Microsoft SharePoint Server has become a prime target for sophisticated attackers. As new variants of the SharePoint exploits have been reported, AV, EDR, XDR, and other detection-based tools have required pattern updates. Those that cannot keep up with the adversaries leave a costly “detection gap” for their users. This blog post has been revised at least three times to keep up with the variants. Already deployed AppGuard agents, however, have required no policy updates: AppGuard, with default policies, stops every reported attack variant.
As of July 24, 2025, on-premises SharePoint Server installations are facing active exploitation of multiple critical vulnerabilities, including CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, and CVE-2025-49706. (SharePoint Online in Microsoft 365 is not affected.) Dubbed the “ToolShell” chain, these flaws—detailed in recent reports from The Hacker News, BleepingComputer, Dark Reading, SecurityWeek, and Infosecurity Magazine—have been weaponized since July 7, 2025, compromising over 400 organizations globally. Victims span U.S. federal agencies, state entities, energy companies, ports, shipping firms, universities, and telecom providers across North America, Europe, and Asia.
The impacts are severe: remote code execution, data exfiltration, and operational halts costing millions in downtime and remediation. With thousands of vulnerable instances still exposed, these exploits highlight the fragility of collaboration tools in enterprise environments—but proactive defenses can turn the tide.
Important Note for SharePoint Users Already Hit: readers lacking AppGuard should know that some AppGuard MSSPs deploy AppGuard AFTER a breach to suppress the malware’s activities. This is not a removal solution; MSSPs say it helps them fight the infection while they clean up. There are reports that cyber defenders are finding it difficult to remove post-exploit malware.
Why Detection-Based Defenses Are Falling Short
Antivirus (AV), endpoint detection and response (EDR), and extended detection and response (XDR) tools have long been the go-to for endpoint protection, but they share a fundamental limitation: they must recognize a threat to stop it. In the recent SharePoint exploits reported across trade publications like BleepingComputer and The Hacker News, attackers evaded pattern matching by chaining zero-days with deserialization flaws, authentication-spoofing bypasses, living-off-the-land techniques, and programmed ‘pauses’, creating detection gaps. False positives flood analysts with alerts, while false negatives prolong intrusions; global median dwell times are still measured in days to weeks, not minutes. Even after emergency patches, variants allow re-entry, as seen in attacks on ports and nuclear agencies: the first-stage payload in these attacks steals the server’s ASP.NET machine keys, and an attacker holding those keys can keep forging signed requests to a patched server until the keys are rotated (Microsoft provides the Update-SPMachineKey cmdlet and a Central Administration timer job for this; restart IIS afterwards). As breach volumes climb 26.8% year-over-year and ransomware variants surge, piling on more detection layers only escalates chaos, operational costs, and complexity without sealing the vulnerabilities.
Key Vulnerabilities and Impacts
| Vulnerability | Description | Impact |
|---|---|---|
| CVE-2025-53770 | Deserialization of untrusted data leading to unauthenticated RCE | Web shell deployment, data exfiltration |
| CVE-2025-53771 | Path traversal spoofing bypass | Authentication evasion, persistent access |
| CVE-2025-49704 | Code injection RCE | Arbitrary code execution, escalation |
| CVE-2025-49706 | Authentication spoofing | Unauthorized entry, chained attacks |
How the SharePoint Attacks Work: A Simple Metaphor for Non-Tech Readers
Picture your SharePoint server as a secure office building where teams share files like passing notes in a central hub. Attackers exploit a glitch in the door’s lock system, sneaking in without credentials. Once inside, they hide a secret camera in a utility room, which lets them roam freely, grabbing sensitive packages or tampering with the wiring. From there, they rifle through desks or use internal tools like automated messengers to pull in more gadgets. It’s a silent takeover, blending with everyday traffic to turn your collaborative space into a compromised stronghold.
Post-Exploit Actions Observed Across Multiple Attack Variants
Multiple threat actors are employing different variants that exploit the SharePoint vulnerabilities. The table below summarizes a sampling of the most interesting post-exploit actions. Different attacks name files differently and vary their locations, so treat the names and paths below as examples of what has been reported, not as a complete indicator list.
Every malware attack employs one or more malware techniques, each of which consists of one or more activities. An activity involves an actor process performing a read, write, launch, or other action upon a target object, which can be a file, registry key, or another process. In the tables below, the actor is the last process in the “Actor Process Tree” column. In the first row, for example, the actor process w3wp.exe wrote the target file spinstall0.aspx to the location shown.
| Activities | Purpose | Location | Actor Process Tree |
|---|---|---|---|
| spinstall0.aspx | An ASP.NET page dropped into the LAYOUTS directory so it can be reached over HTTP like any legitimate page. In the reported attacks its job is to read and return the server’s ASP.NET machine keys (ValidationKey and DecryptionKey), which let the attackers forge signed __VIEWSTATE payloads and keep executing code even after the server is patched. It is the starting point for deeper hacks in these SharePoint attacks, and the reason machine keys must be rotated during remediation. | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx | svchost.exe (parent IIS service) → w3wp.exe |
| IIS_Server_dll.dll | A custom DLL loaded into the web server to keep access alive. It acts like a hidden listener, receiving commands from attackers over the network (via HTTP or DNS) to run more malicious code without being noticed. | C:\Windows\System32\inetsrv\IIS_Server_dll.dll (or custom paths under the IIS modules configuration) | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe |
| SharpHostInfo.x64.exe | A reconnaissance tool dropped to scout the network, checking for other computers, users, or weak spots via protocols like NetBIOS or WMI. It helps attackers map out where to spread next. | C:\Windows\Temp\SharpHostInfo.x64.exe (or C:\Users\<user>\AppData\Local\Temp\SharpHostInfo.x64.exe) | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe |
| xd.exe | A fast reverse-proxy tool that connects back to the attackers’ servers, letting them control the compromised machine remotely or tunnel traffic to hide their tracks. | C:\Windows\Temp\xd.exe | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe |
| debug_dev.js | A file into which stolen server configuration data (such as web.config contents) is written, which attackers retrieve to plan further moves or maintain access. | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\debug_dev.js (or the 16 hive equivalent) | svchost.exe → w3wp.exe → cmd.exe |
| Registry Keys for Disabling Microsoft Defender | These values turn off antivirus features, like real-time scanning, so ransomware can run without being caught. | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware; HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring; HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe |
| Scheduled Tasks for Persistence | Automated jobs set up to run malicious code at regular intervals, keeping the attack alive even after reboots. | C:\Windows\System32\Tasks (XML file for the task); registry mirror at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe → schtasks.exe |
| Group Policy Objects (GPO) Modifications | Alters domain policies to push ransomware or other payloads to multiple machines at once. | C:\Windows\SYSVOL\sysvol\<domain>\Policies\<GUID>\Machine\Scripts\Startup\ (script files for the GPO) | svchost.exe → w3wp.exe → PowerShell.exe |
| Warlock Ransomware Binary | The main payload that encrypts files and demands ransom; dropped and run to lock data. | C:\Windows\System32\warlock.exe or C:\ProgramData\warlock.exe (or Temp variants) | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe |
| Mimikatz | Steals Windows credentials from the memory of C:\Windows\System32\lsass.exe | C:\Windows\Temp\mimikatz.exe or C:\Users\<user>\AppData\Local\Temp\mimikatz.exe | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe |
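For readers who want to check a server against the table above, the following is an added example written for this post; it is not AppGuard code and not part of any vendor tooling. It is a read-only PowerShell triage script: file names, paths, the Defender registry values and the w3wp.exe → cmd.exe/PowerShell.exe process tree are taken from the table, while the 30-day look-back windows and the inclusion of pwsh.exe are assumptions. Because the post notes that attackers rename files and move them around, the script goes slightly beyond the listed names by also flagging any recently written .aspx under LAYOUTS and any recently written task XML.

```powershell
# Added example for this post, not AppGuard code: a read-only triage script that
# looks for the post-exploit artifacts tabulated above on a SharePoint server.
# File names, paths, registry values and the w3wp.exe -> cmd.exe/PowerShell.exe
# process tree come from the table; the date windows and "pwsh.exe" are
# assumptions. It reports, it does not remediate. Run from an elevated session.

$LayoutsRoots = foreach ($hive in 15, 16) {
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\$hive\TEMPLATE\LAYOUTS"
}
$UserTemps = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }
$DropDirs = ($LayoutsRoots + @(
    "$env:SystemRoot\Temp", "$env:SystemRoot\System32",
    "$env:SystemRoot\System32\inetsrv", $env:ProgramData
) + $UserTemps) | Where-Object { $_ }          # drop $null if there are no profiles
# Names seen in the reported variants; attackers rename freely, so this is a floor, not a ceiling.
$DroppedNames = 'spinstall0*.aspx', 'debug_dev.js', 'IIS_Server_dll.dll',
                'SharpHostInfo*.exe', 'xd.exe', 'warlock.exe', 'mimikatz.exe'

function Find-DroppedFiles {
    foreach ($dir in $DropDirs) {
        foreach ($name in $DroppedNames) {
            Get-ChildItem -Path $dir -Filter $name -File -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
        }
    }
}

# Any .aspx written recently under LAYOUTS is worth a look, because the web shell
# only needs *some* name there. Legitimate patching also writes here, so treat
# hits as leads to check against the patch date, not as verdicts.
function Find-RecentLayoutsAspx([int]$Days = 30) {
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days)
    foreach ($root in $LayoutsRoots) {
        Get-ChildItem -Path $root -Filter '*.aspx' -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTimeUtc -gt $since } |
            Select-Object FullName, LastWriteTimeUtc
    }
}

# The three Defender policy values from the table; data of 1 means "disabled".
$DefenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$DefenderChecks = @(
    @{ Path = $DefenderPolicy;                         Name = 'DisableAntiSpyware' }
    @{ Path = "$DefenderPolicy\Real-Time Protection"; Name = 'DisableRealtimeMonitoring' }
    @{ Path = "$DefenderPolicy\Real-Time Protection"; Name = 'DisableBehaviorMonitoring' }
)
function Find-DefenderTampering {
    foreach ($c in $DefenderChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -and $item.($c.Name) -eq 1) {
            [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Data = $item.($c.Name) }
        }
    }
}

# Live process tree: an IIS worker (w3wp.exe) whose child is a shell is the
# common trunk of every row in the table.
function Find-ShellsUnderW3wp {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($parent -and $parent.Name -ieq 'w3wp.exe' -and
            $p.Name -in 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'schtasks.exe') {
            [pscustomobject]@{
                Parent      = "$($parent.Name) ($($parent.ProcessId))"
                Child       = "$($p.Name) ($($p.ProcessId))"
                CommandLine = $p.CommandLine
            }
        }
    }
}

# Task XML files written recently; compare against the TaskCache\Tree key from the table.
function Find-RecentTaskFiles([int]$Days = 30) {
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days)
    Get-ChildItem "$env:SystemRoot\System32\Tasks" -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTimeUtc -gt $since } |
        Select-Object FullName, LastWriteTimeUtc
}

$report = [ordered]@{
    DroppedFiles      = @(Find-DroppedFiles)
    RecentLayoutsAspx = @(Find-RecentLayoutsAspx)
    DefenderTampering = @(Find-DefenderTampering)
    ShellsUnderW3wp   = @(Find-ShellsUnderW3wp)
    RecentTaskFiles   = @(Find-RecentTaskFiles)
}
foreach ($section in $report.Keys) {
    Write-Host "== $section : $($report[$section].Count) hit(s) =="
    $report[$section] | Format-Table -AutoSize | Out-String | Write-Host
}
```

Two caveats on reading the output. A hit in any section is a lead, not proof: patch installs write to LAYOUTS and administrators create tasks, so check timestamps against your change records. Conversely, a clean run proves little, because a patient attacker deletes the dropper once the machine keys are out; if a spinstall0-style page was ever present, assume the keys are compromised and rotate them as part of remediation.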
The Ubiquitous “Detection Gaps” Necessitate Controls-Based Endpoint Protection
Pattern-matching anti-malware technologies such as AV, EDR, XDR, and others look for familiar patterns in files, registry key values, IP addresses, Internet domains, etc. They strive to judge bad from good among practically infinite possibilities. Their patterns are constantly updated to catch up to what adversaries have done since the last update. It never stops. Adversaries prey upon the shortcomings of pattern-matching, changing their malware constantly. When these patterns do not match or when malware obfuscation techniques elude pattern recognition, the adversaries win.
To combat this reality, a shift is imperative: from reactive detection to controls-based protection that applies zero-trust principles WITHIN the endpoint. This method doesn’t rely on spotting malware; it enforces boundaries on what processes can run and what the running processes can do, blocking the actions malware depends on, such as unauthorized file writes, registry changes, malicious library loads, memory writes, and memory theft.
These SharePoint exploit attacks are merely a recent example. Attackers seek zero-day and unpatched application vulnerabilities to exploit, and once they have one they hijack or abuse your own legitimate software to perform the malicious actions that serve their goals. In a world of zero-days, re-exploits, and polymorphic variants, enforcing boundaries with zero-trust principles is essential to mitigating the risks from the ever-present detection gaps of AV, EDR, XDR, and other tools. Every enterprise needs controls-based endpoint protection to fortify its cyber stack.
How AppGuard’s Out-of-the-Box Policies Block the Attacks Detailed in Recent Trade Publications
AppGuard’s controls-based framework is tailored for threats like the recent SharePoint exploits reported in BleepingComputer and Dark Reading, neutralizing them at key stages without custom setup. Default policies contain high-risk processes—such as those managing web requests—restricting their ability to write malicious files to protected directories or access isolated stores. Launch controls prevent unauthorized executions from user- or app-writable areas. AppGuard default policies are stopping the observed variants too.
The following table illustrates how AppGuard’s default “basic” policies stop each of the tabulated post-exploit activities. Some customers deploy AppGuard with a more aggressive set of default policies known as “lockdown”. Both are designed to work for all organizations.
| Activities | Location | Actor Process Tree | How AppGuard Succeeds |
|---|---|---|---|
| spinstall0.aspx | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx | svchost.exe (parent IIS service) → w3wp.exe | Contain high-risk process |
| IIS_Server_dll.dll | C:\Windows\System32\inetsrv\IIS_Server_dll.dll (or custom paths under the IIS modules configuration) | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe | Contain or prohibit high-risk processes |
| SharpHostInfo.x64.exe | C:\Windows\Temp\SharpHostInfo.x64.exe (or C:\Users\<user>\AppData\Local\Temp\SharpHostInfo.x64.exe) | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe | Contain or prohibit high-risk processes; launch restrictions on high-risk folders |
| xd.exe | C:\Windows\Temp\xd.exe | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe | Contain or prohibit high-risk processes |
| debug_dev.js | C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\debug_dev.js | svchost.exe → w3wp.exe → cmd.exe | Contain or prohibit high-risk processes |
| Registry Keys for Disabling Microsoft Defender | HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware; HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring; HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe | Contain or prohibit high-risk processes |
| Scheduled Tasks for Persistence | C:\Windows\System32\Tasks (XML file for the task); HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe → schtasks.exe | Contain or prohibit high-risk processes |
| Group Policy Objects (GPO) Modifications | C:\Windows\SYSVOL\sysvol\<domain>\Policies\<GUID>\Machine\Scripts\Startup\ (script files for the GPO) | svchost.exe → w3wp.exe → PowerShell.exe | Contain or prohibit high-risk processes |
| Warlock Ransomware Binary | C:\Windows\System32\warlock.exe; C:\ProgramData\warlock.exe (or Temp variants) | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe | Contain or prohibit high-risk processes; launch restrictions on high-risk folders |
| Mimikatz | C:\Windows\Temp\mimikatz.exe; C:\Users\<user>\AppData\Local\Temp\mimikatz.exe | svchost.exe → w3wp.exe → cmd.exe or PowerShell.exe | Contain or prohibit high-risk processes; launch restrictions on high-risk folders |
Customizing Your AppGuard Policies Makes Them Even More Effective
AppGuard best practices recommend that customers tailor policies to their own endpoints, which allows a more aggressive reduction of the endpoint attack surface. AppGuard administrators can implement custom launch, containment, and isolation policies (aka boundaries) that shrink the attack surface beyond the defaults. Examples specific to your endpoints include:
- Further restricting SharePoint child processes to those needed during daily operations
- Adding restrictions on which folders YOUR SharePoint is allowed to read from and write to, limiting it to only what it needs
- Prohibiting OS utilities that YOUR SharePoint doesn’t need
- Adding publisher-based launch/load restrictions to folders that YOUR SharePoint must be allowed to write to for normal operations
Why AppGuard Outshines Other Application Control and Containment Tools
To achieve protection comparable to AppGuard, alternative tools require over 10,000 rules per endpoint. That makes them more difficult to deploy initially and burdensome to maintain over time. AppGuard achieves this not by hiding complexity in the cloud but through an elegant, patented technological innovation. By contrast, most AppGuard agents protecting SharePoint deployments probably haven’t required a policy update in months, perhaps years, while most alternatives require frequent rule updates to keep up with software updates, patches, and plug-ins. AppGuard auto-adapts to such changes without needing policy updates from the cloud or anywhere else.
Many vendors emphasize pre-execution limits but neglect peri-execution controls, exposing gaps to injections or memory theft. AppGuard stands apart by delivering full-spectrum controls by default, across file, registry, and memory, with patented auto-adaptiveness that adjusts seamlessly—proving easier, faster, and more robust in practice.
Reducing Cyber Chaos and Operational Costs with AppGuard
Beyond halting attacks, AppGuard revolutionizes endpoint security by curbing the overload from detection-centric stacks. By intercepting malware techniques upfront, it reduces incidents, slashing alert fatigue, false positives, and dwell times. Case studies, like a major airline achieving zero successful attacks since 2019, show SOC hours cut by 66% and annual savings exceeding $750,000 in remediation and downtime. This allows detection tools to zero in on narrower risks and provides leeway for thorough patching, streamlining operations, easing staff burdens, and trimming cyber budgets—evolving defenses from reactive turmoil to efficient fortification.
Secure Your Endpoints Before the Next Breach Hits
Don’t let SharePoint exploits become your headline. Embrace controls-based protection today to stay ahead of evolving threats. Fortify your cyber stack by adding AppGuard—visit appguard.us for a deeper dive.