Microsoft Restricts MAPP Sharing with China


The summer of 2025 brought a seismic shift in the way Microsoft engages with the global cybersecurity community. At the heart of the story: a wave of mass exploitation of on-premises SharePoint servers, attacks that exposed the risks of global vulnerability sharing in an era of state-mandated reporting laws and mounting distrust between technology powers.

The Alarm Bell Rings

On July 7th, Microsoft's threat intelligence teams observed targeted attacks exploiting two SharePoint vulnerabilities, CVE-2025-53770 and CVE-2025-53771, that bypassed the fixes Microsoft had shipped in its July security updates. Hundreds of organizations around the globe, from U.S. federal agencies to major corporations, were affected. For many, the realization came too late: attackers had already worked around Microsoft's incomplete initial patches, pushing defenders into a frantic race to apply the follow-up fixes and hunt for webshells already planted on their servers.

But what set this incident apart wasn't just the technical sophistication. It was the timing. Security researchers noted that attacks began shortly after Microsoft's advance notifications had gone out via its Microsoft Active Protections Program (MAPP), a trusted industry initiative designed to let security vendors build detections and protections before the rest of the world learns a bug exists.

A Decade of Quiet Tension

For years, MAPP had been considered an industry gold standard. Partners signed NDAs and were rewarded with advance technical details, sometimes including proof-of-concept (PoC) exploit code, up to two weeks ahead of public disclosure. More than a dozen Chinese companies participated, right alongside Western security vendors.

But there had always been an undercurrent of mistrust. In 2012, Microsoft blamed Hangzhou DPTech Technologies, a Chinese MAPP partner, for leaking a Windows exploit and removed it from the program. In 2021, a suspected leak from a Chinese partner was investigated as a possible source of the exploit behind the global Exchange Server hacking campaign that left tens of thousands of enterprises exposed.

The pressure ramped up in 2021 when China began requiring vendors to report vulnerabilities in their products to government authorities within 48 hours of discovery. In practice, that gave state agencies an early look at vulnerability details, and potentially exploit code, that Chinese MAPP partners had received under NDA from foreign vendors like Microsoft.

The SharePoint Breach: From Trust to Caution

The SharePoint exploit campaign was a breaking point. When evidence mounted that advance warning and PoC details intended for defensive use may have fed offensive cyber operations, Microsoft opened an internal investigation into a possible leak. Security observers and former White House officials described the resulting policy move as "long overdue." The stakes were too high, and the incentives for nation-state abuse too strong.

The Policy Shift

In August 2025, Microsoft announced a historic change: companies in China, and in any other country with similar mandatory government vulnerability-reporting laws, would no longer receive advance proof-of-concept exploit code through MAPP. From then on, they would be limited to more general written descriptions of vulnerabilities, delivered only when public patches are released, with no more privileged head start.

This new approach, Microsoft’s spokesperson David Cuddy confirmed, aims to “reduce the risk of abuse” while continuing to support partners focused on network defense and user security. The company stressed that failing to adapt its sharing policy would only lead to more leaks and weaponization of PoC code by state-backed actors.

Industry and Global Reactions

The security community has largely applauded the move, though some regret the necessity. "Anything Microsoft can do to help prevent leaks while still offering MAPP guidance is welcome," said Dustin Childs, head of threat awareness at Trend Micro. Former partners in China, meanwhile, have criticized the decision as short-sighted or politically motivated, and the Chinese government has officially denied any role in offensive cyber operations, calling for "an end to smears and attacks under the excuse of cybersecurity."

For defenders worldwide, this episode is a case study in the risks and rewards of collaborative vulnerability disclosure. When geopolitics and mandatory reporting laws can turn shared defensive details into an offensive advantage, even the industry's best-intentioned sharing programs must evolve.
