Microsoft SharePoint CVE-2019-0604 flaw exploited in the wild

Pierluigi Paganini May 11, 2019

According to researchers at AT&T Alien Labs, threat actors are attempting to exploit the CVE-2019-0604 Microsoft Sharepoint vulnerability in attacks in the wild.

AlienLabs has seen a number of reports related to the active exploitation of the CVE-2019-0604 vulnerability in Microsoft Sharepoint.

The CVE-2019-0604 vulnerability is a remote code execution flaw that is caused by the failure of SharePoint in verifying the source markup of an application package. An attacker could exploit the flaw by uploading a specially crafted SharePoint application package to affected versions of the software.

“A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package.” reads the security advisory published by Microsoft. “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.”

“Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected versions of SharePoint.”

AT&T Alien Labs researchers reported attempts of exploitation against organizations in Saudi Arabia and Canada.

A report by the Saudi Cyber Security Centre suggests threat actors are primarily targeting organizations within the kingdom. The Canadian Cyber Security Centre reported similar attacks aimed at delivering the China Chopper web-shell to ensure persistence in the target networks.

“AlienLabs has identified malware ( that is likely an earlier version of the second-stage malware deployed in the Saudi Intrusions.” reads the analysis published AlienVault. “This malware sample was shared by a target in China.”

The malware supports several commands, including downloading and uploading files, that receives at http://$SERVER/Temporary_Listen_Addresses/SMSSERVICE.


According to the experts, one user on Twitter reported that source of attacks was the IP address 194.36.189[.]177. which was previously associated with FIN7 cybercrime group.

The good news for Microsoft users is that the tech giant already issued a patch for the CVE-2019-0604 vulnerability in the Patch Tuesday updates for February 2019.

According to the experts, multiple threat actors are attempting to exploit CVE-2019-0604 vulnerability.

AT&T Alien Labs researchers published Yara rules for the detections of the exploit code used by the attackers here:

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CVE-2019-0604, Microsoft Sharepoint

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment