Did a Vendor's Leak Help Attackers Exploit Microsoft's SharePoint Servers? (theregister.com)
The vulnerability-watching "Zero Day Initiative" was started in 2005 as a division of 3Com, then acquired in 2015 by cybersecurity company Trend Micro, according to Wikipedia.
But the Register reports today that the initiative's head of threat awareness is now concerned about the source for that exploit of Microsoft's SharePoint servers: How did the attackers, who include Chinese government spies, data thieves, and ransomware operators, know how to exploit the SharePoint CVEs in such a way that would bypass the security fixes Microsoft released the following day? "A leak happened here somewhere," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told The Register. "And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day...."
Patch Tuesday happens the second Tuesday of every month — in July, that was the 8th. But two weeks before then, Microsoft provides early access to some security vendors via the Microsoft Active Protections Program (MAPP). These vendors are required to sign a non-disclosure agreement about the soon-to-be-disclosed bugs, and Microsoft gives them early access to the vulnerability information so that they can provide updated protections to customers faster....
One researcher suggests a leak may not have been the only pathway to exploit. "Soroush Dalili was able to use Google's Gemini to help reproduce the exploit chain, so it's possible the threat actors did their own due diligence, or did something similar to Dalili, working with one of the frontier large language models like Google Gemini, o3 from OpenAI, or Claude Opus, or some other LLM, to help identify routes of exploitation," Tenable Research Special Operations team senior engineer Satnam Narang told The Register. "It's difficult to say what domino had to fall in order for these threat actors to be able to leverage these flaws in the wild," Narang added.
Nonetheless, Microsoft did not release any MAPP guidance for the two most recent vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which are related to the previously disclosed CVE-2025-49704 and CVE-2025-49706. "It could mean that they no longer consider MAPP to be a trusted resource, so they're not providing any information whatsoever," Childs speculated. [He adds later that "If I thought a leak came from this channel, I would not be telling that channel anything."]
"It also could mean that they're scrambling so much to work on the fixes they don't have time to notify their partners of these other details.
Alternative possibility (Score:3, Interesting)
The patch by Microsoft may have been laughably primitive and did not really fix things. They did that often enough before. The attackers may just have anticipated that (no AI needed) from past observations and may have developed their exploit one or two steps further than needed in anticipation of Microsoft doing only the absolute minimum.
Not saying this is what happened, but it may well be. It is really time to stop assuming Microsoft does anything right in the security space.
Re: (Score:3)
Interesting point, I would formulate it a bit differently,
when Microsoft issues a patch that is exploited right after that,
then this patch either just covered up the vulnerability without fixing the core problem, or introduced another vulnerability.
And here I would say Microsoft deserves the full blame,
because one thing that needs to be understood is that there are many, many talented people out there doing reverse engineering, code analysis, as well as exploit creation, and just by the numbers China
Re:Alternative possibility (Score:5, Interesting)
Well, you are certainly more careful in how to phrase it. But I really think the time to go easy on Microsoft is long past. They had a ton of 2nd, 3rd, 4th and more chances and they continue to fuck it up. This is not even a pattern anymore, this is a fundamental incapability we are seeing. Yes, there are others that do not do much better. But the cost to society is just getting far too high and this has to stop.
Re: (Score:2)
Especially when they are the golden child of the US government's information systems.
From what I am seeing, the early 2020s will be the high water mark of the "cloud" and things are just going to start reverting back to closed down networks. There is too much at risk for companies with sensitive designs, and too many companies like Microsoft attached to their secure clouds that can open up a leak path.
An absolutely real national security risk is the push to the cloud of common design and manufacturing softw
Chinese Engineers (Score:1)
Re: (Score:2)
That obviously cannot be it. No. No. Really not. And there for sure are no Chinese backdoors into MS infrastructure left and right and no Chinese spies that could leak stuff or tell the attackers how Microsoft does things. Not possible.
As long as we are all just speculating (Score:2)
Going after the ASP.NET keys is not an unknown technique. It may not be popular bug bounty fodder because in most cases the attack will be highly application specific, but it is on the radar of anyone doing targeted operations.
Once you have that, you have a vector to send serialized payloads that are encrypted not by TLS but inside the protocol envelope. That means it will be opaque even to relatively high-end IDS/IPS/WAF solutions. Importantly, you can use it while making requests to resource paths tha
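The comment above describes why a stolen machineKey matters: once an attacker holds the validation and decryption keys, forged serialized payloads pass the server's own integrity check and travel inside the protocol envelope where a WAF or IDS cannot see anything unusual. The defender-side counterpart is knowing what your ASP.NET key configuration looks like before an incident. The script below is an added example, not code from the article, the commenter or Microsoft: it parses a web.config fragment and reports settings that weaken or remove that integrity check (a disabled ViewState MAC, legacy validation or decryption algorithms) and lists any static keys so they can be treated as credentials and rotated on suspected exposure. The two config fragments and the key values in them are constructed placeholders; the element and attribute names are the standard ASP.NET machineKey and pages settings.

```python
"""Audit an ASP.NET web.config for machineKey and ViewState settings.

Added example (not from the article or the comment thread). The two config
fragments below are constructed for illustration; the key values in them are
placeholders, not real keys. Element and attribute names (machineKey,
validationKey, decryptionKey, validation, decryption, pages/enableViewStateMac)
are the standard ASP.NET web.config settings.
"""
import xml.etree.ElementTree as ET

# Algorithms ASP.NET still accepts but that should not be in use any more.
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}

# Constructed: explicit weak settings of the kind an audit should flag.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="3DES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Constructed: a farm-style config that keeps shared keys (a farm needs them)
# but uses current algorithms and leaves the ViewState MAC check on.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of (severity, message) findings for one web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        # Nothing overrides the framework defaults (MAC on; HMACSHA256/AES on .NET 4.5+).
        return [("info", "no <system.web> section: framework defaults apply")]

    machine_key = system_web.find("machineKey")
    if machine_key is None:
        findings.append(("info", "no explicit <machineKey>: keys are auto-generated per server"))
    else:
        for attr in ("validationKey", "decryptionKey"):
            value = machine_key.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                # A shared key is normal in a farm, but it is a credential: once it
                # leaks, forged serialized payloads pass the MAC check and look like
                # ordinary traffic, so it must be rotated on any suspected exposure.
                findings.append(("info", f"static {attr}: treat as a credential, rotate on suspected exposure"))
        validation = machine_key.get("validation", "HMACSHA256").upper()
        if validation in WEAK_VALIDATION:
            findings.append(("high", f"validation={validation}: use HMACSHA256 or stronger"))
        decryption = machine_key.get("decryption", "Auto").upper()
        if decryption in WEAK_DECRYPTION:
            findings.append(("high", f"decryption={decryption}: use AES"))

    pages = system_web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        # With the MAC disabled no key is needed at all to submit a forged ViewState.
        findings.append(("critical", "enableViewStateMac=false: ViewState integrity check disabled"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its most serious severity ("info" if empty)."""
    order = ["info", "high", "critical"]
    ranks = [order.index(sev) for sev, _ in findings] or [0]
    return order[max(ranks)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_web_config(cfg)
        print(f"{name}: worst severity {worst_severity(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Run it against the two constructed fragments and the weak one reports a critical finding (MAC disabled) plus two high findings (legacy algorithms), while the hardened one only lists its two static keys as items to track. The static-key finding is deliberately informational: a farm cannot run without shared keys, so the point is inventory and rotation discipline, not removal.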