All of these vulnerabilities are well known, and patches for them were released long ago. Alas, not all users and companies update their software on time, and exploits for these bugs are freely available.
The NSA notes that many of these problems are exploited not only by Chinese hackers, but are also part of the arsenal of ransomware operators, smaller hacking groups, and other "government" hackers, including those from Russia and Iran.
“Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks,” the NSA explains.
The list of vulnerabilities itself is as follows:
1) CVE-2019-11510: A remote attacker can, without authentication, send a specially crafted URI to Pulse Secure VPN servers to read an arbitrary file. The bug can lead to disclosure of keys or passwords.
2) CVE-2020-5902: Traffic Management User Interface (TMUI) on F5 BIG-IP proxy servers and load balancers is vulnerable to an RCE bug that allows remote execution of arbitrary code and complete compromise of the device.
3) CVE-2019-19781: Citrix Application Delivery Controller (ADC) systems and Citrix gateways are vulnerable to a directory traversal issue that could lead to remote execution of arbitrary code without any credentials. By combining these problems, an attacker can completely compromise Citrix systems.
4, 5 and 6) CVE-2020-8193, CVE-2020-8195, CVE-2020-8196: Another set of bugs in gateways and Citrix ADC. These problems are also dangerous for SDWAN WAN-OP. The vulnerabilities allow unauthenticated access to certain URL endpoints and lead to information disclosure to low-privileged users.
7) CVE-2019-0708 (aka BlueKeep): RCE vulnerability in Remote Desktop Services on Windows systems.
8) CVE-2020-15505: An RCE vulnerability in MobileIron MDM that allows remote attackers to execute arbitrary code and hijack remote servers.
9) CVE-2020-1350 (aka SIGRed): An RCE vulnerability in Windows Domain Name System servers, which arises because they fail to properly process requests.
10) CVE-2020-1472 (aka Zerologon): A vulnerability that relies on a weak cryptographic algorithm used in the Netlogon authentication process. It allows an attacker to impersonate any computer on the network during authentication on a domain controller, disable security mechanisms, and change passwords in the Active Directory domain controller.
11) CVE-2019-1040: A remote MitM attacker could bypass NTLM MIC (Message Integrity Check) protection in Microsoft Windows.
12) CVE-2018-6789: Sending a specially crafted message to Exim may cause a buffer overflow. It can be used for remote code execution and hijacking of mail servers.
13) CVE-2020-0688: RCE vulnerability in Microsoft Exchange related to incorrect handling of objects in memory.
14) CVE-2018-4939: Some versions of Adobe ColdFusion are affected by a deserialization of untrusted data vulnerability. Successful exploitation of the bug can lead to arbitrary code execution.
15) CVE-2015-4852: The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands by creating a serialized Java object.
16) CVE-2020-2555: Oracle Coherence contains a bug in Oracle Fusion that allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence.
17) CVE-2019-3396: The Widget Connector macro in Atlassian Confluence Server allows remote attackers to perform path traversal and remote code execution on Confluence Server or Data Center using server-side template injection.
18) CVE-2019-11580: An attacker could send requests to Atlassian Crowd or Crowd Data Center and exploit this vulnerability to install arbitrary plugins, which would eventually lead to remote code execution.
19) CVE-2020-10189: Zoho ManageEngine Desktop Central allows remote code execution due to deserialization of untrusted data.
20) CVE-2019-18935: Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can lead to remote code execution.
21) CVE-2020-0601 (aka CurveBall): A spoofing bug is present in Windows CryptoAPI (Crypt32.dll) during the validation of Elliptic Curve Cryptography (ECC) certificates. An attacker can use a fake certificate to sign malicious executable files, making it appear as if the malware comes from a trusted, legitimate source.
22) CVE-2019-0803: A privilege escalation vulnerability in Windows where Win32k does not correctly handle objects in memory.
23) CVE-2017-6327: RCE vulnerability in Symantec Messaging Gateway.
24) CVE-2020-3118: A vulnerability found in the Cisco IOS XR Software implementation of the Cisco Discovery Protocol allows an unauthenticated, nearby attacker to execute arbitrary code or force a reboot of a vulnerable device.
25) CVE-2020-8515: DrayTek Vigor devices allow remote code execution as root (without authentication) using shell metacharacters.