CVE-2019-0604

CVE-2019-0604 is a critical-severity vulnerability in Microsoft Sharepoint Enterprise Server with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-20.

Key facts

Description

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.

CVE-2019-0604: Microsoft SharePoint Remote Code Execution via Malicious Application Package

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2019-0604
Vendor Microsoft
Product SharePoint
CWE CWE-20: Improper Input Validation
CVSS v3.1 9.8 CRITICAL
CVSS v2 7.5 HIGH
EPSS 0.99913
KEV Yes (added 2021-11-03)

Summary

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker can upload a crafted package to the server and achieve arbitrary code execution without authentication.

Background

Microsoft SharePoint is a web-based collaborative platform used for enterprise document management, intranets, and business intelligence. It supports application packages (.wsp and .app files) that administrators deploy to add features, web parts, and customizations. The package deployment workflow involves parsing and processing the markup and binaries contained within the uploaded file. CVE-2019-0604 is a critical flaw in this workflow that has been actively exploited in the wild.

Root Cause

CWE-20: Improper Input Validation.

SharePoint's application package deployment mechanism does not adequately validate the source markup of uploaded packages. The software fails to verify that the package contents and metadata are safe and trustworthy before processing them. Consequently, a malicious actor can embed harmful server-side code within a crafted package, and SharePoint will process and execute that code with the privileges of the server process.

Impact

With a CVSS v3.1 score of 9.8 (CRITICAL), this vulnerability is network-exploitable with low attack complexity, requires no privileges, and needs no user interaction. The impact is HIGH across all three pillars:

  • Confidentiality: Attackers can read sensitive data from the SharePoint farm, backend databases, and potentially connected systems.
  • Integrity: Attackers can modify site contents, configurations, and escalate privileges within the environment.
  • Availability: Attackers can disrupt service or render the farm inoperable.

The CVSS v2 score of 7.5 also reflects network accessibility, low complexity, and no required authentication, with partial impacts on confidentiality, integrity, and availability.

Exploitation Walkthrough (Defensive)

The typical attack sequence is:

  1. Reconnaissance: Identify externally exposed SharePoint farm management or deployment endpoints.
  2. Package Crafting: Create a malicious SharePoint application package (.wsp or .app) containing harmful server-side code.
  3. Upload: Deploy the crafted package to the SharePoint farm, often through legitimate administrative or delegated deployment channels.
  4. Execution: Trigger the package installation or feature activation, causing SharePoint to process the malicious markup and execute the embedded payload.
  5. Post-Exploitation: Leverage the compromised server for lateral movement, data exfiltration, or persistence within the network.

Ethics caveat: This description is provided for defensive awareness only. The exact technical details required to weaponize this vulnerability are deliberately omitted. Organizations should use this information to prioritize patching and detection, not to attempt unauthorized exploitation.

Affected and Patched Versions

From the available CPE data, the following products are affected:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 SP1
  • Microsoft SharePoint Server 2010 SP2
  • Microsoft SharePoint Server 2019

Specific patched versions are not provided in the source data. Organizations should consult the Microsoft Security Response Center (MSRC) advisory for CVE-2019-0604 to obtain the definitive list of security updates and superseded patches.

Remediation

  1. Patching: Apply the latest SharePoint cumulative and security updates published by Microsoft for the affected versions. Refer to the MSRC advisory for CVE-2019-0604.
  2. Compensating Controls:
    • Restrict access to SharePoint Central Administration and deployment endpoints to trusted administrative hosts only.
    • Implement application whitelisting on SharePoint servers to prevent unauthorized code execution.
    • Enable and review SharePoint Unified Logging Service (ULS) logs for abnormal package deployment events.
    • Use Web Application Firewall (WAF) rules to detect and block anomalous .wsp/.app upload traffic.

Detection

  • Monitor ULS logs and Windows Event Logs for unexpected application package deployments or feature activations.
  • Look for suspicious process creation (e.g., w3wp.exe spawning unexpected child processes) on SharePoint servers.
  • Correlate network traffic to SharePoint administrative endpoints with known threat actor indicators.
  • Review the SharePoint solution gallery and farm solution stores for unrecognized or unsigned packages.

Assessment

CVE-2019-0604 carries an EPSS score of 0.99913, placing it in the highest probability of exploitation, and it has been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog since 2021-11-03. This is not a theoretical vulnerability—it has been actively exploited in the wild.

Key lessons:

  1. Input validation is a first-class requirement: Any system that processes user-supplied or administrator-supplied packages must rigorously validate markup, binaries, and metadata before execution.
  2. Administrative endpoints are high-value targets: SharePoint deployment channels, even those intended for legitimate administrative use, must be hardened, monitored, and network-segmented.

References

Frequently asked questions

What is CVE-2019-0604?
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.
How severe is CVE-2019-0604?
CVE-2019-0604 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-0604 being actively exploited?
Yes. CVE-2019-0604 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-0604?
CVE-2019-0604 primarily affects Microsoft Sharepoint Enterprise Server. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2019-0604?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-0604 have an EU (EUVD) identifier?
Yes. CVE-2019-0604 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-1370. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2019-0604 published?
CVE-2019-0604 was published on 2019-03-05 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Microsoft Sharepoint Enterprise Server

All CVEs affecting Microsoft Sharepoint Enterprise Server →

Other CWE-20 (Improper Input Validation) vulnerabilities

Browse all CWE-20 (Improper Input Validation) vulnerabilities →