After SharePoint attacks, Microsoft stops sharing PoC exploit code with China

Microsoft halts PoC exploit sharing with Chinese firms after SharePoint zero-day leaks, giving only written bug details to curb future abuse.

Microsoft has reportedly stopped giving Chinese firms proof-of-concept exploit code through its Microsoft Active Protections Program (MAPP) after July’s mass exploitation of SharePoint flaws, which is believed to be linked to a leak of the early bug disclosures. Instead, firms in countries that require vulnerabilities to be reported to the government, including China, will now receive only general written descriptions. The move aims to curb leaks while keeping MAPP useful for defenders.

The Microsoft Active Protections Program (MAPP) shares early details of upcoming security flaws with trusted vendors, usually two weeks before Patch Tuesday. This allows them to update defenses in advance. Partners sign NDAs, and the goal is to give users protection against exploits before patches are widely deployed.

“We’re aware of the potential for this to be abused, which is why we take steps – both known and confidential – to prevent misuse,” said Microsoft spokesperson David Cuddy. “We continuously review participants and suspend or remove them if we find they violated their contract with us, which includes a prohibition on participating in offensive attacks.”

In late July, China-based groups, including state actors and at least one ransomware gang, exploited two vulnerabilities to hijack over 400 on-premises SharePoint servers, enabling remote code execution. Microsoft disclosed the bugs on July 8 but later admitted its patches were incomplete. Final fixes came on July 21, but mass exploitation had already begun, raising concerns that MAPP details had leaked to China.

Microsoft confirmed that China-linked groups Linen Typhoon, Violet Typhoon, and Storm-2603 exploited SharePoint flaws for initial access as early as July 7, 2025.

“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” reads a report published by Microsoft. “In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.”

The tech giant warned that more threat actors were adopting SharePoint exploits and expects continued attacks on unpatched on-premises systems.

Microsoft observed threat actors scanning and attacking on-premises SharePoint servers by sending POST requests to the ToolPane endpoint. Where the request succeeded, the attackers bypassed authentication and used a malicious script (such as spinstall0.aspx) to steal sensitive cryptographic key material (the server’s MachineKey data). In some cases, the attackers renamed the script slightly to evade detection. Microsoft shared indicators of compromise (IOCs) and hunting tools to detect these attacks.
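As an added illustration of the defender’s side of the activity described above (this is not Microsoft’s hunting tooling and not code from the article), the following Python script scans IIS-style access log lines for the two behaviours the report names: POST requests to the ToolPane endpoint and requests for the spinstall0.aspx web shell, including lightly renamed variants. The log lines are constructed samples; the request path under /_layouts/15/, the W3C field layout and the spinstall*.aspx naming pattern for renamed copies are assumptions, so a real hunt should be driven by the IOCs Microsoft published rather than by these patterns alone.

```python
"""Toy log scanner for the SharePoint exploitation pattern in the article.

Added example, not Microsoft's hunting tools. Field layout, the ToolPane
request path and the web-shell naming pattern are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in the assumed IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2025-07-18 03:12:44 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200
2025-07-18 03:12:45 203.0.113.7 GET /_layouts/15/spinstall0.aspx - 200
2025-07-18 03:13:02 198.51.100.9 GET /_layouts/15/spinstall1.aspx - 200
2025-07-18 03:14:10 192.0.2.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 200
2025-07-18 03:15:00 192.0.2.5 GET /sites/hr/default.aspx - 200
2025-07-18 03:16:31 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 401
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
# Assumed pattern covering the web shell and slightly renamed copies
# (spinstall0.aspx, spinstall1.aspx, ...); a real hunt uses the published IOC list.
WEBSHELL_RE = re.compile(r"spinstall\w*\.aspx$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    ip: str
    rule: str
    stem: str
    status: int


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the assumed layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text):
    """Apply the two detection rules to every parsable line and return the hits."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # blank, comment or differently formatted lines are ignored
        stem, status = rec["stem"], int(rec["status"])
        # Rule 1: a POST to the ToolPane endpoint, whatever the response code;
        # failed (401) attempts are still worth seeing as probing activity.
        if rec["method"].upper() == "POST" and "toolpane" in stem.lower():
            findings.append(Finding(rec["ip"], "toolpane_post", stem, status))
        # Rule 2: any request for the web shell file or a renamed variant.
        if WEBSHELL_RE.search(stem):
            findings.append(Finding(rec["ip"], "webshell_request", stem, status))
    return findings


def suspicious_ips(findings):
    """Group rule hits by client IP; a source that trips both rules is the strongest signal."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f.ip].add(f.rule)
    return {ip: sorted(rules) for ip, rules in by_ip.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.ip:15} {f.rule:17} {f.stem} -> {f.status}")
    for ip, rules in suspicious_ips(found).items():
        print(f"{ip}: {', '.join(rules)}")
```

On the constructed sample the script reports four hits and singles out 203.0.113.7, which both posted to ToolPane and then fetched spinstall0.aspx; the plain GET of ToolPane from 192.0.2.5 is not flagged because the article describes POST requests specifically.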

Below is a short description of China-nexus groups that exploited the ToolShell flaws:

  • Linen Typhoon (aka APT27, Bronze Union, Emissary Panda, TG-3390, Lucky Mouse, and UNC215) targets intellectual property in the government and defense sectors. Linen Typhoon is a China-based actor that has been active since at least 2012 and targets foreign embassies to collect data on the government, defense, and technology sectors.
  • Violet Typhoon (aka APT31, BRONZE VINEWOOD, JUDGMENT PANDA, Red Keres, TA412, and ZIRCONIUM) focuses on espionage against NGOs, media, and academia. Violet Typhoon is a China-linked actor that has been active since at least 2015.
  • Storm-2603, though distinct from the two state actors, attempts to steal MachineKeys from SharePoint servers and has ties to ransomware. These actors exploit exposed systems to install web shells. With more attackers likely to adopt these methods, Microsoft urges immediate patching and mitigation to protect unpatched on-premises SharePoint environments.

“A leak happened here somewhere,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), told The Register in July. “And now you’ve got a zero-day exploit in the wild, and worse than that, you’ve got a zero-day exploit in the wild that bypasses the patch, which came out the next day.”

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft)
