Contact Contact Us


Various threat groups are actively exploiting a recently patched critical remote code execution vulnerability (CVE-2019-0604) in Microsoft SharePoint Server to implant the China Chopper web shell. The Sharepoint vulnerability resides in its failure to check the source markup of an application package. An attacker can therefore upload a specially crafted Sharepoint application package containing the China Chopper webshell and use it to access the compromised servers remotely. The webshell allows the threat actor to issue commands and run PowerShell scripts for lateral movement and reconnaissance in the compromised network as well as manage files on the victim server. Active exploitations were spotted targeting various sectors such as education, utility, heavy industry and manufacturing in Canada and Saudi Arabia. Organisation running Sharepoint servers are strongly encouraged to install Microsoft’s patch for CVE-2019-0604 to defend against potential attacks. If patching is not possible, it is recommended that vulnerable servers are accessible only on internal network and protected by a firewall.

[1] Kingdom of Saudi Arabia National Cyber Security Centre: Current Attacks Exploiting CVE-2019-0604 (Alert)
[2] Canadian Centre for Cyber Security: China Chopper Malware affecting SharePoint Servers (Alert)
[3] CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability (Patch)
[4] Sharepoint Vulnerability Exploited in the Wild (Detection Rules)
[5] CVE-2019-0604: Details of a Microsoft Sharepoint RCE Vulnerability (Exploit Code)

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883