerabilities Equities Policy (VEP) process used to decide whether to disclose or retain the exploits it discovers.

The NSA and CIA exploit leaks have thrown the spotlight on US government stockpiles of 0-day exploits — and possibly led to this week’s government declassification of the Vulnerabilities Equities Policy (VEP) process used to decide whether to disclose or retain the exploits it discovers.

There is no doubt that other nations also hold stockpiles of exploits; but there has been little public information on this. While not being a stockpile per se, Recorded Future has today published research suggesting that China delays disclosure of known critical vulnerabilities, sometimes to enable their immediate use by APT groups with probable Chinese government affiliation.

Today’s publication has spun out of earlier research demonstrating that China’s national vulnerability database (CNNVD) — which is run by the Chinese Ministry of State Security (MSS) — is generally faster at publishing vulnerability details than its U.S. equivalent, the NVD. In a few cases, however, it is considerably slower. These ‘outliers’ have now been analyzed by Recorded Future with surprising results.

The research takes a close look at two particular vulnerabilities that were, unusually, published by the U.S. NVD much sooner than by China’s CNNVD. The first is CVE-2017-0199 — the exploit used in the WannaCry and NotPetya outbreaks. Details were published by the NVD on April 12, 2017; but were not published by CNNVD until more than 50 days later (June 7, 2017). The WannaCry outbreak, generally attributed to North Korean hackers, occurred between these two dates.

However, the researchers also point to Proofpoint’s analysis of Chinese threat actors known as TA459 using the same vulnerability in the same timeframe against military and aerospace organizations in Russia and Belarus. “It is likely,” suggests Recorded Future, “that the publication lag for CVE-2017-0199 could have been affected by the MSS which wanted to buy time for the vulnerability to be exploited in its operations or on behalf of another Chinese state-sponsored actor.”

The second ‘outlier’ analyzed by the researchers concerns CVE-2016-10136 and CVE-2016-10138, two vulnerabilities in Android software developed by a company named Shanghai Adups Technology. Kryptowire researchers reported in November 2016 that these vulnerabilities amount to a backdoor in certain Android phones resulting in the transmission of text messages, contact lists, call logs, location information, and other data to a Chinese server. 

Details were published by NVD in January 2017, two months after the vulnerability became public knowledge. CNNVD took another eight months before publishing a much less detailed description of the vulnerability. “The systems with these backdoors were overwhelmingly located in China, CNNVD is largely followed and consumed by Chinese businesses and citizens, and the MSS has a mission to collect domestic intelligence. While we cannot determine with certainty that the MSS was exploiting this vulnerability, we believe this is another example of likely MSS interference in the CNNVD publication process.”

In total, the researchers analyzed nearly 300 different CVEs that fell outside of the statistical norm for vulnerability reporting in China. “What we discovered,” they say, “were numerous clear examples of unexplainable behavior in vulnerability reporting by CNNVD, and cases where we believe the MSS likely have interfered to delay publication.”

This is not an example of stockpiling 0-day exploits in the same way as the NSA and the CIA have stockpiled exploits, but are indications that China sometimes delays publication of details either while it is already using the exploits, or to possibly allow for the rapid use of them. 

“Our analysis of these critical statistical deviations highlights why an intelligence service should not manage the vulnerability publication process — it is impossible for an intelligence service to equally uphold the mandates for both vulnerability reporting (transparency) and intelligence operations (secrecy). Our analysis of this dataset demonstrates that in China, one mandate is typically sacrificed — that of transparency.”

This is in sharp contrast to the separation of vulnerability reporting away from the intelligence agencies in the U.S.; and the U.S. attempt this week to increase the transparency over its approach towards vulnerabilities.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.