Beyond CVE China’s Dual Vulnerability Databases Reveal a Different Disclosure Timeline

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The emergence of a distinct vulnerability disclosure ecosystem within China has introduced a complex layer to the global threat landscape.

Unlike the centralized CVE system used internationally, China maintains two separate databases—the CNVD and CNNVD—which operate with different disclosure timelines and priorities.

This dual structure has allowed for the quiet emergence of vulnerabilities that remain hidden from Western defenders for extended periods.

The primary attack vector here is informational asymmetry; by delaying the public release of vulnerability data, threat actors can exploit security gaps in popular software like Microsoft OneDrive before global patch cycles can react.

The impact of this disclosure gap is significant for enterprise security teams who rely on timely data to prioritize remediation.

When vulnerabilities are published in Chinese databases months before they appear in the U.S. National Vulnerability Database (NVD), it creates a window of exposure where organizations are blind to active threats.

For instance, a Microsoft OneDrive DLL hijacking vulnerability was cataloged in Chinese systems long before a comparable CVE was fully documented internationally.

This delay allows attackers to weaponize these “Red Vulns” against unsuspecting targets, using the lag in information to bypass standard detection protocols and establish persistence on compromised networks.

Bitsight analysts identified these discrepancies after conducting a comprehensive review of the publication timestamps across both ecosystems.

Example entries for CNNVD and CNVD respectively (Source – Bitsight)

Their research highlights that while the CNNVD largely mirrors the MITRE CVE list, the CNVD often operates with unique entries and independent timelines.

Growth of CNVD and CNNVD from earliest publication date (Source – Bitsight)

This illustrates the comparative growth of these databases, showing how the volume of vulnerabilities tracked by Chinese authorities has scaled to match global standards.

However, the critical finding is not just the volume, but the strategic latency introduced in the disclosure process, which effectively turns vulnerability data into a national security asset rather than a public good.

Strategic Disclosure Delays

The most concerning aspect of this ecosystem is the systematic delay in releasing high-severity vulnerability details to the broader public.

This persistence tactic effectively masks the infection mechanism of new exploits, leaving global defenders without the necessary Indicators of Compromise (IOCs) to detect early-stage attacks.

Arcs of delays between open and submission times when the delay is more than a week (Source – Bitsight)

This visualizes the “arcs of delays” between the submission of a vulnerability and its public release, revealing patterns where sensitive data is held back.

Furthermore, a significant percentage of CNVD entries do not map directly to a CVE immediately, creating a “shadow” inventory of security flaws.

Besides this it further emphasizes this by comparing severity distributions, showing how risk ratings can differ across borders.

To mitigate this, security teams must broaden their intelligence sources beyond NVD to include these international databases for a more complete threat picture.

CVE / ID Vulnerability Name Severity Key Observation
CVE-2024-33698 Generic Vulnerability High Mapped to CNVD entry; published later in CVE.
CNVD-2024-xxxxx OneDrive DLL Hijacking High Vaguely similar to CVE-2021-40444 but published earlier.
CNVD-202-35587 Bitcoin Core DoS Medium Example of “Event-based” vulnerability in CNVD.
CVE-2021-40444 MSHTML RCE Critical Used as a reference point for delay analysis.

Follow us on Google News, LinkedIn, and X to Get More Instant UpdatesSet CSN as a Preferred Source in Google.