Did a Vendor's Leak Help Attackers Exploit Microsoft's SharePoint Servers? (theregister.com) 22
The vulnerability-watching "Zero Day Initiative" was started in 2005 as a division of 3Com, then acquired in 2015 by cybersecurity company Trend Micro, according to Wikipedia.
But the Register reports today that the initiative's head of threat awareness is now concerned about the source for that exploit of Microsoft's SharePoint servers: How did the attackers, who include Chinese government spies, data thieves, and ransomware operators, know how to exploit the SharePoint CVEs in such a way that would bypass the security fixes Microsoft released the following day? "A leak happened here somewhere," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told The Register. "And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day...."
Patch Tuesday happens the second Tuesday of every month — in July, that was the 8th. But two weeks before then, Microsoft provides early access to some security vendors via the Microsoft Active Protections Program (MAPP). These vendors are required to sign a non-disclosure agreement about the soon-to-be-disclosed bugs, and Microsoft gives them early access to the vulnerability information so that they can provide updated protections to customers faster....
One researcher suggests a leak may not have been the only pathway to exploit. "Soroush Dalili was able to use Google's Gemini to help reproduce the exploit chain, so it's possible the threat actors did their own due diligence, or did something similar to Dalili, working with one of the frontier large language models like Google Gemini, o3 from OpenAI, or Claude Opus, or some other LLM, to help identify routes of exploitation," Tenable Research Special Operations team senior engineer Satnam Narang told The Register. "It's difficult to say what domino had to fall in order for these threat actors to be able to leverage these flaws in the wild," Narang added.
Nonetheless, Microsoft did not release any MAPP guidance for the two most recent vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which are related to the previously disclosed CVE-2025-49704 and CVE-2025-49706. "It could mean that they no longer consider MAPP to be a trusted resource, so they're not providing any information whatsoever," Childs speculated. [He adds later that "If I thought a leak came from this channel, I would not be telling that channel anything."]
"It also could mean that they're scrambling so much to work on the fixes they don't have time to notify their partners of these other details.
Alternative possibility (Score:5, Interesting)
The patch by Microsoft may have been laughably primitive and did not really fix things. They did that often enough before. The attackers may just have anticipated that (no AI needed) from past observations and may have developed their exploit one or two steps further than needed in anticipation of Microsoft doing only the absolute minimum.
Not saying this is what happened, but it may well be. It is really time to stop assuming Microsoft does anything right in the security space.
Re: (Score:3)
Interesting point, I would formulate it a bit differently,
when Microsoft issues a patch that is exploited just right after that,
then this patch did just cover up the vulnerability without either fixing the core problem, or introducing another vulnerability.
And here I would say Microsoft deserves the full blame,
because one thing that needs to be understood is that there are many, many talented people out there doing reverse engineering, code analysis, as well as exploit creation, and just by the numbers China
Re:Alternative possibility (Score:5, Interesting)
Well, you are certainly more careful in how to phrase it. But I really think the time to go easy on Microsoft is long past. They had a ton of 2nd, 3rd, 4th and more chances and they continue to fuck it up. This is not even a pattern anymore, this is a fundamental incapability we are seeing. Yes, there are others that do not do much better. But the cost to society is just getting far too high and this has to stop.
Re: (Score:2)
Especially when they are the golden child of the US government's information systems.
From what I am seeing, the early 2020s will be the high water mark of the "cloud" and things are just going to start reverting back to closed down networks. There is too much at risk for companies with sensitive designs, and too many companies like Microsoft attached to their secure clouds that can open up a leak path.
An absolutely real national security risk is the push to the cloud of common design and manufacturing softw
Re: (Score:2)
Re: (Score:2)
At least with them spread out they have to decide which target to put their tiger team on. Now it is easy, just go after that big one with everything in it.
Indeed. And with it spread out, there is a good chance the others will be warned when, say, 5% have gotten successfully hacked. "All eggs - one basket" is about the most abysmally stupid security design you can do. All just to make a few more bucks.
Re: (Score:2)
Re: (Score:2)
Everyone knows this and yet there are 8,000 to 16,000 SharePoint servers exposed to the internet ... this is not Microsoft's fault.
I disagree. It clearly is mostly Microsoft's fault. Did they tell people that SharePoint servers should never be Internet-reachable? Did they secure the software properly? Did they provide security patches that work? No on all counts AFAIK.
Yes, there are too many morons that place too much trust in the crap that Microsoft produces, but Microsoft is still producing crap and that is the root-cause here.
Re: (Score:2)
I don't see it as a vendor leak. It was chaining two flaws that were pretty obvious.
The first flaw was an authentication bypass - which was so primitive it's a wonder why it's a 2025 CVE (it relied on "referer" headers).
The second flaw is related to deserialization of data, and anyone who does this knows it's something extremely tricky and is very insecure. Deserialization of any object is an inherently risky task, and it's something that's stymied experienced developers for 50+ years (back when it was a si
Re: (Score:2)
I don't see it as a vendor leak. It was chaining two flaws that were pretty obvious.
The first flaw was an authentication bypass - which was so primitive it's a wonder why it's a 2025 CVE (it relied on "referer" headers).
Seriously? Incredible. That is an absolute standard example for "exceptionally dumb stuff you should never, ever do".
The second flaw is related to deserialization of data, and anyone who does this knows it's something extremely tricky and is very insecure. Deserialization of any object is an inherently risky task, and it's something that's stymied experienced developers for 50+ years (back when it was a simpler "parse this file", that later grew into "handle this network protocol").
Yes. I just tell my IT Security students "Do not do this. It cannot be reliably secured." It is easy to do though, and hence dumb developers that do not understand security keep doing it.
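The two flaw classes named in the comment above (and in the comment it quotes), an access check that trusts a client-supplied Referer header and a deserializer that lets the input choose the object type, are easy to see in miniature. The following is a constructed example added to this thread, not SharePoint's or Microsoft's code: each weak check sits beside a hardened version, and every name in it (`TRUSTED_PREFIX`, `referer_gate`, `session_gate`, `type_driven_load`, `schema_load`, `SCHEMA`) is an assumption made for the illustration.

```python
"""Constructed example (not SharePoint's or Microsoft's code): two toy checks,
each beside a hardened version, illustrating the flaw classes discussed above.
All names here are assumptions made for the illustration."""
import importlib
import json
from typing import Optional

# ---- Flaw class 1: using a client-supplied Referer header as an access check ----
TRUSTED_PREFIX = "https://intranet.example/_layouts/"   # assumed "trusted" origin


def referer_gate(headers: dict) -> bool:
    """Weak: the Referer header is set by the client, so any caller can satisfy it.
    It is a hint about where a browser came from, not evidence of identity."""
    return headers.get("Referer", "").startswith(TRUSTED_PREFIX)


def session_gate(session: Optional[dict]) -> bool:
    """Hardened: authorization comes from a server-side session record the client
    cannot forge. `session` is what the server looked up from a session cookie
    (None when there is no valid session); nothing in the request headers counts."""
    return bool(session) and session.get("authenticated") is True


# ---- Flaw class 2: deserializing untrusted input into arbitrary object types ----
def type_driven_load(body: str):
    """Weak: the input names the class to instantiate, which is the pattern behind
    most deserialization vulnerabilities. Even with harmless classes this hands
    control over which code runs to whoever supplies the body."""
    doc = json.loads(body)
    module_name, _, class_name = doc.pop("__type__").rpartition(".")
    cls = getattr(importlib.import_module(module_name), class_name)
    return cls(**doc)


SCHEMA = {"title": str, "count": int}   # the only shape the endpoint accepts


def schema_load(body: str) -> dict:
    """Hardened: parse a data-only format into plain dicts and validate a fixed
    schema. No type names are honored, unknown fields are rejected, and the
    result is inert data rather than a live object graph."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise ValueError("malformed body") from exc
    if not isinstance(doc, dict) or set(doc) != SCHEMA.keys():
        raise ValueError("unexpected or missing fields")
    for name, typ in SCHEMA.items():
        # exact type match: bool is deliberately not accepted where int is expected
        if type(doc[name]) is not typ:
            raise ValueError(f"field {name!r} must be {typ.__name__}")
    return doc
```

The point of the pairing is that the hardened versions do not try to be cleverer about inspecting the input; they stop consulting it for decisions it should never control, which is the only fix that survives the next bypass.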
Chinese Engineers (Score:4, Interesting)
Re: (Score:1)
Re: (Score:2)
That obviously cannot be it. No. No. Really not. And there for sure are no Chinese backdoors into MS infrastructure left and right and no Chinese spies that could leak stuff or tell the attackers how Microsoft does things. Not possible.
As long as we are all just speculating (Score:3)
Going after the ASP.NET keys is not an unknown technique. It may not be popular bug bounty fodder because in most cases the attack will be highly application specific, but they are on the radar of anyone doing targeted operations.
Once you have that you have a vector to send serialized payloads that are encrypted not by TLS but inside the protocol envelope. That means it will be opaque even to relatively high-end IDS/IPS/WAF solutions. Importantly you can use it while making requests to resource paths that are likely normally seen; key point, monitoring and detection is not going to see the channel even if it is pretty darn good.
Now imagine you could discover and develop such an exploit offline in your own SharePoint environment, it works unauthenticated and across a range of versions, pretty nice tool to go after some high value targets until...
A patch comes out. You look at the patch, it's easy, even easier than usual, to reverse engineer it with or without LLM tools, because you already understand the problem. You know you can evade it and get an exploit chain going again.. fine, but now it has all sorts of eyes on it. Maybe not something you want to risk using anymore depending on exactly what kind of operator you are and what your real objectives are but... you do have a clandestine operation to fund, and the ransomware boys will buy an exploit like that for middle six figures... or maybe you are the DPRK or something and everyone knows you do ransomware to acquire money and maybe just disrupt your enemies' economies already, perhaps your 'A' team turns over the details to the 'B' team to make some bank with and embarrass the US government without revealing the 'A' team's real capabilities or operations.
We absolutely know patches get reversed and exploits generated from them to attack the slow to patch. Plenty of history of that, but it is not hard to imagine that certain threat groups were holding onto a high value exploit like this given the range of targets and, having just seen it get "burned", went for getting as much residual value as possible too.
Microsoft is busy (Score:2)
It also could mean that they're scrambling so much to work on the fixes they don't have time to notify their partners of these other details.
It's not just that. They are right in the middle of a major system software release [theregister.com].
Too many trusted vendors in MAPP (Score:2)
Microsoft = Insecure (Score:2)
Don't come running to me if you are choosing an operating system or software stack from a vendor (Microsoft) where security and protection are not a standard part of the operating system and must be paid for at an additional fee. That means it's insecure by design.