The emergence of a distinct vulnerability disclosure ecosystem within China has introduced a complex layer to the global threat landscape.
Unlike the centralized CVE system used internationally, China maintains two separate databases—the CNVD and CNNVD—which operate with different disclosure timelines and priorities.
This dual structure has allowed for the quiet emergence of vulnerabilities that remain hidden from Western defenders for extended periods.
The primary attack vector here is informational asymmetry; by delaying the public release of vulnerability data, threat actors can exploit security gaps in popular software like Microsoft OneDrive before global patch cycles can react.
The impact of this disclosure gap is significant for enterprise security teams who rely on timely data to prioritize remediation.
When vulnerabilities are published in Chinese databases months before they appear in the U.S. National Vulnerability Database (NVD), it creates a window of exposure where organizations are blind to active threats.
For instance, a Microsoft OneDrive DLL hijacking vulnerability was cataloged in Chinese systems long before a comparable CVE was fully documented internationally.
This delay allows attackers to weaponize these “Red Vulns” against unsuspecting targets, using the lag in information to bypass standard detection protocols and establish persistence on compromised networks.
Bitsight analysts identified these discrepancies after conducting a comprehensive review of the publication timestamps across both ecosystems.
.webp)
Their research highlights that while the CNNVD largely mirrors the MITRE CVE list, the CNVD often operates with unique entries and independent timelines.
.webp)
This illustrates the comparative growth of these databases, showing how the volume of vulnerabilities tracked by Chinese authorities has scaled to match global standards.
However, the critical finding is not just the volume, but the strategic latency introduced in the disclosure process, which effectively turns vulnerability data into a national security asset rather than a public good.
Strategic Disclosure Delays
The most concerning aspect of this ecosystem is the systematic delay in releasing high-severity vulnerability details to the broader public.
This persistence tactic effectively masks the infection mechanism of new exploits, leaving global defenders without the necessary Indicators of Compromise (IOCs) to detect early-stage attacks.
.webp)
This visualizes the “arcs of delays” between the submission of a vulnerability and its public release, revealing patterns where sensitive data is held back.
Furthermore, a significant percentage of CNVD entries do not map directly to a CVE immediately, creating a “shadow” inventory of security flaws.
Besides this it further emphasizes this by comparing severity distributions, showing how risk ratings can differ across borders.
To mitigate this, security teams must broaden their intelligence sources beyond NVD to include these international databases for a more complete threat picture.
| CVE / ID | Vulnerability Name | Severity | Key Observation |
|---|---|---|---|
| CVE-2024-33698 | Generic Vulnerability | High | Mapped to CNVD entry; published later in CVE. |
| CNVD-2024-xxxxx | OneDrive DLL Hijacking | High | Vaguely similar to CVE-2021-40444 but published earlier. |
| CNVD-202-35587 | Bitcoin Core DoS | Medium | Example of “Event-based” vulnerability in CNVD. |
| CVE-2021-40444 | MSHTML RCE | Critical | Used as a reference point for delay analysis. |
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
