CVE-2019-0604

CRITICAL · KEV · RANSOMWARE · NUCLEI

Microsoft SharePoint - Remote Code Execution via Application Package Source Markup

Title source: llm

Exploitation Summary

CVE-2019-0604 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021, with confirmed use in ransomware campaigns. EIP tracks 8 public exploits from researchers including Voulnet, linhlhq, k8gege. A Nuclei detection template is also available.

AI-analyzed exploit summary: the public exploits target a .NET deserialization flaw reached through SharePoint's Picker.aspx page, where the `EntityInstanceIdEncoder` decodes attacker-supplied input. A script wraps an operating-system command in a XAML `ObjectDataProvider` gadget, encodes it in the format Picker.aspx expects, and submits it to the target URL; deserialization then runs the command inside the IIS worker process.

Description

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.

Exploits (8)

exploitdb WORKING POC
by Voulnet · python · remote · windows
https://www.exploit-db.com/exploits/48053

This exploit targets the deserialization vulnerability in SharePoint's Picker.aspx page to obtain remote command execution. The script wraps the chosen command in a gadget, applies the encoding Picker.aspx expects, and sends the result to the target URL.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SharePoint (2010, 2013, 2016, 2019)
No auth needed
Prerequisites: Target SharePoint server with vulnerable Picker.aspx endpoint
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 133 stars
by linhlhq · poc
https://github.com/linhlhq/CVE-2019-0604

This PoC exploits CVE-2019-0604, a SharePoint deserialization vulnerability, by crafting a malicious payload using XAML and ObjectDataProvider to achieve remote code execution. The code demonstrates the encoding/decoding process for the exploit payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SharePoint (versions affected by CVE-2019-0604)
Auth required
Prerequisites: Access to a vulnerable SharePoint instance · Ability to upload or inject malicious payloads
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 101 stars
by k8gege · remote
https://github.com/k8gege/CVE-2019-0604

This is a functional exploit for CVE-2019-0604, a SharePoint RCE vulnerability. The script constructs a malicious payload to achieve remote code execution via a deserialization flaw in SharePoint's Picker.aspx endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SharePoint (versions affected by CVE-2019-0604)
No auth needed
Prerequisites: Target SharePoint server exposed to the internet or accessible · Picker.aspx endpoint reachable
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 30 stars
by boxhg · poc
https://github.com/boxhg/CVE-2019-0604

This repository provides a GUI tool to generate custom payloads for CVE-2019-0604, a SharePoint RCE vulnerability. It allows users to create serialized XML payloads for command execution via deserialization.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SharePoint
Auth required
Prerequisites: Access to SharePoint server · Valid authentication credentials · Network access to target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 7 stars
by Gh0st0ne · remote
https://github.com/Gh0st0ne/weaponized-0604

This repository contains a weaponized exploit for CVE-2019-0604, a SharePoint RCE vulnerability. It includes functionality for command execution, file upload, and out-of-band data exfiltration via DNS or HTTP.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SharePoint (versions affected by CVE-2019-0604)
Auth required
Prerequisites: Access to SharePoint instance with vulnerable _layouts/15/picker.aspx endpoint · Valid credentials if NTLM authentication is required
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER 3 stars
by m5050 · poc
https://github.com/m5050/CVE-2019-0604

This repository contains Sigma rules for detecting potential exploitation of CVE-2019-0604, a SharePoint RCE vulnerability, by monitoring for suspicious child processes spawned by IIS worker processes. The rules are designed for Sysmon logs and are marked as experimental.

Classification
Scanner 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Microsoft SharePoint
No auth needed
Prerequisites: Sysmon logging enabled · SharePoint server running vulnerable version
devstral-2 · analyzed Feb 16, 2026
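The m5050 entry above describes Sigma rules that watch for suspicious children of the IIS worker process. The following is an added example, not code from that repository: it applies the same logic (Sysmon Event ID 1, `ParentImage` is `w3wp.exe`, `Image` is a shell or scripting host) to constructed Sysmon records, and pulls the IIS application pool name from the parent command line for triage. The app pool name and every event below are made up for the example.

```python
"""Added example (not from the m5050 repository): the detection logic the Sigma
rules express, run over constructed Sysmon ProcessCreate records.

The deserialized payload executes inside the IIS worker process, so the durable
signal is w3wp.exe spawning a shell or scripting host. Field names follow Sysmon
Event ID 1; the sample events and the app pool name are constructed."""
import re
from typing import Iterable, List, Optional

# Children w3wp.exe should not be launching on a SharePoint server.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


def _basename(path: str) -> str:
    """Last path component, case-folded; tolerates forward slashes from some shippers."""
    return re.split(r"[\\/]", path)[-1].lower()


def app_pool(command_line: str) -> Optional[str]:
    """Extract the IIS application pool from a w3wp.exe command line (-ap "Name")."""
    m = re.search(r'-ap\s+"([^"]+)"', command_line)
    return m.group(1) if m else None


def is_suspicious(event: dict) -> bool:
    """Sysmon Event ID 1 where ParentImage is w3wp.exe and Image is a shell or LOLBin."""
    if event.get("EventID") != 1:
        return False
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN


def scan(events: Iterable[dict]) -> List[dict]:
    """One alert per matching event, carrying the app pool so triage knows which site."""
    alerts = []
    for e in events:
        if is_suspicious(e):
            alerts.append({
                "ProcessId": e.get("ProcessId"),
                "Child": _basename(e["Image"]),
                "CommandLine": e.get("CommandLine", ""),
                "AppPool": app_pool(e.get("ParentCommandLine", "")),
            })
    return alerts


# Constructed sample telemetry, not captured from a real host.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
W3WP_CMDLINE = r'c:\windows\system32\inetsrv\w3wp.exe -ap "SharePoint - 80" -v "v4.0" -l "webengine4.dll"'
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c whoami > C:\inetpub\wwwroot\out.txt",
     "ParentImage": W3WP, "ParentCommandLine": W3WP_CMDLINE},
    {"EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA",
     "ParentImage": W3WP, "ParentCommandLine": W3WP_CMDLINE},
    # ASP.NET compiling a page: w3wp legitimately spawns csc.exe, must not alert.
    {"EventID": 1, "ProcessId": 4200,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @tmp.cmdline",
     "ParentImage": W3WP, "ParentCommandLine": W3WP_CMDLINE},
    # cmd from an interactive session: parent is not w3wp, must not alert.
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
    # Network connection from w3wp: wrong event type for this rule.
    {"EventID": 3, "ProcessId": 1234, "Image": W3WP, "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The child list is the noisy part of any such rule: SharePoint's worker process does spawn compilers during ASP.NET dynamic compilation, so matching on "any child of w3wp.exe" would fire constantly, while matching only the shells and LOLBins above keeps the rule quiet without losing the post-exploitation step every listed exploit relies on.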
nomisec WORKING POC 1 star
by likekabin · poc
https://github.com/likekabin/CVE-2019-0604_sharepoint_CVE

This PoC exploits CVE-2019-0604, a .NET deserialization vulnerability in SharePoint, by crafting a malicious payload using XAML and ObjectDataProvider to achieve remote code execution. The code demonstrates the encoding/decoding process for the exploit payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SharePoint (versions affected by CVE-2019-0604)
Auth required
Prerequisites: Access to a vulnerable SharePoint instance · Ability to upload or inject malicious payloads
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by davidlebr1 · poc
https://github.com/davidlebr1/cve-2019-0604-SP2010-netv3.5

This repository contains a Proof of Concept (PoC) for CVE-2019-0604, a deserialization vulnerability in SharePoint 2010 SP2 running on .NET 3.5. The exploit generates a serialized payload to trigger remote code execution by leveraging the `EntityInstanceIdEncoder` class.

Classification
Working Poc 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SharePoint 2010 SP2 (.NET 3.5)
No auth needed
Prerequisites: Access to a vulnerable SharePoint 2010 SP2 instance · Ability to send crafted payloads to the target
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Microsoft SharePoint - Remote Code Execution
CRITICAL · VERIFIED · by tree-chtsec, pszyszkowski
Shodan: cpe:"cpe:2.3:a:microsoft:sharepoint_server"

References (3)

Core References (3)
http://www.securityfocus.com/bid/106914 (vdb-entry, x_refsource_bid; tagged Broken Link, Third Party Advisory, VDB Entry)

Scores

CVSS v3 9.8
EPSS 0.9442
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2019-05-10
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-1370
Ransomware Use Confirmed
CWE
CWE-20
Status published
Products (4)
microsoft/sharepoint_enterprise_server 2016
microsoft/sharepoint_foundation 2013 sp1
microsoft/sharepoint_server 2010 sp2
microsoft/sharepoint_server 2019
Published Mar 05, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026