Introduction
With a keen eye on cybersecurity news that impacts our customers, and a background firmly rooted in military and intelligence operations, I have followed the recent exploitation of on-premises SharePoint vulnerabilities with a growing sense of alarm. The details emerging from Microsoft and security researchers paint a picture that demands immediate consideration, exposing critical vulnerabilities not just in software, but in the fundamental trust mechanisms of our digital infrastructure. In my opinion, this was an entirely predictable crisis with significant national security implications.
China-based engineering teams
The primary (and surprising) concern stems from the revelation that Microsoft has long relied on China-based engineering teams for the support and maintenance of SharePoint on-premises versions, the very software that was at the heart of recent widespread exploitation. Screenshots of Microsoft’s internal work-tracking system explicitly showed China-based employees responsible for fixing bugs in “SharePoint OnPrem”.
What makes this particularly astonishing is ProPublica’s investigation, which revealed that for a decade, Microsoft has leveraged foreign workers, including those based in China, to maintain critical Defense Department cloud systems. This arrangement, supposedly overseen by U.S.-based “digital escorts,” is highly questionable given that these escorts often lack the advanced technical expertise to adequately police their foreign counterparts.
Foreign coders must know about vulnerabilities to fix them, rendering the “digital escort” concept largely ineffective at preventing knowledge transfer. This practice also extended to other sensitive U.S. federal departments, including Justice, Treasury, and Commerce. The Office of the Director of National Intelligence deems China the ‘most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.’ To consciously place the maintenance of such foundational software within that nation—especially given its legal framework compelling data collection—is, in my view, the height of recklessness.
Microsoft has since halted the use of China-based engineers for Defense Department cloud computing and is considering similar changes across other departments; this decision comes in the wake of significant incidents.
The vulnerability in detail
The timeline of the SharePoint vulnerability exploitation further compounds my concern. The initial zero-day bugs, CVE-2025-49706 (spoofing) and CVE-2025-49704 (remote code execution), later joined by CVE-2025-53770 (spoofing bypass and RCE) and CVE-2025-53771 (security bypass), affect on-premises SharePoint servers only and carry an extremely high severity rating, with CVE-2025-53770 rated at 9.8 out of 10. The vulnerability was first disclosed at the Pwn2Own Berlin competition in May, with the winning submission reported to Microsoft shortly thereafter.
MAPP and the Chinese contribution to the patch
Through its Microsoft Active Protections Program (MAPP), Microsoft provides trusted security vendors with early access to technical details about upcoming patches, sometimes up to two weeks before public release. Critically, because China-based coders were the direct maintainers of the SharePoint codebase, they would have been among those who directly received this early information about the vulnerability via Trend Micro’s Zero-Day Initiative following Pwn2Own.
Furthermore, it was Chinese coders who were responsible for preparing the initial patch. Despite the patch being scheduled for public release on July 8, 2025, exploitation of the vulnerabilities was observed as early as July 7, 2025. This strongly suggests that threat groups gained access to vulnerability details before protections were widely available. The initial patch released on July 8 was quickly bypassed by hackers, necessitating a subsequent “more robust protections” update from Microsoft. This sequence leads to an unsettling question posed by one of the sources:
Could the initially defective patch have been deliberately botched by its Chinese developers?
Chinese nation-state exploitation of the vulnerabilities
Microsoft’s own security blog post, dated July 22, 2025, directly attributed the active exploitation of these on-premises SharePoint vulnerabilities to “two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon,” and a third “China-based threat actor, tracked as Storm-2603,” who exploited them to deploy ransomware. These actors were observed attempting exploitation as early as July 7, 2025. Linen Typhoon focuses on stealing intellectual property, while Violet Typhoon is dedicated to espionage; Storm-2603 is assessed with moderate confidence as China-based and has been observed stealing MachineKeys and deploying Warlock ransomware.
This direct attribution by Microsoft’s own Threat Intelligence team stands in stark contrast to the development and patching arrangements. Concerns about Chinese companies violating MAPP requirements are longstanding, with instances in 2012 and 2021 where Chinese MAPP partners were suspected of leaking vulnerability details.
Chinese legislation and weaponisation
A significant contributing factor is China’s Regulations on the Management of Network Product Security Vulnerabilities (RMSV), implemented in September 2021, which mandate that any organisation doing business in China must report newly discovered zero-day vulnerabilities to government authorities within 48 hours. Microsoft itself acknowledged that “this new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponising them”. Many Chinese companies participating in MAPP are also classified as “Technical Support Units” (TSUs) for the China National Vulnerability Database (CNNVD), overseen by the Ministry of State Security (MSS), creating a clear incentive structure to disclose vulnerabilities to their state, potentially overriding Microsoft’s non-disclosure agreements.
Conclusion
The SharePoint exploitation incident is a stark reminder of the intricate and often perilous intersection of cybersecurity, geopolitical realities, and global supply chains in software development. This is not only a predictable mess, but also a significant national security concern.
The continued reliance on outsourced development and maintenance for foundational software like SharePoint, particularly when the outsourcing is to entities within nations actively engaged in state-sponsored cyber campaigns against one’s own interests, represents an unacceptable level of risk. While Microsoft’s decision to cease supporting on-premises versions of SharePoint next July, urging customers to migrate to SharePoint Online, may address some issues, it does not fully resolve the underlying question of trust in the development and patching process for all Microsoft products if global outsourcing practices persist in sensitive areas.
It is imperative for Microsoft, and indeed all major software vendors, to critically reassess their global software development and support models to align with the security and integrity demanded by their customers and the realities of the global threat landscape.

Alex Martin, Cyber Services Director
Alex, with 18 years in Intelligence and Cyber Security, advanced from managing the XDR SOC to Director of Managed Services, and now to his current role of Cyber Services Director at Reliance Cyber. His expertise spans Incident Response, Compliance, and SOC/NOC operations.
Sources:
https://www.propublica.org/article/microsoft-sharepoint-hack-china-cybersecurity