This week, the NSA and CISA published a joint cybersecurity advisory detailing 25 CVEs that Chinese state-sponsored threat actors are actively exploiting. If you work in software and haven’t read it, you should. Not because the vulnerabilities are exotic — quite the opposite. The uncomfortable truth is that nearly every entry on the list has had patches available for months or even years. This isn’t a story about sophisticated zero-days. It’s a story about the basics.
The List That Should Keep You Up at Night
The advisory covers vulnerabilities across a wide range of products: Microsoft Exchange, Citrix ADC, Pulse Secure VPN, F5 BIG-IP, Atlassian Confluence, and several others. Here are some of the notable entries:
- CVE-2019-19781 (Citrix ADC) — Disclosed December 2019, exploited in the wild within weeks. Still being targeted in October 2020.
- CVE-2020-5902 (F5 BIG-IP) — Disclosed July 2020, CVSS 9.8. Exploitation began almost immediately.
- CVE-2019-11510 (Pulse Secure VPN) — Disclosed April 2019. Over a year old and still being used.
- CVE-2020-0688 (Microsoft Exchange) — February 2020 patch. Eight months later, still an active attack vector.
The pattern is clear: public disclosure, patch release, and then a race between defenders applying the fix and attackers exploiting those who haven’t. The attackers are winning that race far too often.
Why Patching Remains So Hard
It’s easy to sit in an armchair and say “just patch your systems.” Anyone who’s managed production infrastructure knows it’s not that simple. But we need to be honest about why.
Legacy dependencies: Many organizations run software that requires specific versions of underlying platforms. Patching the VPN appliance might break compatibility with the legacy ERP system that generates revenue. I’ve been in those meetings where the risk of patching is weighed against the risk of not patching, and the business case often wins in the wrong direction.
Testing overhead: Proper patch validation requires staging environments that mirror production. For complex enterprises, this means weeks of testing before a patch can be rolled out. Meanwhile, the vulnerability is being actively exploited.
Visibility gaps: You can’t patch what you don’t know you have. Shadow IT, forgotten appliances, acquired company infrastructure that was never fully inventoried — these are the systems that sit unpatched for years. The Pulse Secure VPNs still being exploited aren’t in well-managed environments; they’re the ones that fell off someone’s radar.
Update fatigue: Between OS patches, application updates, firmware updates, and security advisories from dozens of vendors, IT teams are drowning in patches. Prioritization is essential but imperfect. CVSS scoring helps, but a CVSS score of 9.8 doesn’t automatically mean your team will get to it this sprint.
The Supply Chain Angle
What caught my attention in the advisory is the inclusion of several network infrastructure products — VPN concentrators, application delivery controllers, load balancers. These are the devices that sit at the perimeter of networks and are, by definition, exposed to the internet. They’re also the devices most likely to be managed by a different team than the one responsible for application security.
This is the supply chain problem in microcosm. Your application code might be secure, your containers might be scanned, your CI/CD pipeline might enforce security gates — but if the VPN appliance in front of it all has a year-old unpatched RCE vulnerability, none of that matters.
The advisory also lists CVEs in Apache Struts (CVE-2017-5638, the Equifax breach vulnerability from 2017) and Confluence Server. These are application-layer vulnerabilities in software that many organizations deploy internally without the same patching discipline they apply to operating systems.
What To Actually Do About It
Reading advisories like this can feel overwhelming, but there are concrete steps:
Asset inventory first: You cannot secure what you cannot see. If you don’t have a comprehensive, up-to-date inventory of internet-facing assets and their software versions, that’s job number one. Tools like Shodan can help you discover what your organization has exposed.
Prioritize by exposure: Not all of the 25 CVEs are equally relevant to every organization. Focus on what’s internet-facing and what’s in your stack. Cross-reference the advisory against your inventory.
Automate where possible: Configuration management tools (Ansible, Puppet, Chef) and infrastructure-as-code practices reduce the time from “patch available” to “patch deployed.” If patching still involves manual SSH sessions and maintenance windows scheduled by email, that’s a process problem.
Assume breach: Given the length of time these vulnerabilities have been exploited, it’s worth assuming that if you had an unpatched system, it may already be compromised. Incident response planning and detection capabilities (logging, monitoring, EDR) are as important as patching.
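The inventory-first and prioritize-by-exposure steps above, as an added example that is not from the post or the advisory: it cross-references a constructed asset inventory against the four advisory entries the post lists and ranks hosts that lack the fix, internet-facing ones first, by how long the fix has been available. The patch-availability dates are taken at month level from the post (day 1 is a placeholder), the hostnames, exposure flags and patch dates are made up, and `today` defaults to an assumed advisory week of 22 October 2020.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass(frozen=True)
class AdvisoryEntry:
    cve: str
    product: str
    patch_available: date  # month taken from the post; day 1 is a placeholder

# The four entries the post walks through (a subset of the advisory's 25).
ADVISORY = [
    AdvisoryEntry("CVE-2019-19781", "Citrix ADC", date(2019, 12, 1)),
    AdvisoryEntry("CVE-2020-5902", "F5 BIG-IP", date(2020, 7, 1)),
    AdvisoryEntry("CVE-2019-11510", "Pulse Secure VPN", date(2019, 4, 1)),
    AdvisoryEntry("CVE-2020-0688", "Microsoft Exchange", date(2020, 2, 1)),
]

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    internet_facing: bool
    last_patched: Optional[date]  # None: no patch record at all (a visibility gap)

# Constructed inventory: hostnames, exposure flags and dates are made up.
INVENTORY = [
    Asset("vpn-edge-01", "Pulse Secure VPN", True, date(2019, 1, 15)),
    Asset("lb-edge-02", "F5 BIG-IP", True, date(2020, 8, 3)),
    Asset("mail-01", "Microsoft Exchange", False, None),
    Asset("adc-legacy-01", "Citrix ADC", True, None),
    Asset("app-dev-03", "F5 BIG-IP", False, date(2020, 5, 10)),
]
# days_exposed: how long the fix has been available while the host went without it.
Finding = namedtuple("Finding", "host cve internet_facing days_exposed")

def prioritize(assets, advisory, today=date(2020, 10, 22)):  # default: assumed advisory week
    findings = []
    for asset in assets:
        for entry in advisory:
            if asset.product != entry.product:
                continue
            # Patched on or after the fix's release is assumed covered; no record counts as unpatched.
            if asset.last_patched is not None and asset.last_patched >= entry.patch_available:
                continue
            findings.append(Finding(asset.host, entry.cve, asset.internet_facing,
                                    (today - entry.patch_available).days))
    # Internet-facing hosts first, then the fix that has been available longest.
    findings.sort(key=lambda f: (not f.internet_facing, -f.days_exposed))
    return findings
```

A host with no patch record is ranked as if unpatched, which is the conservative reading of the visibility gap described above.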
My Take: This Is a Governance Failure
I’ve been in this industry long enough to know that the response to advisories like this will follow the usual pattern: a week of urgency, a flurry of patching activity, and then a slow return to the status quo. The next advisory will list different CVE numbers but the same underlying problem.
The root cause isn’t technical — it’s organizational. Patch management is a solved problem technically. We have the tools, the automation, the processes. What we lack is the governance framework that gives security teams the authority and resources to enforce timely patching, even when it’s inconvenient for the business.
State-sponsored actors are not going to wait for your change management board to meet. The 25 CVEs in this advisory are the known ones being exploited right now. The question isn’t whether your organization has vulnerabilities — it’s whether you know about them and have a credible plan to address them.
If this advisory prompts one thing in your organization, let it be an honest assessment of your patching posture. Not the patching posture you report in compliance audits, but the real one.
