For roughly two weeks every month, a select group of security vendors around the world know something the rest of the internet does not: exactly which vulnerabilities Microsoft is about to patch, and in some cases, exactly how an attacker could exploit them. That is the premise of MAPP — the Microsoft Active Protections Program. It was designed to give defenders a head start. In 2025, it gave attackers one instead.
Patch Tuesday is one of the most anticipated dates on the security calendar. On the second Tuesday of every month, Microsoft releases security updates addressing vulnerabilities across its product ecosystem — Windows, Office, SharePoint, Exchange, Azure, and dozens of other platforms. For IT and security teams worldwide, it triggers a race: how quickly can patches be tested and deployed before attackers weaponize the published CVEs?
MAPP was built to give defenders a fighting chance in that race. By sharing vulnerability details with trusted security vendors before the public patch drops, Microsoft allows those vendors to pre-build detection signatures, update endpoint protections, and push firewall rules to customers before most organizations even know a patch exists. The idea is sound. The execution, as 2025 demonstrated, carries serious risks.
What MAPP Is and Why It Exists
The Microsoft Active Protections Program is led by the Microsoft Security Response Center (MSRC) — the team responsible for investigating, coordinating, and releasing Microsoft's security updates. MAPP sits at the intersection of two goals that can sometimes conflict: responsible disclosure, which holds that vulnerability details should not be made public until a patch is available, and practical defense, which requires that security tools have enough lead time to protect customers before attackers strike.
Without a program like MAPP, security vendors would receive patch information at the same moment as everyone else — including threat actors. The window between public patch release and widespread deployment across enterprise environments can be days or weeks. During that window, attackers who reverse-engineer the patch to understand the underlying vulnerability can strike unpatched systems at scale. MAPP attempts to close that window by giving defensive security providers advance notice.
Microsoft's own language describes MAPP as enabling partners to "proactively develop protections against vulnerabilities" before public patches drop, giving defensive vendors the lead time to push updated endpoint signatures, IPS rules, and managed service detections to customers while most of the internet is still unaware a patch is coming.
The program is not about sharing raw vulnerability research for its own sake. Participating vendors are expected to use what they receive to actively build and ship protections to their customers. The operative word is "active." MAPP members are not passive recipients of intelligence briefings — they are expected to deploy defenses before the patch becomes public.
How the Program Works: Tiers, Timelines, and Access
MAPP is structured around four distinct tiers, each offering different levels of access and carrying different obligations. Understanding the tier structure is essential to understanding both the program's value and its risk surface.
MAPP Entry
This is the entry point for partners that operate under mandatory government disclosure requirements — meaning they are legally obligated in their home jurisdiction to report discovered vulnerabilities to a government authority. Partners at this tier receive general vulnerability information six hours before Microsoft's Update Tuesday release. Critically, they do not receive proof-of-concept (PoC) code. Microsoft's FAQ describes this approach as balancing compliance with local regulations against the principles of responsible disclosure.
MAPP Entry+
The foundational tier for new partners that do not have mandatory disclosure obligations. Partners in this tier receive vulnerability guidance 24 hours before Microsoft's Update Tuesday release — giving them enough lead time to begin building protections before public patches drop, without the extended window granted to more established members. It is the on-ramp to the more privileged tiers, and the starting point for vendors who want to take an increasingly active role in customer protection.
MAPP ANS (Advance Notification Service)
This is the high-value tier. Partners who have demonstrated consistent participation, effective customer protections, and active threat intelligence sharing with Microsoft gain access to vulnerability guidance five days before Update Tuesday. This tier requires that partners have no mandatory disclosure obligations, which means sensitive information can remain protected until the public release. Five days is enough lead time to research, test, write, validate, and ship detection signatures to production environments.
MAPP Validate
An invite-only tier for the most trusted partners. Members of MAPP Validate go beyond just consuming early guidance — they actively test Microsoft's protective guidance and provide feedback to improve its quality and effectiveness before it reaches the broader partner community. Participation is selective, and partners at this tier are expected to contribute meaningfully to threat intelligence sharing.
MAPP for Responders
A separate track for incident responders, CERTs, and security organizations that do not qualify for standard MAPP membership. This tier does not provide early access to vulnerability guidance. Instead, it gives members access to the Clean File Metadata Feed (CMFD) — hashes of legitimate Microsoft binaries that help reduce false positives — and the Bing Malicious URL feed for enhanced threat detection.
In MAPP, "active protections" refers specifically to defenses that security providers build and deploy to detect or block threats before a Microsoft patch reaches end users. This includes antivirus signatures, IDS/IPS rules, EDR detections, and firewall policies. Partners are required to build these protections themselves based on MAPP guidance — they cannot simply relay third-party signatures. The point is for MAPP intelligence to generate net-new defensive capability that reaches customers ahead of the patch cycle.
MAPP Entry: partners in mandatory disclosure jurisdictions; general information only. Timing: T − 6 hrs
MAPP Entry+: new partners without mandatory disclosure obligations. Timing: T − 24 hrs
MAPP ANS: high-value tier; full guidance and PoC access. Timing: T − 5 days
MAPP Validate: the most trusted partners test and improve guidance. Access: invite only
Partners are required to submit two reports to Microsoft per patch cycle: an initial report detailing which CVEs received protections, and a follow-up report 30 days after Patch Tuesday that includes telemetry on those protections. This reporting structure keeps Microsoft informed about whether MAPP is actually generating defensive value in the field, and it gives the program mechanisms to identify underperforming or non-compliant members.
Who Gets In and What They Must Agree To
MAPP is not open to everyone. Membership criteria are deliberately restrictive and designed to ensure that participants can actually use early vulnerability information responsibly. To be considered, an organization must meet several requirements simultaneously.
Applicants must sign a Non-Disclosure Agreement with Microsoft and strictly follow Coordinated Vulnerability Disclosure practices. They must provide commercial security products or services that actively protect Microsoft customers, and they cannot be in the business of building tools that attack or weaken network security — penetration testing frameworks and exploit kits disqualify a vendor outright. Partners must demonstrate the ability to protect Microsoft's pre-release data, disclose any third-party reporting obligations, and have the technical infrastructure to send and receive data via API.
Crucially, partners must actively create their own protections from MAPP guidance. Relying on third-party signatures — essentially reselling someone else's work — does not satisfy the program's requirements. The expectation is that each MAPP partner adds genuine, original defensive value to the ecosystem.
Well-known members of MAPP include major names in the security industry. Cisco Talos is a member and explicitly notes on its advisory archive that MAPP access "is used to quickly provide protections in Snort and other Cisco Secure products." Trend Micro is another member; the company's Zero Day Initiative team, which runs the Pwn2Own competition, has direct visibility into how MAPP intelligence translates into defensive coverage. Stellar Cyber joined in July 2025, stating that MAPP provides "early access to critical vulnerability and threat intelligence" ahead of public disclosure. More than 100 partners globally participate in some form of the program.
A History of Leaks: 2012, 2021, and the 2025 SharePoint Crisis
The program's most serious structural weakness is that the same advance access that enables defenders to build early protections also enables bad actors — or compromised insiders — to build early exploits. MAPP's history includes three major incidents where that risk materialized, each more consequential than the last.
2012: The First Confirmed Breach
In May 2012, Microsoft expelled Hangzhou DPtech Technologies Co., a Chinese network security company, from MAPP for violating its NDA. The company had leaked proof-of-concept code related to CVE-2012-0002, a critical Remote Desktop Protocol vulnerability in Windows. This was the first publicly confirmed case of a MAPP member weaponizing pre-release vulnerability data. Microsoft acknowledged the incident, expelled the company, and defended the overall program's value — but the breach established a precedent that would repeat.
2021: The Exchange Server Campaign
In early 2021, a global hacking campaign targeted Microsoft Exchange servers on a scale that became one of the worst security incidents in the company's history. Microsoft attributed the initial intrusions to a Chinese espionage group tracked as Hafnium. Tens of thousands of organizations were compromised. The timing raised serious questions about MAPP: attack activity using CVE-2021-26855 was detected before Microsoft had even received the formal vulnerability report from the researcher who discovered it, complicating the theory that MAPP was the sole leak source. Separately, Microsoft suspected at least two Chinese MAPP partners of leaking Exchange vulnerability details, though a definitive attribution was never published. Investigations ultimately suggested the vulnerability may have been independently discovered and exploited before the formal disclosure timeline began, but the incident intensified scrutiny of Chinese participants in the program.
2025: SharePoint, ToolShell, and the Nuclear Agency
The 2025 incident is the sharpest test MAPP has faced to date. In May 2025, Vietnamese researcher Dinh Ho Anh Khoa demonstrated two SharePoint vulnerabilities at the Pwn2Own conference in Berlin, earning $100,000. Those vulnerabilities — formally tracked as CVE-2025-49704 (an improper code-generation flaw enabling remote code execution) and CVE-2025-49706 (an improper authentication flaw enabling network spoofing) — would become the foundation of the ToolShell attack chain. Microsoft began notifying MAPP partners of the vulnerabilities on June 24, with follow-up notifications on July 3 and July 7. Initial patches for CVE-2025-49704 and CVE-2025-49706 were issued on July 8 — Patch Tuesday.
Microsoft first detected active exploitation on July 7, 2025 — the same day as the final MAPP notification wave and the day before the public patch. The exploitation did not look like opportunistic scanning. It was coordinated, targeted, and technically sophisticated. Attackers deployed a multi-stage attack chain that researchers at cybersecurity firms named "ToolShell," a reference to ToolPane.aspx, the SharePoint component where the deserialization flaw resides, as identified by Khoa Dinh, the researcher who originally discovered the vulnerability chain. The chain bypassed SharePoint authentication controls, executed remote code on servers, and — critically — enabled the theft of cryptographic machine keys. Stolen machine keys can be used to forge authentication tokens, allowing attackers to maintain persistent access even after systems are patched. Resecurity independently observed exploitation activity as early as July 17, before Microsoft's official advisory was published, with attackers using PowerShell-based payload delivery and ASP-based web shells designed for Windows environments.
The situation escalated further on July 19, 2025, when Microsoft disclosed two additional CVEs: CVE-2025-53770 (CVSS 9.8, a critical unauthenticated RCE vulnerability) and CVE-2025-53771 (a path traversal spoofing vulnerability). These were patch bypasses of the original two CVEs, meaning the July 8 patches were incomplete. Security researchers, including analysts at Kaspersky's Global Research and Analysis Team, noted that CVE-2025-53770 appears to trace back to flaws that were insufficiently addressed in CVE-2020-1147, a .NET deserialization vulnerability from 2020 — meaning the underlying weakness had persisted in some form for five years. CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, and Microsoft issued emergency patches for SharePoint Subscription Edition and 2019 on July 20–21. The full four-CVE chain is what security researchers collectively refer to as ToolShell. According to Akamai, which is itself a MAPP member, more than 20 percent of observed environments were exposed to CVE-2025-53770 at the time of disclosure.
Dustin Childs, Head of Threat Awareness at Trend Micro's Zero Day Initiative, told The Register that "A leak happened here somewhere." He noted that exploitation began the same day as the final MAPP notification wave and that the initial patches were bypassed almost immediately.
Childs also revealed a telling detail: Microsoft did not release any MAPP guidance for the two follow-up CVEs, CVE-2025-53770 and CVE-2025-53771. He speculated that Microsoft either no longer considered MAPP a trusted channel or was moving too fast on emergency patches to brief partners. Anyone with access to the early MAPP information about the original flaws, Childs noted, would have been able to recognize an obvious path past the initial fix.
By the time Microsoft completed its investigation, it had attributed the campaign to three Chinese threat actors: Linen Typhoon (also tracked as APT27, Budworm, Emissary Panda, and Lucky Mouse; active since at least 2012 with a focus on government and defense targets), Violet Typhoon (APT31, also tracked as ZIRCONIUM and Judgment Panda; active since at least 2015 with a focus on espionage against NGOs, media, and academia), and Storm-2603, a distinct actor that escalated to deploying Warlock ransomware, as confirmed by CISA and Microsoft, and that targeted SharePoint machine keys for persistence. Over 400 organizations worldwide were compromised, spanning finance, education, energy, and healthcare across Asia, Europe, and the United States. Among the victims was the U.S. National Nuclear Security Administration, the agency responsible for the design and maintenance of the American nuclear weapons stockpile. Officials stated that no classified information was taken.
Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, described the situation as "an urgent and active threat" being weaponized at scale, as reported by Windows Central.
The ToolShell campaign introduced a detail that is easily overlooked in the broader MAPP discussion but carries serious operational implications for affected organizations. CISA's guidance on the incident specifies that remediation requires rotating ASP.NET machine keys before applying Microsoft's patches, then rotating them again after patching, followed by an IIS server restart using iisreset.exe. Patching without key rotation leaves the attacker's forged authentication tokens potentially valid. This two-rotation requirement is unusual and was not widely communicated outside of incident response advisories.
A separate investigative thread, reported by ProPublica, added a further dimension to the incident: a China-based Microsoft engineering team had been directly responsible for maintaining SharePoint "OnPrem" — the specific version of the software targeted in the attacks. The disclosure prompted scrutiny of Microsoft's practice of using "digital escorts" to allow foreign engineers to service sensitive U.S. government systems. Microsoft has not confirmed the ProPublica reporting in full, and the company maintains that access controls prevent exposure of sensitive government code. The MAPP investigation and the engineering access question are technically separate issues, but together they raised broader questions about the attack surface created by deep operational integration between Microsoft and jurisdictions that have mandatory vulnerability disclosure laws.
A SharePoint machine key is a cryptographic secret used by the server to protect session data and form authentication tokens. When an attacker obtains this key, they can forge valid authentication tokens and impersonate any user — including administrators — without knowing any credentials. This type of persistence survives patching, password resets, and many standard incident response procedures. Remediating a machine key compromise requires regenerating the key, invalidating all active sessions, and auditing every authenticated action taken while the attacker held the key. In the ToolShell campaign, attackers deployed web shells using a consistent naming pattern — spinstall0.aspx, spinstall1.aspx, spinstall2.aspx — designed to blend with legitimate SharePoint installation files, making them harder to detect during routine inspection.
The Legal Conflict: Chinese Law vs. NDA Obligations
The 2025 crisis drew renewed attention to a structural tension that security researchers had been flagging for years: Chinese companies operating under MAPP's NDA may also be legally required by their own government to share exactly the kind of information that NDA is meant to protect.
China's 2021 Cybersecurity Vulnerability Reporting Regulations mandate that any company or researcher operating in China must report a discovered vulnerability to the Ministry of Industry and Information Technology (MIIT) within 48 hours. The regulation applies broadly and is not limited to vulnerabilities in Chinese software. A Chinese MAPP member that receives advance notice of a Microsoft vulnerability could be read as obligated under Chinese law to report that vulnerability to MIIT within two business days — long before the public patch drops.
Compounding this, China's 2017 National Intelligence Law requires all Chinese companies to "support, assist, and cooperate with national intelligence efforts" when requested. Together, these laws create dual obligations that are structurally incompatible with MAPP's NDA framework. A Chinese MAPP partner that receives advance notice of a vulnerability is simultaneously bound by Microsoft's NDA to keep that information confidential and by Chinese law to report it to government authorities within 48 hours.
Comparison graphic: MAPP NDA obligations vs. Chinese legal requirements.
Dakota Cary, a China-focused consultant at SentinelOne, told Bloomberg (as reported via Claims Journal) that Chinese MAPP participants clearly "have to respond to incentives from the government," making access restrictions a logical step.
Eugenio Benincasa, a Senior Researcher in the Cyberdefense Project at ETH Zurich's Center for Security Studies who specializes in analyzing Chinese cyber operations, told Bloomberg that there had been suspicions about leaks from MAPP for years, but that the current level of scrutiny on Chinese cyber activity meant Microsoft likely felt pressure to act. Benincasa's research has documented how Chinese cybersecurity firms contribute to the China National Vulnerability Database (CNNVD), which is administered by the Ministry of State Security's 13th Bureau — the same entity responsible for offensive cyber operations. Firms designated as "Technical Support Units" (TSUs) for CNNVD are required to provide vulnerability early warning support to the MSS, creating additional channels through which MAPP data could flow to intelligence operators.
A further concern emerged from a report by the Tech Integrity Project, a U.S. advocacy group, which found that Chinese organizations linked to cyber espionage had been operating from the same sprawling campus in Wuhan as MAPP participants in June 2025. The organizations were operating within China's National Cybersecurity Center — formally known as the National Cybersecurity Talent and Innovation Base — a facility that houses a division of the Ministry of State Security, according to the Tech Integrity Project's findings as reported by Bloomberg. Microsoft spokesperson David Cuddy denied any cooperation with the cybersecurity center in Wuhan, stating that Microsoft had never engaged with the facility.
At least a dozen Chinese companies were participating in MAPP at the time of the 2025 attacks, including major domestic security firms. Between 2018 and 2025, however, several Chinese companies had quietly disappeared from the MAPP membership list, including Huawei, Neusoft, and Qihoo 360 — though the reasons were not always publicly disclosed. Qihoo 360, once among China's largest cybersecurity companies, had already been removed from MAPP after being placed on the U.S. Department of Commerce Entity List, which restricts access to American technology. Its removal was a precedent, but it did not prompt broader program reforms at the time. The Shadowserver Foundation, using scan data, identified 424 SharePoint servers still vulnerable to CVE-2025-53770 and CVE-2025-53771 as of July 23, with exposed systems concentrated in the United States, Iran, Germany, India, and China.
What Microsoft Changed and What It Means Going Forward
On August 20, 2025, Microsoft announced a formal change to MAPP's access structure. Partners located in countries where they are required by law to report vulnerabilities to their governments would no longer receive proof-of-concept exploit code in advance. Instead, they would receive a general written description of the vulnerability at the same time that public patches are released — functionally equivalent to the MAPP Entry tier, which had always been the designated category for partners with mandatory disclosure obligations.
The change, reported by Bloomberg, was confirmed by Microsoft spokesperson David Cuddy, who stated that the company had modified notifications for MAPP participants in jurisdictions with mandatory government vulnerability reporting requirements, with China being the primary country in scope. Microsoft also confirmed for the first time that it had shut down facilities in China where government officials could previously review Microsoft source code for backdoors. Those centers had been inactive since 2019.
The decision was widely interpreted as a significant, if overdue, acknowledgment that the program's existing safeguards were inadequate for the geopolitical reality of operating a global vulnerability-sharing program. The change does not affect MAPP membership itself — Chinese partners remain formally enrolled — but it removes the two elements that made their participation dangerous: early timing and technical specificity. Security analysts noted that the change effectively draws a clear line between MAPP membership and the ability to receive pre-patch technical detail, a line that had previously been blurry for partners in jurisdictions with mandatory disclosure laws. Katie Moussouris, a former Microsoft senior security strategist who created Microsoft's bug bounty program and ran the MSRC Security Community and Strategy team during MAPP's formative years, suggested in public commentary that a reasonable mitigation for leaks would be reverting the entire program to its original 24-hour advance notice window, raising questions about whether the current multi-tier structure creates more risk than it resolves.
Moussouris raises a question worth pausing on: does giving any vendor five full days of advance access to PoC exploit code create more aggregate risk than it prevents? The original MAPP program operated with a 24-hour window. The five-day ANS tier was added later to give vendors more time to build protections — but it also gives a compromised insider five days to weaponize the data.
The tradeoff is real. A 24-hour window means security vendors have roughly one business day to analyze vulnerabilities, write signatures, test them, and push updates to production. For complex vulnerabilities, this may not be enough. But a five-day window means the most sensitive intelligence in the security ecosystem sits on dozens of partner networks for nearly a week before the public patch — and every one of those networks is a potential leak vector. The question is whether the marginal defensive value of days four and five outweighs the marginal risk of exposure. The 2025 incident suggests it does not.
The change does not eliminate risk. MAPP partners in other jurisdictions could theoretically be compromised by nation-state actors, and the ToolShell attack chain itself demonstrated that a well-resourced adversary can weaponize vulnerability data with extraordinary speed. But it does address the specific structural conflict at the heart of the 2025 incident: the incompatibility between an NDA obligation to protect pre-patch data and a legal obligation to share that same data with a government authority within 48 hours.
Microsoft's updated MAPP framework now formally codifies what the Entry tier had always described as the baseline for partners with mandatory disclosure requirements. The program's tier structure — Entry, Entry+, ANS, and Validate — now functions not just as a maturity ladder but as a trust and jurisdiction filter. Access to the most sensitive pre-patch technical information, including PoC code, is reserved for partners who can demonstrate both the operational capability and the legal freedom to protect it.
Broader Implications: Other Vendors, Other Countries, and Practical Guidance
Is MAPP Unique to Microsoft?
MAPP is the largest and most structured program of its kind, but it is not the only one. Other major technology vendors have their own mechanisms for sharing vulnerability data with security partners before public disclosure. Apple coordinates with security vendors through its Security Bounty program and shares pre-release details with select partners under NDA during critical patch cycles. Google's Project Zero operates under a strict 90-day disclosure deadline that applies to all vendors, including Google itself, and shares vulnerability findings through coordinated disclosure channels. Cisco maintains its own advance notification relationships through Cisco Talos. However, none of these programs match MAPP in scale, formalization, or tier structure. MAPP's distinguishing feature is its systematic, recurring, monthly cadence of pre-patch intelligence delivery to more than 100 global partners. That scale is both its strength and its risk surface.
Which Countries Beyond China Are Affected?
Microsoft's post-2025 restriction applies to partners in any country with mandatory government vulnerability disclosure requirements, not only China. In practice, China is the primary country affected because it has the largest concentration of MAPP members subject to such laws. However, Russia's 2017 amendments to its federal law on information security require vulnerability reporting to FSTEC (the Federal Service for Technical and Export Control), and several other jurisdictions have enacted or proposed similar requirements. The key determination is not the country's name but whether its domestic law compels MAPP partners to share pre-release vulnerability data with government authorities. Any partner operating under such an obligation is now limited to the MAPP Entry tier: general written descriptions delivered at the time public patches are released, with no proof-of-concept code and no advance timing.
What Happens to Defensive Coverage in Affected Regions?
One consequence of the August 2025 change that received less attention is the downstream effect on enterprises in China and other affected jurisdictions. Chinese security vendors that relied on MAPP's advance intelligence to build and ship detection signatures to their domestic customers now receive vulnerability data at the same time as the general public. For Chinese enterprises running Microsoft products, this creates a defensive gap: their local security vendors can no longer pre-position protections ahead of a patch release. Those organizations are now dependent on global MAPP members' protections reaching them through third-party integrations, or on patching quickly enough to outrun attackers who reverse-engineer the public patch. Microsoft has not publicly addressed how it plans to mitigate this defensive asymmetry for legitimate customers in affected regions.
Microsoft's restriction improves security for the global MAPP program, but it also degrades the defensive posture of legitimate enterprises inside China. Millions of Chinese organizations run Microsoft products and depended on local MAPP partners for pre-patch protection. Is it possible that the restriction makes the global attack surface smaller while making the Chinese attack surface larger?
This is one of the hardest tradeoffs in the entire MAPP discussion. The restriction is clearly justified from the perspective of protecting MAPP's integrity and preventing nation-state exploitation of pre-patch data. But it creates a secondary effect: Chinese enterprises that never participated in any leak now have weaker defenses than enterprises in jurisdictions with unrestricted MAPP access. Microsoft has not announced any compensating mechanism — such as accelerated patch delivery or alternative notification channels — for affected customers. Whether this asymmetry creates strategic risk (by making Chinese organizations more vulnerable and thus generating more compromised hosts for attackers to use) remains an open question.
Has Microsoft Confirmed Who Leaked MAPP Data?
As of this writing, Microsoft has not publicly attributed the 2025 MAPP leak to a specific company or individual. The company has confirmed that three Chinese threat actor groups — Linen Typhoon, Violet Typhoon, and Storm-2603 — exploited the SharePoint vulnerabilities, and it has acknowledged that the timing of exploitation aligned with MAPP notification waves. Microsoft has stated that it takes both overt and undisclosed measures to prevent misuse of MAPP data and that partners who violate their contracts face suspension or removal. However, no public expulsion has been announced in connection with the 2025 incident, unlike the 2012 case where Hangzhou DPtech was publicly identified and removed. This suggests either that the investigation is ongoing, that the leak was attributed to a structural vector (such as mandatory government reporting) rather than an individual act of corporate espionage, or that Microsoft has taken undisclosed action.
Could the Vulnerabilities Have Been Discovered Independently?
This question came up in the 2021 Exchange incident and resurfaces with ToolShell. In theory, a sophisticated threat actor with knowledge of the Pwn2Own demonstration in May 2025 and sufficient reverse-engineering capability could have independently located the same SharePoint vulnerabilities without MAPP data. Pwn2Own results are publicized, and the targeted component (SharePoint ToolPane.aspx) was known. However, several factors weigh against a purely independent discovery: the exploitation began on the same day as the final MAPP notification, the attackers demonstrated immediate knowledge of how to bypass the initial patches, and the MAPP notifications included technical detail and proof-of-concept code that would have dramatically accelerated exploit development. Dustin Childs of ZDI stated that while the patches could have been reverse-engineered, the coincidence of timing made a leak the more plausible explanation.
What Should Organizations Running On-Premises SharePoint Do Now?
For organizations that operate on-premises SharePoint Server 2016, 2019, or Subscription Edition, the ToolShell campaign carries specific remediation requirements that go well beyond standard patching. CISA's guidance specifies rotating ASP.NET machine keys before applying Microsoft's July 2025 patches, then rotating them again after patching, followed by an IIS server restart. Machine keys can be rotated with the Update-SPMachineKey PowerShell cmdlet, which generates a new random key for the specified web application, or by running the Machine Key Rotation Job from SharePoint Central Administration. Organizations should verify that all four CVEs (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771) have been patched. Organizations that migrated to SharePoint Online are not directly affected, since Microsoft manages patching for its cloud-hosted infrastructure. However, hybrid environments that retain on-premises SharePoint components for specific workloads remain in scope.
A critical step that many initial remediation guides missed: before restarting IIS, administrators must manually inspect applicationHost.config and web.config for malicious module entries planted by the attacker. CISA's July 31, 2025 update to its SharePoint alert explicitly warned that if IIS is restarted without first removing these entries, attacker-loaded modules persist and reload when IIS comes back online. Skipping this step means the server restarts in a compromised state, and the entire rotate-patch-rotate cycle is undermined.
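The module audit above is tedious to do by eye on a large applicationHost.config, so here is an added triage helper (not from the page, CISA, or Microsoft) that parses the XML, lists every `<add>` entry under `<globalModules>` and `<modules>`, and flags entries that are absent from a known-good baseline config or that load code from outside the Windows system directories. The configs, the `ipfltr.dll` path and the `Updater.Telemetry` type are constructed samples, not real indicators; the trusted-path and namespace lists are heuristics to tune, and a copy of the same config from a clean server of the same build is the better baseline.

```python
"""
Added triage helper: parse an IIS applicationHost.config / web.config and list
module entries that are missing from a known-good baseline or load code from
outside the Windows system directories. Sample configs below are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Native (globalModules) images normally live under these paths; anything in
# ProgramData, Temp or a SharePoint web root deserves a look. (Heuristic.)
TRUSTED_IMAGE_PREFIXES = (
    r"%windir%\system32\inetsrv",
    r"%windir%\microsoft.net\framework",
    r"c:\windows\system32\inetsrv",
    r"c:\windows\microsoft.net\framework",
)
# Managed (<modules> in web.config) types for SharePoint/ASP.NET come from
# these namespaces; an unfamiliar assembly is a lead, not proof. (Heuristic.)
TRUSTED_TYPE_PREFIXES = ("System.", "Microsoft.")


@dataclass(frozen=True)
class ModuleEntry:
    section: str  # "globalModules" (native) or "modules" (managed)
    name: str
    target: str   # image path for native entries, CLR type for managed ones


def module_entries(config_xml):
    """Return the set of <add> entries under <globalModules> and <modules>."""
    root = ET.fromstring(config_xml)
    found = set()
    for section, attr in (("globalModules", "image"), ("modules", "type")):
        for container in root.iter(section):
            for add in container.findall("add"):
                found.add(ModuleEntry(section, add.get("name", ""), add.get(attr, "")))
    return found


def untrusted_target(entry):
    """Heuristic: does this entry load code from an unexpected place?"""
    target = entry.target.strip()
    if entry.section == "globalModules":
        return not target.lower().startswith(TRUSTED_IMAGE_PREFIXES)
    if not target:
        # <modules><add name="X"/> in applicationHost.config only references a
        # native module already declared in <globalModules>; judged there.
        return False
    return not target.startswith(TRUSTED_TYPE_PREFIXES)


def audit_modules(suspect_xml, baseline_xml=None):
    """Return [(entry, [reasons])] for entries an analyst should review."""
    suspect = module_entries(suspect_xml)
    baseline = module_entries(baseline_xml) if baseline_xml else set()
    findings = []
    for entry in sorted(suspect, key=lambda e: (e.section, e.name)):
        reasons = []
        if baseline_xml is not None and entry not in baseline:
            reasons.append("not in baseline")
        if untrusted_target(entry):
            reasons.append("untrusted load path or type")
        if reasons:
            findings.append((entry, reasons))
    return findings


# Constructed known-good fragment (a real config has many more entries).
BASELINE_CONFIG = """<configuration><system.webServer>
  <globalModules>
    <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
    <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
  </globalModules>
  <modules>
    <add name="UriCacheModule" lockItem="true" />
    <add name="SPRequestModule" type="Microsoft.SharePoint.ApplicationRuntime.SPRequestModule, Microsoft.SharePoint" />
  </modules>
</system.webServer></configuration>"""

# Same config after a hypothetical intrusion: a native module masquerading
# under a legitimate IIS module name but loaded from ProgramData, plus a
# managed module from an unknown assembly. Both names/paths are invented.
SUSPECT_CONFIG = BASELINE_CONFIG.replace(
    "</globalModules>",
    '  <add name="IsapiFilterModule" image="C:\\ProgramData\\updater\\ipfltr.dll" />\n  </globalModules>',
).replace(
    "</modules>",
    '  <add name="TelemetryModule" type="Updater.Telemetry, Updater" />\n  </modules>',
)

if __name__ == "__main__":
    for entry, reasons in audit_modules(SUSPECT_CONFIG, BASELINE_CONFIG):
        print(f"[{entry.section}] {entry.name} -> {entry.target}: {', '.join(reasons)}")
```

Run it against `%windir%\System32\inetsrv\config\applicationHost.config` and every web.config under the SharePoint web roots before the IIS restart; anything it flags should be removed (and the referenced file preserved as evidence) before iisreset is run, otherwise the module simply reloads.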
Web shell hunting should extend beyond the campaign's signature .aspx files. CISA confirmed that attackers also deployed .dll payloads during exploitation — binary modules that are significantly harder to detect than text-based web shells and can survive standard file scans. Organizations should audit IIS worker process (w3wp.exe) behavior for unexpected child processes, and scan SharePoint directories for any unauthorized .dll files that appeared during the exposure window.
Organizations should also be aware that Microsoft's recommended AMSI (Antimalware Scan Interface) mitigation has known limitations for this exploit chain. WatchTowr Labs confirmed that CVE-2025-53770 can be exploited in a way that bypasses AMSI entirely. WatchTowr CEO Benjamin Harris stated publicly that some organizations were enabling AMSI instead of patching and called this approach dangerous. AMSI should be treated as a supplementary layer of defense, not as a substitute for patching. Public proof-of-concept exploits will trigger AMSI detection, which can mislead administrators into believing their systems are protected when a sophisticated attacker using modified payloads would not be stopped.
SOC teams should implement active monitoring for ToolShell's specific initial access signature: HTTP POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer header set to /_layouts/SignOut.aspx. The spoofed Referer is what defeats SharePoint's authentication check (CVE-2025-49706) and lets an unauthenticated request reach ToolPane.aspx, which makes it the single most reliable network-level indicator of a ToolShell exploitation attempt. Because the header is only visible where TLS is terminated, the check belongs in IIS logs, a WAF, or a reverse proxy rather than on a network tap watching encrypted traffic. Any match warrants immediate investigation and host isolation.
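As an added example of that check (not from the page or any vendor), the following scans an IIS W3C log for the initial-access signature and for any request to the campaign's spinstall*.aspx web shells. Field names follow IIS's default W3C logging set, which includes cs(Referer); the log lines are a constructed sample (the 203.0.113.9 address is from the documentation range, and the `a=/ToolPane.aspx` parameter is included only as sample data). The patterns accept /_layouts/16/ as well as /_layouts/15/, a generalisation the page does not state.

```python
"""
Added example: flag the ToolShell initial-access signature and web-shell hits
in an IIS W3C log. Sample log below is constructed.
"""
import re
from dataclasses import dataclass

# /_layouts/16/ accepted alongside /_layouts/15/ (assumption, see lead-in).
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx$", re.I)
DISPLAYMODE_RE = re.compile(r"(?:^|&)displaymode=edit(?:&|$)", re.I)
WEBSHELL_RE = re.compile(r"/_layouts/1[56]/spinstall\d*\.aspx$", re.I)


@dataclass
class Hit:
    rule: str
    line_no: int
    client_ip: str
    request: str


def parse_w3c(text):
    """Yield (line_no, {field: value}) using the log's own #Fields: directive."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: data before any #Fields: directive")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign
        yield line_no, dict(zip(fields, values))


def detect_toolshell(log_text):
    """Return Hit records for initial-access attempts and web-shell requests."""
    hits = []
    for line_no, rec in parse_w3c(log_text):
        method = rec.get("cs-method", "-").upper()
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        referer = rec.get("cs(Referer)", "-")
        client = rec.get("c-ip", "-")
        request = f"{method} {stem}" + (f"?{query}" if query != "-" else "")
        if (method == "POST" and TOOLPANE_RE.search(stem)
                and DISPLAYMODE_RE.search(query) and SIGNOUT_RE.search(referer)):
            hits.append(Hit("toolshell-initial-access", line_no, client, request))
        elif WEBSHELL_RE.search(stem):
            # Any request for spinstall*.aspx is post-exploitation, whatever the status.
            hits.append(Hit("toolshell-webshell-access", line_no, client, request))
    return hits


# Constructed sample: one legitimate page load, one exploitation attempt, one
# web-shell fetch, and one legitimate authenticated ToolPane edit (no alert).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-07-18 23:14:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.0.71 Mozilla/5.0 - 200 0 0 31",
    "2025-07-18 23:15:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 http://sp.corp.example/_layouts/SignOut.aspx 200 0 0 212",
    "2025-07-18 23:15:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 9",
    "2025-07-18 23:16:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\admin 10.0.0.71 Mozilla/5.0 http://sp.corp.example/_layouts/15/start.aspx 200 0 0 80",
])

if __name__ == "__main__":
    for hit in detect_toolshell(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.rule} from {hit.client_ip}: {hit.request}")
```

The fourth record is a genuine, authenticated ToolPane edit with a normal Referer and is deliberately not flagged; the point of keying on the SignOut.aspx Referer rather than on ToolPane.aspx alone is to avoid paging the SOC every time a site owner edits a web part.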
The threat model for ToolShell extends beyond espionage. Microsoft confirmed that Storm-2603, a China-based threat actor, used the ToolShell chain to deploy Warlock ransomware, a strain that Trend Micro researchers linked to the LockBit 3.0 codebase. Organizations that were exposed during the exploitation window should hunt not only for espionage indicators such as credential theft and data exfiltration, but also for ransomware staging artifacts: domain trust enumeration via nltest (T1482), LSASS credential dumping (T1003.001), Group Policy abuse for payload distribution (T1484.001), lateral movement via Impacket WMI execution (T1047), and tooling copied between hosts (T1570). A compromised SharePoint server is deeply integrated with other Microsoft services including Teams, OneDrive, Exchange, and Active Directory, which means an attacker who gains a foothold in SharePoint can potentially pivot into the broader organizational environment. The full set of techniques observed in this campaign is cataloged in MITRE ATT&CK under Campaign C0058.
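The w3wp.exe child-process audit mentioned earlier and the staging artifacts listed here are both questions about process-creation telemetry, so one added hunting example (not from the page, Microsoft, or CISA) covers them together: it classifies events with Sysmon-style field names (Image, ParentImage, CommandLine) for a shell spawned by the IIS worker, nltest trust enumeration, LSASS dumping via comsvcs.dll or procdump, and the default Impacket wmiexec command pattern. The event set is constructed, and the regular expressions are starting points to tune against your own telemetry, not authoritative signatures.

```python
"""
Added hunting example: classify process-creation events (JSON lines with
Sysmon-style fields) for ToolShell post-exploitation behaviours. Sample
events below are constructed.
"""
import json
import re

# Children of the IIS worker that indicate web-shell command execution.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                  "certutil.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line rules; labels carry the ATT&CK technique they map to.
RULES = [
    ("T1482 domain trust enumeration",
     re.compile(r"\bnltest(?:\.exe)?\b.*(?:/domain_trusts|/all_trusts|/dclist)", re.I)),
    ("T1003.001 LSASS memory dump",
     re.compile(r"comsvcs(?:\.dll)?\b.*MiniDump|procdump.*\blsass\b|\blsass\b.*\.dmp\b", re.I)),
    # Impacket wmiexec.py default: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1
    ("T1047 WMI execution (Impacket wmiexec pattern)",
     re.compile(r"cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of technique labels an event matches (empty if benign)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    labels = []
    if parent == "w3wp.exe" and image in SHELL_CHILDREN:
        labels.append("T1505.003 IIS worker (w3wp.exe) spawned shell")
    if parent == "wmiprvse.exe" and image in SHELL_CHILDREN:
        labels.append("T1047 WMI provider host spawned shell")
    for label, pattern in RULES:
        if pattern.search(cmdline):
            labels.append(label)
    return labels


def hunt(jsonl_text):
    """Return [(line_no, image, labels)] for every event that matched a rule."""
    results = []
    for line_no, line in enumerate(jsonl_text.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        labels = classify(event)
        if labels:
            results.append((line_no, basename(event.get("Image", "")), labels))
    return results


# Constructed events: web-shell drop from w3wp, a benign ASP.NET compile from
# w3wp (csc.exe, no alert), trust enumeration, an LSASS dump, a wmiexec-style
# command under WmiPrvSE, and an unrelated user process.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden -c \"Set-Content -Path spinstall0.aspx -Value $payload\""}
{"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "csc.exe /noconfig /fullpaths @C:\\Windows\\Temp\\abc.cmdline"}
{"Image": "C:\\Windows\\System32\\nltest.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "nltest /domain_trusts /all_trusts"}
{"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Windows\\Temp\\l.dmp full"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1752880000.12 2>&1"}
{"Image": "C:\\Windows\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
'''

if __name__ == "__main__":
    for line_no, image, labels in hunt(SAMPLE_EVENTS):
        print(f"event {line_no} ({image}): " + "; ".join(labels))
```

The csc.exe event is included on purpose: ASP.NET routinely compiles pages from under w3wp.exe, so a rule that alerts on every w3wp child will bury the real hits. Scope the parent-child rule to shells and LOLBins, and treat the command-line rules as a triage filter to be confirmed by the full process tree.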
Finally, organizations running end-of-life SharePoint versions — Server 2010 and Server 2013 — should be aware that these versions are affected by the ToolShell vulnerability family but will not receive patches. CISA's guidance is unambiguous: disconnect public-facing EOL SharePoint instances from the internet immediately. There is no safe mitigation path for unsupported versions.
For organizations aligning their remediation and patching practices with federal standards, NIST SP 800-40 Rev. 4 (Guide to Enterprise Patch Management Planning) provides the framework for operationalizing the kind of emergency patching cycle that ToolShell demands — including guidance on prioritizing patches by risk, managing workarounds for systems that cannot be immediately updated, and validating that patches have been successfully applied. NIST SP 800-61 Rev. 3 (Incident Response Recommendations and Considerations for Cybersecurity Risk Management), updated in April 2025 to align with the NIST Cybersecurity Framework 2.0, provides the procedural framework for the incident response activities described throughout this section: evidence preservation during containment, coordination with external parties including CISA, post-incident documentation, and lessons-learned integration into future preparedness.
ToolShell remediation checklist for on-premises SharePoint, condensed from the guidance above:
1. Rotate ASP.NET machine keys using Update-SPMachineKey or the Machine Key Rotation Job in SharePoint Central Administration. This must happen first: patching without prior key rotation leaves forged tokens valid.
2. Apply Microsoft's July 2025 security updates for all four CVEs (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771).
3. Rotate the machine keys a second time after patching.
4. Inspect applicationHost.config and web.config for malicious module entries. CISA warns that if IIS restarts without removing these entries, attacker-loaded modules persist and reload.
5. Run iisreset.exe to ensure the new machine keys take effect across all application pools, and only after completing the config file audit in Step 4.
6. Hunt for spinstall0.aspx, spinstall1.aspx, and spinstall2.aspx in SharePoint directories. Also scan for unauthorized .dll files; CISA confirmed attackers deployed binary DLL payloads that are harder to detect than text-based web shells.
7. Monitor for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer header of /_layouts/SignOut.aspx. This is the exact HTTP signature of ToolShell initial access attempts.
8. Hunt for ransomware staging indicators: domain trust enumeration via nltest, LSASS credential dumping, Group Policy modification for payload distribution, and lateral movement via Impacket WMI. Storm-2603 used ToolShell to deploy Warlock ransomware.
Frequently Asked Questions About MAPP
What is the Microsoft Active Protections Program (MAPP)?
MAPP is a program run by the Microsoft Security Response Center (MSRC) that shares advance vulnerability information with vetted security vendors before Microsoft's monthly Patch Tuesday update. This gives participating vendors time to build detection signatures, update endpoint protections, and deploy defenses to their customers before the public patch is released — closing the window that attackers use to exploit unpatched systems.
How does MAPP work and what are its tiers?
MAPP has four tiers. MAPP Entry is for partners with mandatory government disclosure requirements and provides general vulnerability information six hours before Update Tuesday without proof-of-concept code. MAPP Entry+ provides guidance 24 hours before Update Tuesday for new partners without mandatory disclosure obligations. MAPP ANS (Advance Notification Service) gives qualified partners detailed guidance five days before Update Tuesday. MAPP Validate is invite-only, where highly trusted partners actively test and improve Microsoft's protective guidance. A separate MAPP for Responders track gives incident responders and CERTs access to clean file hashes and malicious URL feeds.
Who can join MAPP?
MAPP is open to commercial security software providers that actively protect Microsoft customers. Applicants must sign an NDA, follow coordinated vulnerability disclosure practices, demonstrate the ability to protect pre-release data, and build their own protections from MAPP guidance rather than relying on third-party signatures. Organizations that build offensive security tools or exploit kits are disqualified. Partners must also disclose any obligations to report vulnerabilities to government authorities.
Was MAPP involved in the 2025 SharePoint ToolShell attacks?
Microsoft investigated whether a MAPP leak enabled the 2025 ToolShell campaign. Microsoft notified MAPP partners of the SharePoint vulnerabilities (CVE-2025-49704 and CVE-2025-49706) in three waves between June 24 and July 7, 2025. Exploitation was detected on July 7 — the same day as the final notification wave and one day before the public patch. Dustin Childs of Trend Micro's Zero Day Initiative stated that the likeliest explanation was that someone inside MAPP used the advance information to build the exploits. Microsoft attributed the campaign to three Chinese threat actor groups: Linen Typhoon, Violet Typhoon, and Storm-2603.
Why did Microsoft stop sharing PoC exploit code with Chinese MAPP partners?
China's 2021 Cybersecurity Vulnerability Reporting Regulations require companies operating in China to report discovered vulnerabilities to the Ministry of Industry and Information Technology (MIIT) within 48 hours. China's 2017 National Intelligence Law additionally requires all Chinese companies to support, assist, and cooperate with national intelligence efforts. These dual obligations are structurally incompatible with MAPP's NDA requirement to protect pre-patch data for up to two weeks. Following the 2025 SharePoint attacks, Microsoft announced on August 20, 2025 that partners in countries with mandatory government disclosure requirements — including China — would no longer receive proof-of-concept exploit code. They now receive only general written descriptions at the time public patches are released.
What is ToolShell and why does it matter for SharePoint administrators?
ToolShell is an exploit chain targeting on-premises Microsoft SharePoint servers, involving four CVEs: CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 (CVSS 9.8), and CVE-2025-53771. The chain enables unauthenticated remote code execution and allows attackers to steal ASP.NET machine keys. With a stolen machine key, an attacker can forge valid authentication tokens and impersonate any user — including administrators — even after patches are applied. CISA guidance specifies that remediation requires rotating machine keys before patching, then again after patching, followed by an IIS server restart. Patching alone is not sufficient.
How many organizations were compromised in the 2025 SharePoint attacks?
Over 400 organizations worldwide were compromised in the 2025 ToolShell campaign, spanning finance, education, energy, and healthcare sectors across Asia, Europe, and the United States. High-profile victims included the U.S. National Nuclear Security Administration, the agency responsible for the design and maintenance of the American nuclear weapons stockpile. Officials confirmed that no classified information was taken.
When was MAPP created and how has it evolved?
Microsoft launched MAPP in 2008 as part of the Microsoft Security Response Center's broader effort to coordinate vulnerability disclosure with the security industry. The program initially operated with a simpler tier structure and was later expanded to include Entry, Entry+, ANS, Validate, and Responders tiers. At launch, the program's primary goal was to give antivirus and IDS/IPS vendors enough lead time to ship detection signatures before attackers could reverse-engineer public patches. The 2025 reforms represent the most significant structural change since the program's inception, introducing jurisdiction-based access controls that restrict which partners can receive proof-of-concept code based on their country's legal requirements.
Do other tech companies have programs similar to MAPP?
Other major technology vendors coordinate with security partners before public vulnerability disclosures, but none operate a program with MAPP's scale, formalization, or monthly cadence. Apple shares pre-release vulnerability data with select partners under NDA during critical patch cycles. Google's Project Zero enforces a strict 90-day disclosure deadline and shares findings through coordinated disclosure. Cisco coordinates through Cisco Talos. These programs are generally smaller, less formalized, and do not deliver recurring monthly pre-patch intelligence to over 100 global partners the way MAPP does. MAPP is unique in its tier structure, its reporting requirements, and the breadth of its partner ecosystem.
Has Microsoft confirmed who leaked MAPP data in the 2025 incident?
As of this writing, Microsoft has not publicly attributed the 2025 MAPP leak to a specific company or individual. The company confirmed that three Chinese threat actor groups exploited the SharePoint vulnerabilities and acknowledged that exploitation timing aligned with MAPP notification waves. Unlike the 2012 incident where Hangzhou DPtech was publicly expelled, no public removal has been announced in connection with the 2025 case. Microsoft's subsequent policy change — restricting access for all partners in jurisdictions with mandatory disclosure laws — suggests the company addressed the problem as a structural issue rather than targeting a single actor.
Are countries other than China affected by the August 2025 MAPP restrictions?
Yes. Microsoft's restriction applies to partners in any country with mandatory government vulnerability disclosure requirements, not only China. While China is the primary country affected due to having the largest concentration of MAPP members subject to such laws, other jurisdictions with similar requirements — including Russia, which requires vulnerability reporting to FSTEC — also fall within scope. The determining factor is whether a country's domestic law compels MAPP partners to share pre-release vulnerability data with government authorities.
What should SharePoint administrators do right now in response to ToolShell?
Organizations running on-premises SharePoint Server 2016, 2019, or Subscription Edition should ensure all four ToolShell CVEs are patched (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771). Critically, CISA guidance specifies that ASP.NET machine keys must be rotated before applying patches, then rotated again after patching, using Update-SPMachineKey or the Machine Key Rotation Job in Central Administration. Before restarting IIS with iisreset.exe, administrators must manually inspect applicationHost.config and web.config for malicious module entries; CISA warned that skipping this step causes attacker-loaded modules to persist and reload. Beyond the signature .aspx web shells (spinstall0.aspx, spinstall1.aspx, spinstall2.aspx), organizations should scan for unauthorized .dll payloads, which are harder to detect. AMSI should be enabled in Full Mode as a supplementary defense but not treated as a substitute for patching, since WatchTowr Labs confirmed that CVE-2025-53770 can be exploited in a way that bypasses AMSI entirely. SOC teams should monitor for POST requests to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx, and hunt for ransomware staging indicators, as Storm-2603 used ToolShell to deploy Warlock ransomware. SharePoint Server 2010 and 2013 are affected but will not receive patches and must be disconnected from the internet. SharePoint Online customers are not directly affected.
How is MAPP different from Microsoft's bug bounty program?
MAPP and Microsoft's bug bounty program serve opposite directions of information flow. The bug bounty program pays independent security researchers to find and report vulnerabilities to Microsoft. MAPP sends vulnerability information from Microsoft outward to vetted security vendors so they can build defenses. Bug bounty participants discover vulnerabilities; MAPP participants consume vulnerability data to protect customers. The two programs intersect in the disclosure timeline: a vulnerability reported through the bug bounty program may eventually be shared with MAPP partners as part of the pre-patch notification cycle, as happened with the SharePoint vulnerabilities originally demonstrated at Pwn2Own Berlin 2025.
Key Takeaways
- MAPP exists to close the defender gap: The program gives vetted security vendors advance access to vulnerability data so they can build and ship protections before public patches drop. Without it, defenders start the race at the same time as attackers who reverse-engineer patch releases.
- Four tiers define access and obligation: Entry is for partners with mandatory government disclosure obligations and provides general information six hours before Update Tuesday, without PoC code. Entry+ is for partners without those obligations and provides more detailed guidance 24 hours before Update Tuesday. MAPP ANS provides detailed guidance five days before Patch Tuesday. MAPP Validate is invite-only and involves actively improving Microsoft's guidance. Access to PoC code is reserved for partners without mandatory government disclosure obligations.
- The program has a documented leak history: MAPP-related leaks were confirmed in 2012, suspected in 2021, and credibly attributed in 2025. Each incident involved Chinese participants and pre-patch vulnerability data reaching nation-state actors.
- Chinese law creates an irresolvable conflict: China's 2021 vulnerability reporting regulation requires disclosure to MIIT within 48 hours, and its 2017 National Intelligence Law requires companies to cooperate with state intelligence efforts. This dual obligation is structurally incompatible with holding MAPP pre-patch data under NDA for up to two weeks. The conflict is not a matter of individual bad actors — it is built into the legal framework.
- Microsoft's August 2025 reform changed access, not membership: Chinese MAPP participants were not expelled. They were downgraded to general written descriptions at patch-release time, removing PoC access while preserving their formal membership. The program's value to defenders globally was preserved; the most dangerous attack surface was reduced.
- Stolen machine keys change the patching calculus: The ToolShell campaign demonstrated that certain SharePoint attacks can establish persistence that survives patching. Organizations running on-premises SharePoint should treat machine key integrity as an incident response priority, not just a patching one.
MAPP represents a genuinely difficult problem in applied security: how do you share sensitive information broadly enough to enable effective defense, without creating a surface that sophisticated adversaries can exploit? The program's 2025 crisis did not reveal a failure of concept. It revealed a failure to account for the legal and geopolitical environment in which a global vulnerability-sharing program necessarily operates. The reforms that followed are a correction, not an indictment. The question going forward is whether those reforms hold — and whether they are enough.
Sources
- Microsoft MSRC — Microsoft Active Protections Program (MAPP)
- Microsoft MSRC — MAPP Frequently Asked Questions
- Microsoft MSRC — MAPP Membership Criteria
- Microsoft Security Blog — How MSRC Coordinates Vulnerability Research and Disclosure (March 2025)
- Microsoft Security Blog — Disrupting Active Exploitation of On-Premises SharePoint Vulnerabilities (July 2025)
- Microsoft MSRC Blog — Customer Guidance for SharePoint Vulnerability CVE-2025-53770 (July 2025)
- Bloomberg via Claims Journal — Microsoft Curbs Early Access for Chinese Firms to Vulnerability Notifications (August 2025)
- The Washington Post — U.S. Nuclear and Health Agencies Hit in Microsoft SharePoint Breach (July 2025)
- ProPublica — Microsoft Used China-Based Engineers to Support Product Recently Hacked by China (August 2025)
- ProPublica — Microsoft "Digital Escorts" Could Expose Defense Dept. Data to Chinese Hackers (July 2025)
- Cybersecurity News — Microsoft Probes Leak in Early Alert System as Chinese Hackers Exploit SharePoint (July 2025)
- Security Affairs — After SharePoint Attacks, Microsoft Stops Sharing PoC Exploit Code with China (August 2025)
- The Register — Blame a Leak for Microsoft SharePoint Attacks: Researcher (July 2025)
- The Register — Microsoft Cuts Off China's Early Access to Bug Disclosures, PoC Exploit Code (August 2025)
- Foundation for Defense of Democracies — Microsoft Severs Chinese Access to Cybersecurity Vulnerability Information (August 2025)
- Natto Thoughts — When Privileged Access Falls into the Wrong Hands: Chinese Companies in Microsoft's MAPP Program (July 2025)
- CISA — Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities (July 2025, updated August 2025)
- Palo Alto Unit 42 — Active Exploitation of Microsoft SharePoint Vulnerabilities Threat Brief (2025)
- Akamai Security Intelligence Group — Understand the SharePoint RCE: Exploitations, Detections, and Mitigations (2025)
- MITRE ATT&CK — SharePoint ToolShell Exploitation Campaign C0058 (2025)
- Resecurity — SharePoint Zero-Day Exploit (ToolShell) Network Infrastructure Mapping (2025)
- Windows Central — Microsoft's Cybersecurity Crackdown: A Response to Beijing-Linked Breaches (August 2025)
- GBHackers — Microsoft Investigates Leak in Early Warning System Used by Chinese Hackers (July 2025)
- BankInfoSecurity — How Did the Exchange Server Exploit Leak? (2021)
- Security Conversations — Microsoft Should Suspend (Then Rethink) MAPP (April 2021)
- Cisco Talos — Microsoft Advisory Archive (MAPP Member Statement)
- Business Wire — Stellar Cyber Joins MAPP (July 2025)
- Georgetown CSET — China's National Cybersecurity Center (2021)
- Microsoft MSRC Blog — Inside the MAPP Program (May 2012)
- Kaspersky Global Research and Analysis Team — ToolShell CVE-2020-1147 Deserialization Ancestry Analysis (2025)
- WatchTowr Labs — CVE-2025-53770 AMSI Bypass Analysis (2025)
- Shadowserver Foundation — Vulnerable SharePoint Server Scan Data (July 2025)
- NIST SP 800-40 Rev. 4 — Guide to Enterprise Patch Management Planning
- NIST SP 800-61 Rev. 3 — Incident Response Recommendations and Considerations (April 2025)