China-linked hackers targeting UK infrastructure within days of vulnerabilities being exposed, threat report warns

China weaponising vulnerabilities within days as cyber activity surges 38%, report warns

By EJ Ward

China-linked hackers are exploiting newly disclosed software vulnerabilities within days of publication, as state-backed cyber activity accelerates at pace, according to a major new global threat report.

The 2026 Global Threat Report by CrowdStrike warns that China-nexus operations increased by 38% in 2025, with logistics companies seeing an 85% rise in targeting compared to the previous year.

The report describes a systematic preference among China-linked groups for attacking internet-facing “edge devices” such as VPN appliances, firewalls and gateways to gain initial access to corporate networks.

In 40% of cases where China-nexus actors exploited a vulnerability during an intrusion, the target was an edge device. These systems are often poorly monitored and inconsistently patched, making them attractive entry points for long-term intelligence operations.

Researchers found that Chinese state-aligned actors are now weaponising vulnerabilities with remarkable speed. In multiple cases during 2025, exploit code was deployed within days of public disclosure.

For example, one China-linked group exploited a SQL injection vulnerability six days after proof-of-concept code was published. In another case, two separate actors deployed exploits just two days after disclosure of a deserialisation flaw known as “React2Shell”.

CrowdStrike assesses “with high confidence” that China-nexus adversaries maintain dedicated resources to monitor vulnerability disclosures and rapidly develop operational exploits.

The strategy prioritises speed over operational secrecy, exploiting the short window between disclosure and patching. That window, the time between a flaw becoming public and an exploit being used against it, is shrinking.

The report highlights cases where Chinese-linked actors maintained persistent access for months or even years after initial compromise.

In one intrusion, an adversary retained access for 22 months after exploiting edge infrastructure. Investigators say this reflects intelligence collection objectives rather than smash-and-grab attacks.

Sectors most heavily targeted included telecommunications, financial services, logistics, legal and government entities, aligning with strategic intelligence priorities.

China-nexus activity targeting telecom, technology, legal, government, academic and critical infrastructure sectors collectively increased 34% year-on-year.

The findings suggest a maturing operational tempo among China-linked groups, with edge device exploitation becoming a preferred route for stealthy access.

Edge infrastructure frequently lacks endpoint detection tools, offers limited logging visibility and may not be patched promptly. That combination provides attackers with both immediate access and reduced risk of detection.

The report warns that organisations may need to prioritise patching internet-facing systems within 72 hours of critical vulnerability disclosure to reduce exposure.
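The practical consequence of the figures above is that a 72-hour patch target has to be measured against the two-day and six-day time-to-exploit the report observed, and that an edge device patched late may already host an intruder who will not be evicted by the patch. The script below is an added example, not code from CrowdStrike or the report, that triages a small constructed inventory of devices on exactly that basis: it computes each device's exposure window from disclosure to patch (or to now, if unpatched), flags breaches of the 72-hour target, and recommends a compromise hunt for internet-facing devices whose window exceeded the fastest observed time-to-exploit. Host names, advisory IDs and dates are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The 72-hour target for internet-facing systems that the report recommends.
PATCH_SLA = timedelta(hours=72)
# Time-to-exploit cases cited by the report: 2 days (React2Shell), 6 days (SQLi after PoC).
OBSERVED_TIME_TO_EXPLOIT = [timedelta(days=2), timedelta(days=6)]


@dataclass
class Exposure:
    host: str
    advisory: str              # hypothetical advisory identifier, not a real CVE
    internet_facing: bool
    disclosed: datetime        # public disclosure time
    patched: Optional[datetime]  # None means still unpatched


def exposure_window(e: Exposure, now: datetime) -> timedelta:
    """Time the device spent (or is still spending) exposed after disclosure."""
    return (e.patched or now) - e.disclosed


def assess_one(e: Exposure, now: datetime) -> dict:
    """Classify one device: SLA breach, exploit likelihood, and recommended actions."""
    window = exposure_window(e, now)
    # An exploit was plausibly available if the window matched the fastest observed case.
    exploit_likely = window >= min(OBSERVED_TIME_TO_EXPLOIT)
    actions = []
    if e.patched is None:
        actions.append("patch")
    if e.internet_facing and exploit_likely:
        # Patching does not evict an actor already inside (the report cites
        # 22 months of retained access), so the device needs a compromise hunt.
        actions.append("hunt")
    return {
        "host": e.host,
        "advisory": e.advisory,
        "internet_facing": e.internet_facing,
        "hours_exposed": window.total_seconds() / 3600,
        "sla_breached": window > PATCH_SLA,
        "exploit_likely": exploit_likely,
        "actions": actions or ["ok"],
    }


def assess(inventory: list, now: datetime) -> list:
    """Triage the inventory: internet-facing and unpatched first, then longest exposure."""
    results = [assess_one(e, now) for e in inventory]
    results.sort(key=lambda r: (not r["internet_facing"],
                                "patch" not in r["actions"],
                                -r["hours_exposed"]))
    return results


# Constructed sample inventory (hypothetical hosts, advisories and dates).
NOW = datetime(2025, 3, 10)
INVENTORY = [
    Exposure("vpn-gw-01", "ADV-2025-001", True,
             datetime(2025, 3, 1), datetime(2025, 3, 2, 12)),   # patched in 36h
    Exposure("fw-edge-02", "ADV-2025-001", True,
             datetime(2025, 3, 1), datetime(2025, 3, 6)),       # patched after 120h
    Exposure("app-internal-03", "ADV-2025-002", False,
             datetime(2025, 3, 1), None),                       # internal, unpatched
    Exposure("proxy-edge-04", "ADV-2025-003", True,
             datetime(2025, 3, 8), None),                       # edge, unpatched, 48h in
]

if __name__ == "__main__":
    for r in assess(INVENTORY, NOW):
        print(f'{r["host"]:16} {r["hours_exposed"]:6.0f}h  '
              f'sla_breached={r["sla_breached"]!s:5}  actions={",".join(r["actions"])}')
```

In the sample run the unpatched edge proxy sorts first because it is already 48 hours exposed, inside the 72-hour target but level with the fastest exploit the report saw, so it gets both "patch" and "hunt". The firewall that was patched after five days is no longer a patching problem but is flagged for a compromise hunt; the internal host is a patching task only.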

As geopolitical tensions continue and enterprise systems become more distributed, the perimeter itself is becoming the battlefield.