After SharePoint Attacks, Microsoft Stops Sharing PoC Exploit Code with China
In a move aimed at curbing future abuse of vulnerability disclosures, Microsoft has halted its practice of sharing proof-of-concept (PoC) exploit code with Chinese firms. The decision comes on the heels of the mass exploitation of SharePoint flaws in July, which has been linked to the early disclosure of those bugs to partners.
The MAPP Program: A Tool for Defense and Disclosure
The Microsoft Active Protections Program (MAPP) is a partnership between Microsoft and trusted security vendors that shares early details of upcoming security flaws. This lets partners update their defenses in advance, so that users have protection against exploits before patches are widely deployed. Partners sign non-disclosure agreements (NDAs) that include a prohibition on participating in offensive attacks.
A Vulnerability Leaked and Exploited
In late July, China-based groups, including state actors and at least one ransomware gang, exploited two vulnerabilities that together gave remote code execution to hijack over 400 on-premises SharePoint servers. The timing raised concerns about the potential misuse of vulnerability disclosures: Microsoft had initially disclosed the bugs on July 8, but later admitted that its patches for them were incomplete.
MAPP Leaks: A Concern
Microsoft confirmed that the China-linked groups Linen Typhoon, Violet Typhoon, and Storm-2603 exploited the SharePoint flaws for initial access as early as July 7, 2025. The company warned that these groups had bypassed authentication and used a malicious script to steal sensitive cryptographic keys from on-premises systems.
Consequences of the Leak
"A leak happened here somewhere," said Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI). "And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day."
A New Approach to Disclosure
In response to the suspected leak, Microsoft has halted its practice of sharing PoC exploit code with Chinese firms through the MAPP program. Instead, firms in countries that require vulnerabilities to be reported to their governments will now receive only general written descriptions of the vulnerabilities.
"We're aware of the potential for this to be abused," said Microsoft spokesperson David Cuddy. "We take steps – both known and confidential – to prevent misuse." The company continuously reviews participants and suspends or removes them if they find that they have violated their contract with Microsoft, which includes a prohibition on participating in offensive attacks.
The Future of MAPP
Microsoft's decision aims to balance the need for defenders to stay ahead of emerging threats against the risk that vulnerability disclosures are misused. The company will continue to provide general written descriptions of vulnerabilities to firms in China and in other countries that require vulnerability reporting to governments, without sharing PoC exploit code.
"The goal is to give users protection against exploits before patches are widely deployed," Cuddy explained. "We'll keep working to find ways to make MAPP useful for defenders while keeping it secure from misuse."