Microsoft SharePoint Server Flaw Actively Exploited in the Wild

A remote code execution vulnerability in Microsoft SharePoint (CVE-2019-0604) is being actively exploited in the wild by multiple threat actors who are leveraging the flaw to deliver malware.

SharePoint is a collaboration tool that integrates with Microsoft Office. Many organizations run SharePoint Server on their own IT infrastructure to have greater control over SharePoint. If the flaw is exploited, it could give an attacker continuous access to the system and, potentially, to internal networks.

The attacks have been identified by security researchers at AT&T Alien Labs, and alerts about the current wave of attacks have been issued by the Canadian Centre for Cyber Security and the Saudi Arabia National Cyber Security Center.

The flaw was identified by Markus Wulftange of Trend Micro’s Zero Day Initiative (ZDI), who reported it to Microsoft. Microsoft issued a patch for the flaw in February and a second patch in March, after it was discovered that the first patch was not effective at preventing the flaw from being exploited.

Wulftange released proof-of-concept code for exploiting the flaw on March 13, the day after Microsoft issued its second patch. Several other PoCs have since been released, although none work straight out of the box; all require tweaking. Should a tweaked PoC be released, less skilled hackers could start exploiting the vulnerability and attacks would likely soar.

The flaw is due to insufficient checks on the source markup of an application package. The flaw can be remotely exploited without the need for authentication if an attacker uploads a specially crafted SharePoint application package to a vulnerable version of the software. If exploited, an attacker could run arbitrary code in the context of the SharePoint application pool and server farm account.

The first attacks exploiting the vulnerability were identified in April and were used to deliver the China Chopper web shell to vulnerable servers. The attacks have been conducted mostly on organizations in the academic, heavy industry, technology, utility, and manufacturing sectors. According to Saudi Arabia’s NCSC, the flaw was being exploited by several advanced hacking groups, including APT groups and cybercriminal groups, against Saudi Arabian organizations.

The China Chopper web shell was being used to deliver other hacking tools, including a new backdoor that can be used to run commands on compromised systems, steal information, and download files.

AT&T researchers recently reported having identified a malware variant that is likely an earlier version of the second-stage malware used in attacks in Saudi Arabia.

All businesses that use a SharePoint server should ensure that the Microsoft patch is applied as soon as possible to prevent the vulnerability from being exploited.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of