
Did a Vendor's Leak Help Attackers Exploit Microsoft's SharePoint Servers?

Sunday 27 July 2025, 06:34, by Slashdot
The vulnerability-watching 'Zero Day Initiative' was started in 2005 as a division of 3Com, then acquired in 2015 by cybersecurity company Trend Micro, according to Wikipedia.

But the Register reports today that the initiative's head of threat awareness is now concerned about the source for that exploit of Microsoft's SharePoint servers:
How did the attackers, who include Chinese government spies, data thieves, and ransomware operators, know how to exploit the SharePoint CVEs in such a way that would bypass the security fixes Microsoft released the following day? 'A leak happened here somewhere,' Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told The Register. 'And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day....'

Patch Tuesday happens the second Tuesday of every month — in July, that was the 8th. But two weeks before then, Microsoft provides early access to some security vendors via the Microsoft Active Protections Program (MAPP). These vendors are required to sign a non-disclosure agreement about the soon-to-be-disclosed bugs, and Microsoft gives them early access to the vulnerability information so that they can provide updated protections to customers faster....

One researcher suggests a leak may not have been the only pathway to exploit. 'Soroush Dalili was able to use Google's Gemini to help reproduce the exploit chain, so it's possible the threat actors did their own due diligence, or did something similar to Dalili, working with one of the frontier large language models like Google Gemini, o3 from OpenAI, or Claude Opus, or some other LLM, to help identify routes of exploitation,' Tenable Research Special Operations team senior engineer Satnam Narang told The Register. 'It's difficult to say what domino had to fall in order for these threat actors to be able to leverage these flaws in the wild,' Narang added.

Nonetheless, Microsoft did not release any MAPP guidance for the two most recent vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which are related to the previously disclosed CVE-2025-49704 and CVE-2025-49706. 'It could mean that they no longer consider MAPP to be a trusted resource, so they're not providing any information whatsoever,' Childs speculated. [He adds later that 'If I thought a leak came from this channel, I would not be telling that channel anything.']

'It also could mean that they're scrambling so much to work on the fixes they don't have time to notify their partners of these other details.'

Read more of this story at Slashdot.
https://it.slashdot.org/story/25/07/27/0337218/did-a-vendors-leak-help-attackers-exploit-microsofts-...


News copyright owned by their original publishers | Copyright © 2004 - 2025 Zicos / 440Network