CVE-2019-0604
CVE-2019-0604 is a critical-severity vulnerability in Microsoft Sharepoint Enterprise Server with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-20.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2019-1370
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-20
- Affected product: Microsoft Sharepoint Enterprise Server
- Published:
- Last modified:
Description
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.
CVE-2019-0604: Microsoft SharePoint Remote Code Execution via Malicious Application Package
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2019-0604 |
| Vendor | Microsoft |
| Product | SharePoint |
| CWE | CWE-20: Improper Input Validation |
| CVSS v3.1 | 9.8 CRITICAL |
| CVSS v2 | 7.5 HIGH |
| EPSS | 0.99913 |
| KEV | Yes (added 2021-11-03) |
Summary
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker can upload a crafted package to the server and achieve arbitrary code execution without authentication.
Background
Microsoft SharePoint is a web-based collaborative platform used for enterprise document management, intranets, and business intelligence. It supports application packages (.wsp and .app files) that administrators deploy to add features, web parts, and customizations. The package deployment workflow involves parsing and processing the markup and binaries contained within the uploaded file. CVE-2019-0604 is a critical flaw in this workflow that has been actively exploited in the wild.
Root Cause
CWE-20: Improper Input Validation.
SharePoint's application package deployment mechanism does not adequately validate the source markup of uploaded packages. The software fails to verify that the package contents and metadata are safe and trustworthy before processing them. Consequently, a malicious actor can embed harmful server-side code within a crafted package, and SharePoint will process and execute that code with the privileges of the server process.
Impact
With a CVSS v3.1 score of 9.8 (CRITICAL), this vulnerability is network-exploitable with low attack complexity, requires no privileges, and needs no user interaction. The impact is HIGH across all three pillars:
- Confidentiality: Attackers can read sensitive data from the SharePoint farm, backend databases, and potentially connected systems.
- Integrity: Attackers can modify site contents, configurations, and escalate privileges within the environment.
- Availability: Attackers can disrupt service or render the farm inoperable.
The CVSS v2 score of 7.5 also reflects network accessibility, low complexity, and no required authentication, with partial impacts on confidentiality, integrity, and availability.
Exploitation Walkthrough (Defensive)
The typical attack sequence is:
- Reconnaissance: Identify externally exposed SharePoint farm management or deployment endpoints.
- Package Crafting: Create a malicious SharePoint application package (.wsp or .app) containing harmful server-side code.
- Upload: Deploy the crafted package to the SharePoint farm, often through legitimate administrative or delegated deployment channels.
- Execution: Trigger the package installation or feature activation, causing SharePoint to process the malicious markup and execute the embedded payload.
- Post-Exploitation: Leverage the compromised server for lateral movement, data exfiltration, or persistence within the network.
Ethics caveat: This description is provided for defensive awareness only. The exact technical details required to weaponize this vulnerability are deliberately omitted. Organizations should use this information to prioritize patching and detection, not to attempt unauthorized exploitation.
Affected and Patched Versions
From the available CPE data, the following products are affected:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2013 SP1
- Microsoft SharePoint Server 2010 SP2
- Microsoft SharePoint Server 2019
Specific patched versions are not provided in the source data. Organizations should consult the Microsoft Security Response Center (MSRC) advisory for CVE-2019-0604 to obtain the definitive list of security updates and superseded patches.
Remediation
- Patching: Apply the latest SharePoint cumulative and security updates published by Microsoft for the affected versions. Refer to the MSRC advisory for CVE-2019-0604.
- Compensating Controls:
- Restrict access to SharePoint Central Administration and deployment endpoints to trusted administrative hosts only.
- Implement application whitelisting on SharePoint servers to prevent unauthorized code execution.
- Enable and review SharePoint Unified Logging Service (ULS) logs for abnormal package deployment events.
- Use Web Application Firewall (WAF) rules to detect and block anomalous .wsp/.app upload traffic.
Detection
- Monitor ULS logs and Windows Event Logs for unexpected application package deployments or feature activations.
- Look for suspicious process creation (e.g.,
w3wp.exespawning unexpected child processes) on SharePoint servers. - Correlate network traffic to SharePoint administrative endpoints with known threat actor indicators.
- Review the SharePoint solution gallery and farm solution stores for unrecognized or unsigned packages.
Assessment
CVE-2019-0604 carries an EPSS score of 0.99913, placing it in the highest probability of exploitation, and it has been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog since 2021-11-03. This is not a theoretical vulnerability—it has been actively exploited in the wild.
Key lessons:
- Input validation is a first-class requirement: Any system that processes user-supplied or administrator-supplied packages must rigorously validate markup, binaries, and metadata before execution.
- Administrative endpoints are high-value targets: SharePoint deployment channels, even those intended for legitimate administrative use, must be hardened, monitored, and network-segmented.
References
Frequently asked questions
- What is CVE-2019-0604?
- A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.
- How severe is CVE-2019-0604?
- CVE-2019-0604 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-0604 being actively exploited?
- Yes. CVE-2019-0604 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-0604?
- CVE-2019-0604 primarily affects Microsoft Sharepoint Enterprise Server. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2019-0604?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-0604 have an EU (EUVD) identifier?
- Yes. CVE-2019-0604 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-1370. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2019-0604 published?
- CVE-2019-0604 was published on 2019-03-05 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/106914
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-0604
Affected products (4)
- cpe:2.3:a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Sharepoint Enterprise Server
- CVE-2020-1595 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from…
- CVE-2020-1210 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source…
- CVE-2023-21716 — Critical (CVSS 9.8): Microsoft Word Remote Code Execution Vulnerability
- CVE-2020-1025 — Critical (CVSS 9.8): An elevation of privilege vulnerability exists when Microsoft SharePoint Server and Skype for Business Server…
- CVE-2025-47172 — High (CVSS 8.8): Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint…
- CVE-2025-47166 — High (CVSS 8.8): Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a…
All CVEs affecting Microsoft Sharepoint Enterprise Server →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →