Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft SharePoint Vulnerability Exploited in the Wild

A critical vulnerability in Microsoft’s SharePoint collaboration platform has been exploited in the wild to deliver malware.

A critical vulnerability in Microsoft’s SharePoint collaboration platform has been exploited in the wild to deliver malware.

The security hole, tracked as CVE-2019-0604, got its first patch in February and another one in March after the first fix turned out to be incomplete. Microsoft described the issue as a remote code execution vulnerability caused by the software’s failure to check the source markup of an application package. It can be exploited without the need for authentication.

“An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft said in an advisory.

Markus Wulftange, the researcher who reported the flaw to Microsoft through Trend Micro’s Zero Day Initiative (ZDI), disclosed details and proof-of-concept (PoC) code on March 13, one day after Microsoft released the second round of patches.

Several PoC exploits were later made public and the first attacks exploiting CVE-2019-0604 were apparently spotted in early April.

The Canadian government’s Canadian Center for Cyber Security published an alert on April 23 to warn organizations that the SharePoint vulnerability had been exploited to deliver the China Chopper web shell to affected servers.

“Trusted researchers have identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors,” the agency said.

China Chopper, which has been around since 2012, is one of the five most commonly used hacking tools, according to a report published last year by Five Eyes cybersecurity agencies.

Saudi Arabia’s National Cyber Security Center issued an alert last week to warn organizations of attacks targeting the same vulnerability and delivering the same China Chopper web shell. The Saudi agency said it had spotted several “advanced groups” exploiting the flaw, mainly against organizations within the country.

The agency said the attackers used the web shell to deliver other tools, including what it described as a new and custom backdoor.

Researcher Kevin Beaumont has pointed out that the publicly available exploits don’t work out of the box. “If that changes I think this will be one of the biggest vulns in years. It would own a lot of enterprises. Like, a LOT,” the expert warned.

The vulnerability appears to have been exploited by both advanced persistent threat (APT) actors and financially-motivated cybercrime groups — some links have been found to a notorious group tracked as FIN7, which was recently spotted using new malware.

AT&T Alien Labs reported on Friday that it had found what appeared to be an earlier version of the backdoor spotted by the Saudi agency. The malware, shared by someone in China, allows attackers to execute commands on compromised systems and download or upload files.

Related: Most SharePoint Installations Vulnerable to XSS Attacks

Related: WinRAR Vulnerability Exploited to Deliver New Malware

Related: Windows Zero-Day Exploited by FruityArmor, SandCat Threat Groups

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.