Microsoft SharePoint vulnerability CVE-2019-0604 is being actively exploited by attackers.
Microsoft released patches for this vulnerability in security updates earlier this year; however, any system that remains unpatched is vulnerable to this attack.
The following SharePoint servers are vulnerable if unpatched:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2010 Service Pack 2
- Microsoft SharePoint Foundation Service Pack 1
- Microsoft SharePoint Server 2010 Service Pack 2
- Microsoft SharePoint Server 2013 Service Pack 1
- Microsoft SharePoint Server 2019
What this means
Organisations tracking these incidents have noted that attackers compromise vulnerable SharePoint servers and install a version of the China Chopper web shell. This allows attackers to carry out remote code execution attacks.
What to look for
How to tell if you're affected
The Canadian Centre for Cyber Security has published some indicators of compromise regarding this attack.
What to do
CERT NZ recommends you patch any Microsoft SharePoint servers that are not up to date.
If you are unable to apply these security updates, we recommend you use other security controls to mitigate this risk – primarily ensuring your SharePoint Service is not accessible from the internet.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.