Attackers are actively scanning for enterprise servers running vulnerable Microsoft SharePoint versions that are easily exploitable with a single HTTP request to remotely run arbitrary code, security researchers warn.
A patch for the vulnerability was issued by Microsoft in February this year but administrators have been slow to deploy the fix.
Opensecurity.global reasearcher Kevin Beaumont added support for the SharePoint vulnerability in his worldwide network of honeypots, and observed multiple attacks very quickly.
A significant number of enterprise SharePoint servers remain exposed to the vulnerability that is actively exploited in the wild, Beaumont cautioned.
The seriousness of the flaw may have been underestimated as Beaumont says it requires no authentication on vulnerable systems, and should have a high Common Vulnerabilities Scoring System (CVSS) rating of 9.8.
Pretty good example here of CVE-2019-0604, it's a single HTTP request -> code execution on vulnerable systems. https://t.co/w9X6eGsGsF— Kevin Beaumont (@GossiTheDog) December 10, 2019
Microsoft warned in February that the critical bug exists in multiple variants of SharePoint Server, with no mitigations or workaround being available.
Security vendor AT&T's AlienLabs found several attempts at exploiting the bug, including planting malware and spyware by nation-state sponsored actors with attacks ongoing since May.
By uploading specially crafted SharePoint application package, attackers can take advantage of the unpatched servers not verifying source markup, to run arbitrary code.