惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

H
Heimdal Security Blog
P
Privacy International News Feed
S
Schneier on Security
P
Proofpoint News Feed
L
Lohrmann on Cybersecurity
Spread Privacy
Spread Privacy
P
Privacy & Cybersecurity Law Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
K
Kaspersky official blog
大猫的无限游戏
大猫的无限游戏
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
aimingoo的专栏
aimingoo的专栏
Simon Willison's Weblog
Simon Willison's Weblog
S
Securelist
Help Net Security
Help Net Security
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Security Archives - TechRepublic
Security Archives - TechRepublic
云风的 BLOG
云风的 BLOG
The GitHub Blog
The GitHub Blog
N
News and Events Feed by Topic
Hacker News: Ask HN
Hacker News: Ask HN
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
M
MIT News - Artificial intelligence
雷峰网
雷峰网
博客园 - 司徒正美
V
V2EX
AWS News Blog
AWS News Blog
Know Your Adversary
Know Your Adversary
N
News | PayPal Newsroom
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
PCI Perspectives
PCI Perspectives
Google DeepMind News
Google DeepMind News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
U
Unit 42
C
Cybersecurity and Infrastructure Security Agency CISA
P
Palo Alto Networks Blog
G
Google Developers Blog
T
Threat Research - Cisco Blogs
博客园 - Franky
I
InfoQ
D
DataBreaches.Net
爱范儿
爱范儿
Y
Y Combinator Blog
博客园 - 叶小钗
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报

Recorded Future

The Threat Isn’t the Frontier Model Iran-Nexus TAG-182 Disseminates MarkiRAT Surveillance Tool Where Expertise Meets Algorithm: The Insikt Group® Intelligence Edge Evaluating Mexico’s New Cybersecurity Plan The Purchase Scam Tactic Headed for the World Cup | Recorded Future FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems The Klue Security Incident and Its Impact on Recorded Future State Digital Surveillance Risk Landscape The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine Cyber-Enabled Maritime Sanctions Evasion Recorded Future Launches Impact and Metrics Dashboard 2026 FIFA World Cup: What Public Safety Officials Need to Know China's Noncombatant Evacuation Operations: 2005–2025 Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars May 2026 CVE Landscape Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage Threats to the 2026 FIFA World Cup Remembering Sir Alex Younger Iran Expands Handala Brand to Physical Threats The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. At Mythos Speed: A Defender's Playbook for the AI Vulnerability Surge in 2026 April 2026 CVE Landscape Beyond Acceleration and Automation: How AI + Intelligence Changes Cyber Defense NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals A Complete History of Cybersecurity: From Early Viruses to AI-Powered Threats The Different Types of Payment Fraud and How to Prevent Them Digital Citizenship Glossary: Key Terms Every Internet User Should Know Quantum Risk Explained Threat Activity Enablers: The Backbone of Today’s Threat Landscape Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more. Hacking Embodied AI Working in London at the World’s Largest Intelligence Company Risk Scenarios for the US’s Strategic Pivot Building with AI: Here's What No Briefing Will Tell You Lazarus Doesn't Need AGI The Money Mule Solution: What Every Scam Has in Common From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026 Critical minerals and cyber operations Today, trust is the superpower that makes innovation possible AI Hype vs. Reality: Is AI Really Rewriting the Vulnerability Equation? Evolution of Chinese-Language Guarantee Telegram Marketplaces Emerging Enterprise Security Risks of AI From Bazooka to Fake Nikes Your Supply Chain Breach Is Someone Else's Payday 4 Essential Integration Workflows for Operationalizing Threat Intelligence Recorded Future Iran War: Future Scenario and Business Implications A New Way to Buy Recorded Future: Solutions and Packages Built for the 2026 Threat Landscape March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day VIP Credential Monitoring Blog Third-Party Risk Is an Intelligence Operation. It's Time We Treated It Like One. Understanding and Anticipating Venezuelan Government Actions The Iran War: What You Need to Know Day in the Life: Product Manager at Recorded Future Panorama del cibercrimen en América Latina y el Caribe Latin America and the Caribbean Cybercrime Landscape Panorama do cibercrime na América Latina e Caribe Industrialization of the Fraud Ecosystem Blog The Shift: An Era of Quantum Geopolitics ClickFix Campaigns Targeting Windows and macOS 2025 Year in Review: Malicious, Infrastructure 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025 February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day Preparing for Russia’s New Generation Warfare in Europe 2025 Cloud Threat Hunting and Defense Landscape GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack Network Intelligence: Your Questions, Global Answers Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026 State of Security Report | Recorded Future From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations Rublevka Team: Anatomy of a Russian Crypto Drainer Operation Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future PurpleBravo’s Targeting of the IT Software Supply Chain Threat and Vulnerability Management in 2026 Best Ransomware Detection Tools December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity Practitioners Reveal What Makes Threat Intelligence Programs Mature GRU-Linked BlueDelta Evolves Credential Harvesting New ransomware tactics to watch out for in 2026 Digital Threat Detection Tools & Best Practices BlueDelta’s Persistent Campaign Against UKR.NET The $0 Transaction That Signaled a Nation-State Cyberattack Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ What’s Next for Enterprise Threat Intelligence in 2026 Palestine Action: Operations and Global Network Implications of Russia-India-China Trilateral Cooperation GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October 5 Real-Word Third-Party Risk Examples When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors The Bug That Won't Die: 10 Years of the Same Mistake The Hidden Cascade: Why Law Firm Breaches Destroy More than Data Intellexa’s Global Corporate Web The Maturity Gap: The Next Frontier in Threat Intelligence Inside the CopyCop Playbook: How to Fight Back in the Age of Synthetic Media AI Malware: Hype vs. Reality
China’s Zero-Day Pipeline: From Discovery to Deployment
2025-12-17 · via Recorded Future

Executive Summary

  • China’s observed use of zero-days has declined since 2023. However, it has expanded its capacity to discover and manage vulnerabilities, signaling a continued effort toward stockpiling exploits for strategic or military advantage.
  • The Data Security Law (DSL) and Provisions on the Management of Network Product Security Vulnerabilities (RMSV) give the Chinese state first access and control over zero-days. Combined with government-backed competitions, incentives, and private contractors, this framework likely sustains one of the world’s largest reserves of exploitable vulnerabilities.
  • The creation of the Information Support Force (ISF) and Cyberspace Force (CSF) signals China’s consolidation of cyber capabilities, likely enabling more effective offensive and defensive cyber operations, with vulnerabilities likely serving as a central resource.
  • Defenders should adopt an “assume breach” posture and build for containment, implementing zero trust and layered defenses to limit attacker movement and impact after an exploit.

Figure 1: How China stockpiles vulnerabilities (Source: Recorded Future)

Analysis

Zero-Days as Strategic Weapons

A zero-day is a previously unknown software flaw for which no patch exists at the time it is discovered or exploited. Once weaponized, it allows adversaries to gain access, escalate privileges, or execute remote commands. These capabilities are especially effective against perimeter and enterprise systems, where a successful compromise can provide initial access and allow attackers to maintain persistence and carry out further cyber actions.

Choosing whether to disclose or keep a zero-day vulnerability is a strategic decision. Governments must balance public safety with the potential intelligence or military value of keeping the flaw secret. In the US, this process is guided by the Vulnerabilities Equities Process (VEP), which is designed to be transparent and generally favors disclosure to help maintain internet security.

China’s Vulnerability Management Regime

China’s vulnerability management system is centralized and led by the state. Its laws, incentives, and institutions work together to feed new exploits and technical capabilities directly to the government, turning software vulnerabilities into strategic assets under state control.

  • Mandatory Reporting

The RMSV (2021) requires that all discovered vulnerabilities be reported to the Ministry of Industry and Information Technology (MIIT) within two days and prohibits disclosure to foreign entities. The Data Security Law (DSL) and National Intelligence Law (NIL) further compel all individuals and organizations to support state security objectives, with strict penalties for non-compliance. Together, these laws grant Beijing first access and complete control over all newly discovered flaws.

  • Incentivizing Compliance

This legal framework is reinforced through financial and professional incentives. The China National Vulnerability Database of Information Security (CNNVD), managed by the Ministry of State Security (MSS), offers researchers and firms monetary rewards, certificates, honorary titles, and preferential access to government contracts. This system encourages compliance by making vulnerability disclosure both mandatory and materially rewarding.

  • Talent Development and Recruitment Pipelines

China combines strict regulations with a well-organized system for developing cybersecurity talent. Competitions such as the Tianfu Cup, Matrix Cup, and QiangWang Cup serve as key recruitment and training platforms for the state’s cyber programs. The 2024 Matrix Cup’s $2.75 million USD prize pool, nearly twice that of Canada’s Pwn2Own, highlights the size of this investment.

  • Private Sector Relationships

    China’s private sector also plays a pivotal role. Major firms such as Qi An Xin, Huawei, Qihoo 360, and NSFocus contribute vulnerabilities and technical expertise directly to the government. Large technology companies also fund or subcontract offensive work to smaller firms, creating a dense ecosystem of start-ups engaged in exploit research and hacking services. The i-SOON leaks (2023) revealed the scale and interconnectedness of this ecosystem: The company sold hack-for-hire services and targeting platforms to government customers while subcontracting work for Qi An Xin and Chengdu 404.

From Discovery to Deployment: Operationalizing China’s Vulnerability Pipeline

This centralized vulnerability ecosystem is producing measurable results, enabling Chinese state-sponsored groups to convert vulnerability discovery into operational access at a speed and scale far beyond that seen in other national programs. A clear manifestation of this is their sustained focus on enterprise and edge technologies, including Fortinet, VMware/ESXi, and Ivanti, where access is durable and often high-privileged, and detection is limited. In 2025, China-linked groups exploited Ivanti VPN and Trimble Cityworks (1, 2) flaws as part of a long-term strategy to remain undetected within networks, expand access, and position themselves for potential critical infrastructure disruption.

China continues to expand its network of CNNVD technical support units (TSUs) and related programs, increasing its overall research base. TSUs are specialized organizations, often universities, state-linked labs, and cybersecurity firms that directly feed vulnerability research and intelligence into the national system. Since 2021, the number of TSUs has increased significantly, broadening the state’s research capacity and deepening its ability to identify and operationalize software flaws at scale.

Figure 2: Number of new CNNVD TSUs by month, June 2021 to July 2025 (Source: Natto Thoughts)

Most vulnerability disclosures to affected vendors and the broader security community still originate from universities, labs, and cybersecurity firms associated with CNNVD, CNVD, and the expanding TSU network. However, even as the ecosystem grows, the overall volume of these disclosures continues to decline, indicating that a larger share of discoveries is now being routed internally rather than published. This suggests that more vulnerabilities are being withheld for state-directed use. Secrecy surrounding hacking competitions is also growing: The Tianfu Cup was not held publicly in 2024, and the 2024 Matrix Cup shared little to no details about discovered exploits. These competitions have historically been major sources of high-quality vulnerabilities, and reduced transparency further aligns with the shift away from open disclosure.

Together, these trends — the rapid expansion of TSUs, the decline in public vulnerability reporting, and the tightening secrecy around exploit-generation events — likely point to a deliberate state strategy that emphasizes centralized stockpiling and selective operational use of vulnerabilities rather than public disclosure.

Strategic Stockpiling and Selective Use

China’s reported use of zero-days declined from twelve in 2023 to five in 2024, and it is responsible for only ten of the 104 zero-day exploits identified globally so far in 2025. While this may partly reflect limited visibility into zero-day deployment and attribution, the trend may also suggest a more selective, strategic approach to when and how its zero-day capabilities are used.

Figure 3: Of the 104 zero-days identified in 2025, ten were attributed to Chinese state-sponsored threat actors (Source: Recorded Future)

Beijing’s control mechanisms under the RMSV and DSL enable it to selectively weaponize or withhold zero-days, preserving its most impactful capabilities for crises or strategic objectives. At the same time, n-day vulnerabilities — older but still unpatched flaws — remain highly effective due to inconsistent global patching.

Using these known flaws allows Chinese operators to gain access to networks and gather intelligence without revealing their zero-day exploits. Overall, this reflects a system designed for long-term preparedness rather than immediate gain.

Military Integration and Strategic Significance

China’s April 2024 military reforms introduced three new divisions within the People’s Liberation Army (PLA), including two centered on cyber and information security:

  • The Information Support Force (ISF), which is responsible for the security and continuity of China’s military networks, data systems, and command infrastructure
  • The Cyberspace Force (CSF), which is dedicated to both offensive and defensive cyber operations

Together, the two units consolidate China’s cyber and information capabilities, which were previously primarily nested under the PLA Strategic Support Force. These units form the backbone of its digital warfighting structure. The restructuring is likely to enhance Beijing’s ability to coordinate kinetic and cyber operations, with zero-days serving as key enablers and potential first-strike tools.

The future use of zero-days will depend on how China decides to pursue its geostrategic goals, such as future unification with Taiwan. However, by compromising critical networks in advance, China can secure persistent access and deploy disruptive cyber effects alongside kinetic operations, as seen in Russia’s coordinated cyber-military campaigns in Ukraine. Chinese state-sponsored Volt Typhoon activity has been widely assessed as fulfilling such a purpose.

Outlook

  • Increased Willingness to Use Zero-Days: As China reduces its reliance on US technology through its “Delete America” campaign, the cost of exploiting Western software will decrease, making zero-day use more attractive in future conflicts over the long term.
  • Expanded Pre-Positioning: Expect continued infiltration of critical infrastructure and enterprise systems through both n-day and zero-day exploits to ensure durable wartime access.
  • Increased N-day Use: The rapid adoption of AI-assisted coding and automation is accelerating the accumulation of software vulnerabilities. This expanding security debt — the accumulation of unpatched and unreviewed vulnerabilities — will give adversaries, including China, a broader and more persistent pool of n-day exploits to weaponize.
  • Evolving Contractor Ecosystem: State-aligned private firms are likely to accelerate automation and AI-assisted vulnerability discovery, thereby expanding the Chinese state’s operational stockpile of viable exploits.

Mitigations

  • Adopt an “Assume Breach” Posture: Implement zero-trust architectures that enforce identity and device verification at every access point. Use Recorded Future® Threat Intelligence to monitor for China-nexus infrastructure and malicious activity, feeding enriched indicators directly into security information and event management (SIEM) and security orchestration, automation, and response (SOAR) workflows.
  • Prioritize Edge and Enterprise Patching: Focus remediation efforts on virtual private networks (VPNs), firewalls, hypervisors, and identity platforms most commonly targeted by China-nexus threat actors. Use Recorded Future Vulnerability Intelligence to track emerging zero-day and n-day threats, prioritize patching by exploitation risk, and validate remediation across critical systems.
  • Detect Post-Exploitation Behavior: Use D3FEND mappings such as Process Access Pattern Analysis (D3-PAPA) and Remote Access Detection (D3-RAD) to identify stealthy follow-on actions. Combine these controls with Recorded Future Attack Surface Intelligence to identify exposed assets and verify that detection coverage extends to externally facing environments.
  • Secure Identities and Access: Leverage Recorded Future Identity Intelligence to detect compromised credentials that may complement exploit-based intrusions.

Risk Scenario

EnerTech Global, a European energy technology firm providing control systems and smart grid software to multiple NATO-aligned countries, becomes the target of a Chinese state-sponsored cyber campaign. Using undisclosed zero-day vulnerabilities, Chinese operators infiltrate EnerTech’s production and customer environments to gather intelligence, manipulate software updates, and pre-position for potential disruption.

First-Order Implications

Chinese threat actors exploit a zero-day in a network management or VPN appliance to gain initial access to EnerTech’s internal systems and engineering networks.

A zero-day in industrial control or software build pipelines is used to insert malicious code into firmware updates distributed to downstream customers.

Organizational Risks:

  • Operational: Compromise of development and production networks halts manufacturing and disrupts customer support operations.
  • Legal: Breach of export-control and cybersecurity regulations triggers EU and US compliance investigations.
  • Brand: Public confirmation of a “state-backed breach” undermines trust with government and defense customers dependent on EnerTech’s technology.

Second-Order Implications

Attackers use stolen code-signing certificates to distribute trojanized software updates to energy utilities across Europe. Collected intelligence on grid infrastructure is used to map potential disruption points for future contingency operations.

Organizational Risks:

  • Operational: Some utilities begin to see irregularities in their operational technology (OT) environments, including unexpected behavior in grid-monitoring tools, delayed telemetry updates, and unexplained authentication failures on systems that rely on EnerTech software.
  • Brand: EnerTech’s reputation deteriorates as customers and regulators question its software assurance and supply chain controls.
  • Legal: Disclosure of tampered software triggers international incident response coordination and potential export-license suspension.

Third-Order Implications

Persistent access enables China to remotely sabotage or disable systems during a geopolitical crisis, thereby amplifying disruption across allied power grids. Stolen intellectual property is used by Chinese competitors to replicate EnerTech’s industrial software, undercutting global market bids.

Organizational Risks:

  • Competitive: Loss of proprietary code and technology enables China-based competitors to dominate regional procurement markets.
  • Brand: Association with a high-profile critical infrastructure breach erodes long-term credibility in both commercial and government sectors.
  • Legal: Multinational investigations and sanctions create enduring compliance exposure and financial penalties.

Further Reading