⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-05-03.

CVE-2019-0604: Improper Input Validation in Microsoft SharePoint Enterprise Server

Severity
NVD: 9.8 CRITICAL
CNA: 8.8

EPSS
94.4% (top < 0.01%)

CISA KEV
KEV, Ransomware
Added: 2021-11-03
Due: 2022-05-03

Exploit
Exploited in wild
Active exploitation observed

Timeline
Published: Mar 5
KEV added: Nov 3
KEV due: May 3
Latest update: May 13

Description

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 6 packages

Patches

🔴 Vulnerability Details (3)

GHSA
GHSA-6mr5-xh3f-7vqm: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka | 2022-05-13
CVEList
CVE-2019-0604: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka | 2019-03-06
VulnCheck
Microsoft SharePoint Remote Code Execution Vulnerability | 2019

💥 Exploits & PoCs (2)

Exploit-DB
Microsoft SharePoint - Deserialization Remote Code Execution | 2020-01-21
Nuclei
Microsoft SharePoint - Remote Code Execution

🔍 Detection Rules (1)

Suricata
ET WEB_SPECIFIC_APPS Possible SharePoint RCE Attempt (CVE-2019-0604) | 2019-05-10

📋 Vendor Advisories (2)

CISA
Microsoft SharePoint Remote Code Execution Vulnerability | 2021-11-03
Microsoft
Microsoft SharePoint Remote Code Execution Vulnerability | 2019-02-12

🕵️ Threat Intelligence (11)

Trendmicro
Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability | 2021-04-27
Qualys
Unpacking the CVEs in the FireEye Breach – Start Here First | 2021-02-01

📄 Research Papers (1)

arXiv
Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting | 2021-02-10

💬 Community (2)

HackerOne
Remote Code Execution - Unauthenticated Remote Command Injection (via Microsoft SharePoint CVE-2019-0604) | 2020-05-11
HackerOne
Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604) | 2019-12-12