Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2019-0604 is a critical remote code execution vulnerability in Microsoft SharePoint. The flaw exists because SharePoint fails to properly check the source markup of an application package. Microsoft's description states that successful exploitation requires uploading a specially crafted SharePoint application package to an affected SharePoint server. Public reporting attributes the issue to an XML deserialization component within SharePoint, and notes that in-the-wild exploitation commonly resulted in the deployment of ASPX web shells such as China Chopper, AntSword variants, and other custom web shells. Successful exploitation allows arbitrary code execution in the security context of the SharePoint application pool and the SharePoint server farm account.
Exploits
This repository contains a Python exploit script (cve-2019-0604-exp.py) targeting Microsoft SharePoint servers vulnerable to CVE-2019-0604, a remote code execution flaw. The exploit works by sending crafted requests to the SharePoint Picker.aspx endpoint, leveraging the vulnerability to upload a web shell (ua.aspx) to the server. Once the shell is uploaded, the script attempts to access it to verify successful exploitation. The main file is a standalone Python script, and the only other file is a README with references to further documentation. The exploit requires the attacker to provide the base URL of the target SharePoint instance. The script is operational and provides a working web shell if the target is vulnerable.
This repository is a proof-of-concept exploit for CVE-2019-0604, a remote code execution vulnerability in Microsoft SharePoint. The main code is in 'ConsoleApplication1/ConsoleApplication1/Program.cs', a C# console application that demonstrates how a malicious XAML file (t.xml) can be used to trigger code execution via SharePoint's deserialization of XAML. The exploit leverages the 'ObjectDataProvider' in XAML to launch arbitrary commands (e.g., 'cmd.exe /c calc'). The repository includes the XAML payload (t.xml) and the C# code that loads and executes it, simulating the vulnerable SharePoint behavior. No network endpoints or hardcoded IPs are present, but the attack vector is network-based, targeting SharePoint servers that process attacker-supplied XAML. The exploit is a POC and does not include weaponized or automated exploitation scripts.
This repository is a weaponized exploit for CVE-2019-0604, a critical remote code execution vulnerability in Microsoft SharePoint. The main exploit logic is in 'exploit.py', which automates the exploitation process, supporting both direct command execution and file upload (such as webshells) to the target SharePoint server. The exploit can operate in both authenticated and unauthenticated modes, depending on the target's configuration. It supports out-of-band (OOB) exfiltration of command output via DNS or HTTP channels, integrating with services like Burp Collaborator or requestbin.net. The payloads are serialized XAML objects that trigger the vulnerability, and the repository includes helper scripts for request parsing, payload generation, and OOB data handling. The structure is modular, with separate files for SharePoint-specific payload crafting ('sharepointkit.py'), OOB handling ('oob/collab_handler.py', 'oob/decoder.py'), and a sample PowerShell webshell ('oob/payload.ps1'). The exploit is operational and can be used to gain remote code execution, upload arbitrary files, and retrieve output from the target system.
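A defender-side check, added here as an example and not code from Mallory or from any of the repositories above: it correlates IIS W3C log lines so that a POST to Picker.aspx followed shortly by a request for an .aspx path absent from the site's known inventory, from the same client, is surfaced as a possible web shell drop. The log excerpt, the `/_layouts/15/` path layout, the field order and the `KNOWN_ASPX` inventory are constructed assumptions.

```python
"""Flag a POST to Picker.aspx followed by a request for an unknown .aspx page
from the same client, using IIS W3C log lines."""
from datetime import datetime, timedelta

# Constructed sample IIS W3C log excerpt (not taken from a real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-03-01 10:00:01 GET /_layouts/15/start.aspx - 10.0.0.5 200
2019-03-01 10:00:10 POST /_layouts/15/Picker.aspx - 198.51.100.7 200
2019-03-01 10:00:14 GET /_layouts/15/ua.aspx cmd=whoami 198.51.100.7 200
2019-03-01 10:05:00 GET /_layouts/15/Picker.aspx - 10.0.0.5 200
2019-03-01 10:06:00 GET /_layouts/15/ua.aspx - 10.0.0.5 404
"""

# Assumed inventory of legitimate .aspx pages (lower-cased); in practice
# build this from the farm's deployed files, not from the log itself.
KNOWN_ASPX = {"/_layouts/15/start.aspx", "/_layouts/15/picker.aspx"}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_webshell_drops(text, known_aspx=KNOWN_ASPX, window_s=300):
    """Return (client ip, uri, status) for unknown .aspx requests that follow
    a Picker.aspx POST from the same client within window_s seconds."""
    last_picker_post = {}  # client ip -> time of its most recent Picker.aspx POST
    findings = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        stem, ip = rec["cs-uri-stem"].lower(), rec["c-ip"]
        if rec["cs-method"] == "POST" and stem.endswith("/picker.aspx"):
            last_picker_post[ip] = ts
            continue
        if stem.endswith(".aspx") and stem not in known_aspx and ip in last_picker_post:
            if ts - last_picker_post[ip] <= timedelta(seconds=window_s):
                findings.append((ip, rec["cs-uri-stem"], rec["sc-status"]))
    return findings
```

The 10.0.0.5 client only issues a GET to Picker.aspx and its later ua.aspx request returns 404, so it is not flagged; a complete inventory of deployed pages is what keeps this check from alerting on ordinary traffic.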
Recent activity
A Microsoft SharePoint vulnerability exploited by VOID MANTICORE/HomeLand Justice for initial access via public-facing SharePoint servers.
A Microsoft SharePoint vulnerability used by Scarred Manticore to establish initial access before handing operations off to Handala/Void Manticore.
A critical remote code execution (RCE) vulnerability in Microsoft SharePoint referenced as a target for detection via a Nuclei template.
A remote code execution vulnerability in Microsoft SharePoint Server that enables exploitation of vulnerable SharePoint servers for initial access and follow-on post-exploitation activity.