SharePoint Servers Now Actively Targeted by CVE-2019-0604 Exploit

A "Critical"-rated vulnerability in SharePoint Server, for which Microsoft issued a patch back in March, is now being actively targeted, according to some security authorities.

Attackers are installing China Chopper Web shells on SharePoint Servers to carry out remote code execution attacks. Potentially affected SharePoint products include all versions, from SharePoint Server 2010 through SharePoint Server 2019, as described in Microsoft's Security Advisory CVE-2019-0604.

Christopher Doman, a security researcher at AlienVault, raised the alarm about the active targeting in a Tweet on Friday. He cited an April 23 alert by the Canadian Centre for Cyber Security, as well as an undated alert by Saudi Arabia's National Cyber Security Center, as indicating that the targeting was active. Security researcher Kevin Beaumont commented in that post that the exploit isn't public yet, but that "some APT [advanced persistent threat] and crimeware groups are already using it, i.e. ones with skills."

The vulnerabilities were publicly described in a March 13 Trend Micro Zero Day Initiative (ZDI) blog post by researcher Markus Wulftange, who described leveraging the XMLSerializer in SharePoint. The proof-of-concept attack is highly technical, perhaps making such an attack seem less likely to occur.

Microsoft first published its CVE-2019-0604 security advisory in February. It first released security updates for the SharePoint vulnerability on March 12, but later sent patches out again on April 25, per the security bulletin's history. However, Wulftange described Microsoft sending the patch out twice in March because Microsoft had missed fixing one of the flaws.

In any case, authorities are now suggesting that the SharePoint Server flaw is being actively targeted, which apparently wasn't the case back in March.

In other SharePoint Server patch news, Microsoft warned IT pros earlier this month that there are minimum cumulative update patch levels to maintain for both SharePoint Server 2013 and SharePoint Server 2016. Organizations need to have the April 2018 and May 2018 Cumulative Updates installed, respectively, to keep their SharePoint farms supported.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

