New insights on SharePoint Gate: Microsoft uses employees from China for maintenance

Since the SharePoint disaster in July 2025, in which vulnerabilities were actively exploited, there have been new revelations almost every day. It has been speculated that suspected Chinese hackers had advance access to internal descriptions of zero-day vulnerabilities in Microsoft SharePoint Server. Now it turns out that Microsoft employed staff based in China to maintain SharePoint. A brief update on the latest developments.

Looking back on the SharePoint disaster

I now call it "SharePoint-Gate" because it turned out to be a disaster for Microsoft. On July 8, 2025, Microsoft had closed the remote code execution vulnerabilities CVE-2025-49701 and CVE-2025-49704 in Microsoft SharePoint (Patchday: Microsoft Office Updates (July 8, 2025)). The vulnerabilities, rated as critical and important, received a CVSS v3 score of 8.8 (see Microsoft Security Update Summary (July 8, 2025)).

On July 17, 2025, the first attacks on SharePoint servers reachable from the Internet were noticed, although at that point no payload in the form of a web shell had yet been installed. Starting on July 18, 2025, various security vendors, including Sophos, observed increasing waves of attacks on Internet-facing Microsoft SharePoint servers.

In addition to an exploit (ToolShell) that took advantage of the CVE-2025-49704 and CVE-2025-49706 vulnerabilities patched on July 8, 2025, there were further unpatched and previously unknown 0-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771). I reported on this promptly in the blog post Sharepoint servers are attacked via 0-day vulnerability (CVE-2025-53770).

Microsoft attempted to respond with mitigation measures and emergency updates (see Patches for Sharepoint Server 2016; China behind attacks, approx. 400 organizations compromised and Sharepoint Server 0-Day vulnerability: over 400 victims, Warlock ransomware infections). But by that point, hundreds of organizations had already been successfully compromised.

The latest information I am currently aware of can be found in this article from Bleeping Computer. Ransomware gangs are now joining the ranks of attackers targeting Microsoft SharePoint servers.

Vulnerabilities known since May 2025, amateurish patch

The vulnerabilities CVE-2025-49704 and CVE-2025-49706, which were patched on July 8, 2025, had been exploited in May 2025 at the Pwn2Own hacker conference in Berlin by a Vietnamese security researcher in an attack on a SharePoint server. Security researcher Dinh Ho Anh Khoa was awarded a $100,000 prize for the hack and honored by Microsoft.

It soon became known that Microsoft was investigating whether a leak in its early-warning program for cybersecurity companies (MAPP) had enabled Chinese hackers to exploit vulnerabilities in SharePoint before they were fixed. I addressed this in the article Microsoft investigates whether SharePoint 0-day was leaked to hackers in advance.

But such a grand "conspiracy" is not even needed to explain what happened. Two facts shed a special light on the whole matter in retrospect. First, it took Microsoft from May to July 2025 to provide security updates for the RCE vulnerabilities disclosed at the Pwn2Own hacker conference in Berlin.

Second, the patch itself could be bypassed by adding a single extra character to a URL. I didn't mention this in my blog at the time because I was on vacation for a few days (a blog reader pointed it out to me). On July 25, 2025, Kaspersky published a detailed analysis of the vulnerabilities in the article ToolShell: a story of five vulnerabilities in Microsoft SharePoint. The key point of the article is the statement "Our analysis of the exploit showed that it did rely on vulnerabilities fixed under CVE-2025-49704 and CVE-2025-49706, but by changing just one byte in the request, we were able to bypass those fixes."

Software experts from China maintain SharePoint

But in my opinion, the whole thing took an even more extreme turn. A few weeks ago, in my article Insane: Microsoft let Chinese software engineers maintain the cloud of US Department of Defense, I reported that Microsoft has employees in China maintaining the US Department of Defense's cloud. Shortly after this practice was made public, Microsoft announced that it would be ending it (see Microsoft says it's ending U.S. Defense Department cloud maintenance by Chinese software engineers).

ProPublica on SharePoint RCE vulnerability and Chinese Engineers

I came across ProPublica's article Microsoft Used China-Based Engineers to Support Product Recently Hacked by China last Friday, August 1, 2025, but am only now getting around to addressing it. The message of the article: Microsoft announced that state-sponsored hackers from China had exploited vulnerabilities in SharePoint Server. However, what was not mentioned was the fact that the company has long employed engineers from China to maintain the product.

The article states that support for SharePoint is provided by a team of developers based in China. The team has been responsible for maintaining the software for years.

ProPublica claims to have seen screenshots from Microsoft's internal work-tracking system showing that employees in China "recently" fixed bugs in the on-premises SharePoint Server. This is precisely the version that was affected by the attacks in July 2025.

The website ProPublica writes that, according to a statement from Microsoft, the China-based team is "supervised by a US-based engineer and is subject to all security requirements and manager code review. However, work is already underway to relocate this work to another location."

This was precisely the statement made by Microsoft, which I discussed in the article Insane: Microsoft let Chinese software engineers maintain the cloud of US Department of Defense. ProPublica had also uncovered this fact at the time.

According to ProPublica, there is no evidence that the employees in China who were responsible for SharePoint maintenance were involved in the hacks. However, it does not take much imagination to picture that these employees may have been closely monitored in their activities—surveillance is ubiquitous in China.

In addition, Chinese laws grant the government and security apparatus far-reaching powers for data collection and surveillance. It is difficult for Chinese citizens or companies to meaningfully resist direct requests from security forces or law enforcement agencies.

Microsoft has lost control

Once again, Microsoft shows itself to be a repeat offender, knowingly exposing its customers to risk; the main thing is that it is cheap and looks secure on paper. At the latest after the Storm-0558 hack (see Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack – Part 1), alarm bells should have gone off at Microsoft and everything should have been put under scrutiny. Wired named the elephant in the room in this article on China: "A porous firewall between Chinese security companies, hacker groups, and state security would have jeopardized a trusted cybersecurity partnership with Microsoft." And the US media outlet Fox News writes here that the flaw in Microsoft SharePoint jeopardizes important US government agencies.

After every hack, Microsoft promises to "become even better and even more secure" and has launched its Secure Future Initiative. But that is just whitewash, or "bullshit bingo." As an observer, I can only state that Microsoft has lost control of its own products for years. One mistake can happen, even two or three, but at Microsoft, disaster follows disaster. Off the top of my head, I would say "it must be Stockholm syndrome" when people describe the products from Redmond as having "no alternative" and don't even try to break free from these dependencies, but carry on at full steam. Or is there something I have failed to understand again, because that is simply the way it has to be?

Similar articles:
Microsoft Security Update Summary (July 8, 2025)
Patchday: Microsoft Office Updates (July 8, 2025)
Sharepoint servers are attacked via 0-day vulnerability (CVE-2025-53770)
Patches for Sharepoint Server 2016; China behind attacks, approx. 400 organizations compromised
Sharepoint Server 0-Day vulnerability: over 400 victims, Warlock ransomware infections
Microsoft investigates whether SharePoint 0-day was leaked to hackers in advance

Insane: Microsoft let Chinese software engineers maintain the cloud of US Department of Defense
Microsoft says it's ending U.S. Defense Department cloud maintenance by Chinese software engineers

China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)

Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack – Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2

Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems
Microsoft slammed for a cascade of faults that leads to Storm-0558 cloud hack

Microsoft announces a Secure Future Initiative
Microsoft presents a progress report on the "Secure Future Initiative"
