Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Microsoft Betrayed from Within? Chinese Hackers Exploited SharePoint Bugs Before Patches

28 July 2025 08:31

Microsoft has launched an internal investigation to determine whether a leak of confidential information from the Microsoft Active Protections Program (MAPP) allowed state-sponsored Chinese hackers to exploit serious SharePoint vulnerabilities before the official release of security patches.

The investigation comes as a campaign of cyberattacks has compromised more than 400 organizations globally, including the National Nuclear Security Administration (NNSA), which is responsible for the United States’ nuclear stockpile.

SharePoint vulnerabilities exploited soon after being reported to partner

The SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-53771) were first disclosed in May by Vietnamese researcher Dinh Ho Anh Khoa at the Pwn2Own cybersecurity conference in Berlin, where he received a $100,000 prize.

Subsequently, Microsoft notified MAPP partners of the critical vulnerabilities on June 24, July 3, and July 7. On July 7, the date of the last notification, the first active exploits against SharePoint servers were detected, suggesting a possible leak from the MAPP program.

According to Dustin Childs of Trend Micro’s Zero Day Initiative, it’s likely that someone among the partners used confidential information to quickly develop the exploits.

ToolShell: The attack chain that bypasses authentication

The sophisticated attack chain, dubbed “ToolShell”, allows hackers to bypass authentication controls and execute malicious code on SharePoint servers. Particularly critical is the ability to steal encryption keys, which allows attackers to maintain access even after patches are applied.

Microsoft attributes the attacks to three APT groups linked to China: Linen Typhoon, Violet Typhoon, and Storm-2603. Among the most sensitive victims is the NNSA, which said it suffered limited damage thanks to its use of Microsoft cloud services.

Cybersecurity firm Eye Security, which first identified the attacks, confirmed four waves of attacks and more than 400 compromised systems, affecting government agencies, private companies, and educational institutions in North America, Europe, and Asia.

Historical Risks of the MAPP Program

This is not the first time the MAPP program has been abused. In 2012, Microsoft banned China’s Hangzhou DPtech Technologies Co. for the unauthorized disclosure of a proof-of-concept. More recently, Qihoo 360 Technology Co. was also removed after being placed on the US Entity List.

The 17-year-old MAPP program provides approximately 100 global partners with technical details about vulnerabilities up to five days before public disclosure, so that they can prepare protections in advance.

According to Bloomberg, a dozen Chinese companies are currently participating in the program.

Microsoft: “We will evaluate and improve the program”

Microsoft confirmed that it will conduct an internal review to strengthen security measures, emphasizing that information sharing with MAPP partners remains critical to protecting users from new cyber threats.

Meanwhile, China has denied any responsibility, calling the accusations baseless and reiterating its opposition to hacking activities.

Cyber threats are growing in speed

Experts warn that the transformation of these vulnerabilities into working exploits in just two months demonstrates the evolution of cyber threats, which are becoming ever faster and more sophisticated.

This case also highlights the delicate balance between transparency in cybersecurity and the risks posed by a potential leak of sensitive data.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.