Overview
Microsoft SharePoint contains a remote code execution vulnerability caused by failure to properly validate the source markup of application packages. An attacker can exploit this by sending a malicious application package to execute arbitrary code on affected SharePoint servers. This vulnerability has been actively exploited in the wild and is included in the CISA Known Exploited Vulnerabilities catalog. The vulnerability was disclosed on March 5, 2019. CISA has identified CVE-2019-0604 as being exploited, and it is known to be used in ransomware campaigns.
Technical details
Microsoft SharePoint fails to properly validate and sanitize the markup contained within application packages (*.app files) before execution. When a SharePoint administrator or authorized user installs an application package, the platform does not adequately check the source markup for malicious code. An attacker can craft a malicious application package containing arbitrary PowerShell code or other executable content that will be executed with the privileges of the SharePoint application pool identity when the package is deployed.
The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-426 (Untrusted Search Path) and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')).
The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating high severity.
Impact
Successful exploitation allows an attacker to execute arbitrary code with the privileges of the SharePoint application pool identity (typically NETWORK SERVICE or a custom service account with elevated permissions). This can lead to: complete compromise of the SharePoint server, unauthorized access to sensitive SharePoint content and databases, lateral movement within the network, installation of persistent backdoors, and potential compromise of entire organizations. The attacker can read, modify, or delete sensitive data, including documents, lists, and user information stored in SharePoint. Given that SharePoint often serves as a central repository for organizational data, this vulnerability poses a critical risk to enterprise environments.
Mitigation and workarounds
Install the February 2019 Cumulative Update (CU) or later for your version of SharePoint Server. The following versions include the necessary fixes:
SharePoint Server 2010: apply KB4462221 or a later cumulative update.
SharePoint Server 2013: apply KB4462220 or a later cumulative update.
SharePoint Server 2016: apply KB4462219 or a later cumulative update.
SharePoint Server 2019: apply KB4462218 or a later cumulative update.
SharePoint Online: patched server-side by Microsoft (no client action required).
After applying patches, run the SharePoint Products Configuration Wizard or use PowerShell to complete the patch installation.
As temporary workarounds:
Disable the SharePoint App Catalog or restrict permissions to install applications. In Central Administration, restrict 'Manage App Licenses' and application installation permissions to only trusted administrators.
Implement network segmentation and access controls to restrict who can access SharePoint administration interfaces. Limit network access to SharePoint servers from untrusted sources.
Monitor SharePoint audit logs and application installation events for suspicious activity. Look for unusual app deployments or installations from unexpected sources.
Enforce the principle of least privilege for SharePoint service accounts. Ensure the SharePoint application pool identity runs with minimal necessary permissions.
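The following PowerShell script is an added example, not part of the original advisory: run from the SharePoint Management Shell on a farm server, it compares the farm build against a minimum build the administrator takes from the relevant KB article, and lists every installed app instance per site collection so unexpected deployments can be reviewed. The $MinimumBuild value is a placeholder that must be replaced; the page gives no build numbers.

```powershell
# Added example (not from the advisory). Run in an elevated SharePoint
# Management Shell on a farm server; the snap-in load is a no-op there.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: replace with the build number published in the KB article
# for your version (KB4462221 / KB4462220 / KB4462219 / KB4462218 per the
# advisory). '0.0.0.0' is a dummy value and will report every farm as patched.
$MinimumBuild = [Version]'0.0.0.0'

function Test-FarmPatchLevel {
    # Read-only: reports whether the farm build meets the supplied minimum.
    param([Version]$Minimum)
    $build = (Get-SPFarm).BuildVersion
    [PSCustomObject]@{
        FarmBuild = $build.ToString()
        Minimum   = $Minimum.ToString()
        Patched   = ($build -ge $Minimum)
    }
}

function Get-InstalledAppReport {
    # Enumerates app instances in every site collection (the advisory's
    # monitoring workaround). Nothing is modified; site objects are disposed.
    Get-SPSite -Limit All | ForEach-Object {
        $site = $_
        try {
            Get-SPAppInstance -Site $site | ForEach-Object {
                [PSCustomObject]@{
                    SiteUrl       = $site.Url
                    AppTitle      = $_.Title
                    Status        = $_.Status
                    AppWebFullUrl = $_.AppWebFullUrl
                    InstanceId    = $_.Id
                }
            }
        } finally {
            $site.Dispose()
        }
    }
}

Test-FarmPatchLevel -Minimum $MinimumBuild | Format-List
Get-InstalledAppReport | Sort-Object SiteUrl, AppTitle | Format-Table -AutoSize
```

Compare the app report against the change record for the farm; any instance nobody can account for warrants investigation before the server is considered clean.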
CISA's recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated using AI