Microsoft investigates whether SharePoint 0-day was leaked to hackers in advance

Did suspected Chinese hackers gain access to internal descriptions of zero-day vulnerabilities in Microsoft SharePoint Server before they were exploited last weekend? Microsoft is investigating whether there was a leak in the internal systems where such information is stored.

Attack on SharePoint via zero-day vulnerabilities

Since July 18, 2025, various security vendors, including Sophos, have observed increased waves of attacks on Microsoft SharePoint servers that are reachable from the Internet. In addition to the ToolShell exploit, which chained CVE-2025-49704 and CVE-2025-49706, there were further unpatched and previously unknown 0-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771).

These were attacked by an exploit on Friday and Saturday, respectively. The first attacks were noticed on July 17, 2025, but at that point no payload in the form of a web shell was installed.

I tracked the development in the blog post Sharepoint servers are attacked via 0-day vulnerability (CVE-2025-53770) and in the post Sharepoint Server 0-Day vulnerability: over 400 victims, Warlock ransomware infections. Microsoft has now released special updates for various SharePoint Server versions to close the vulnerabilities (see Patches for Sharepoint Server 2016; China behind attacks, approx. 400 organizations compromised).

Microsoft is investigating whether there was a leak

Now, suspicions have arisen that Chinese hacker groups may have somehow obtained advance information about the zero-day vulnerabilities through a leak at Microsoft.

The vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were patched on July 8, 2025, had been exploited in May 2025 at the Pwn2Own hacker conference in Berlin by a Vietnamese security researcher in an attack on a SharePoint server. Security researcher Dinh Ho Anh Khoa was awarded a $100,000 prize for the hack and honored by Microsoft.

No details about the vulnerabilities were disclosed at the time, and the zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) were not publicly known until they were exploited. However, Microsoft runs an internal program that informs its own developers and external security partners about non-public vulnerabilities ahead of the fix.

Bloomberg now reports that Microsoft is investigating whether a weakness in its early-warning program for cybersecurity companies (MAPP, the Microsoft Active Protections Program) enabled Chinese hackers to exploit vulnerabilities in its SharePoint service before they were fixed.

Dustin Childs, head of threat detection at cybersecurity company Trend Micro's Zero Day Initiative, says the possibility of a leak from Microsoft's Active Protections Program did cross their minds when the first attacks on SharePoint became known. Such a leak would pose a serious threat to the MAPP program.

Members of the MAPP program were informed about the security vulnerabilities in SharePoint on June 24, July 3, and July 7, 2025, Childs told Reuters on Friday (the Economic Times of India reports here). According to a Microsoft blog post on Tuesday, the company first observed attempts to exploit this vulnerability on July 7, 2025.

At present, this is merely speculation, but it appears likely that someone in the hacker community gained access to the information at an early stage. "As part of our standard process, we will investigate this incident, identify areas for improvement, and implement those improvements comprehensively," a Microsoft spokesperson said in a statement to Bloomberg. The partner program is an important component of the company's security measures.

Similar articles:
Microsoft Security Update Summary (July 8, 2025)
Patchday: Microsoft Office Updates (July 8, 2025)
Sharepoint servers are attacked via 0-day vulnerability (CVE-2025-53770)
Patches for Sharepoint Server 2016; China behind attacks, approx. 400 organizations compromised
Sharepoint Server 0-Day vulnerability: over 400 victims, Warlock ransomware infections
Microsoft investigates whether SharePoint 0-day was leaked to hackers in advance
Insane: Microsoft let Chinese software engineers maintain the cloud of US Department of Defense
Microsoft says it's ending U.S. Defense Department cloud maintenance by Chinese software engineers
