CVE-2022-30190 (Follina): Exploiting MSDT via Macro-less Word Docs for RCE
Rated a 7.8 high CVSS 3.x severity base score, CVE-2022-30190 (Follina) takes advantage of the MSDT (Microsoft Support Diagnostic Tool), an official tool built into all versions of Windows. Though officially issued on May 30, 2022, CVE-2022-30190 was detected in the wild as early as April 2022. Microsoft ignored a warning from the Crazyman_Army research team, which identified a zero-day RCE vulnerability in one of their products. The vulnerability submission report, titled VULN-065524, was closed and incorrectly classified as “fixed.”
Security researcher Nao_sec was credited with uncovering the vulnerability, which was discovered during a VirusTotal search for files leveraging CVE-2021-40444. CVE-2022-30190’s public disclosure occurred on May 27, 2022, followed by Microsoft’s publication of mitigation guidance on May 30, 2022.
How CVE-2022-30190 (Follina) Exploits MSDT
Anyone can access the Microsoft Support Diagnostic Tool (MSDT) from the Start Menu by typing “MSDT” in the search bar. The opening dialog requires a passkey, which is typically provided by a Microsoft support professional. The tool enables remote diagnostics via the ms-msdt:// protocol. Attackers exploit this protocol to execute PowerShell commands, opening the door for malicious actions such as:
- Running malware.
- Installing unauthorized programs.
- Altering or deleting data.
- Creating new accounts with the victim’s permissions.
Impacted Systems
CVE-2022-30190 has been confirmed in Office 2013, 2016, 2019, 2021, Office Pro Plus, and Office 365. As exploits leveraging it can be triggered simply by the target opening a Word document, any network user is a potential victim until the workarounds published by the Microsoft Security Response Center have been applied and, most importantly, fully validated.
Mitigation Steps Published by Microsoft
Microsoft’s guidance recommends disabling the MSDT URL protocol, effectively preventing attackers from taking advantage of it for malicious purposes.
Testing for CVE-2022-30190 Vulnerability
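The first thing to test is whether the Microsoft workaround is actually in place on a host. The following PowerShell script is an added example, not code from the original post or from Microsoft: it checks whether the ms-msdt: handler is still registered, applies the workaround with a registry backup, and validates the result. It assumes the handler lives under HKEY_CLASSES_ROOT\ms-msdt (the key Microsoft's guidance has administrators export and delete) and uses a backup file path chosen here for illustration.

```powershell
# Added example: check, apply and validate the Microsoft MSDT URL-protocol workaround.
# Assumption: the ms-msdt: handler is registered at HKEY_CLASSES_ROOT\ms-msdt.
# Run from an elevated (Administrator) PowerShell session.

$ProtocolKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath  = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'   # assumed backup location

function Test-MsdtProtocolEnabled {
    # $true means ms-msdt: URLs will still launch MSDT, i.e. the host is unmitigated.
    return (Test-Path -Path $ProtocolKey)
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Output 'ms-msdt protocol handler already absent; nothing to do.'
        return
    }
    # Export the key first so the handler can be restored once a vendor patch is installed.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; not deleting the key." }
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Deleting HKEY_CLASSES_ROOT\ms-msdt failed.' }
    Write-Output "ms-msdt protocol handler removed; backup saved to $BackupPath"
}

function Restore-MsdtProtocol {
    # Reverses the workaround by re-importing the saved key.
    if (-not (Test-Path -Path $BackupPath)) { throw "No backup found at $BackupPath" }
    reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Importing the ms-msdt backup failed.' }
}

# Apply the workaround, then validate it rather than assuming it worked.
Disable-MsdtProtocol
if (Test-MsdtProtocolEnabled) {
    Write-Error 'Validation FAILED: ms-msdt handler is still registered.'
} else {
    Write-Output 'Validation OK: ms-msdt: URLs can no longer launch MSDT on this host.'
}
```

Running only Test-MsdtProtocolEnabled across a fleet (for example through a remoting session or endpoint management tool) gives a quick inventory of hosts still exposed.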
A PoC for locally testing for the Follina Office RCE vulnerability can be found on GitHub, which produces these results:
Cymulate’s Response to Follina
By June 2, Cymulate users could access a dedicated purple team scenario to validate their defenses against CVE-2022-30190. An Immediate Threat Intelligence Kit for Follina was published on June 1, enabling users to test their environments. Additionally, Cymulate users can:
- Update their SIEM signature bank with multiple IoCs.
- Expand the breadth of purple team scenario validations to include Follina-specific exploits.
Validate Your Environment Today
Protect your organization by testing your exposure to CVE-2022-30190 with Cymulate’s comprehensive security validation tools. Start validating against this immediate threat now and ensure your defenses are resilient.