CVEs are Common Vulnerabilities and Exposures—unique identifiers for publicly known cybersecurity vulnerabilities. CVE-2022-30190, widely known as "Follina," is a remote code execution vulnerability that weaponizes an unlikely suspect: the Microsoft Support Diagnostic Tool (MSDT). This clever bug allows attackers to run malicious code just by getting a user to open a booby-trapped document.
This page will dissect how Follina works, its impact, and the steps you need to take to detect and mitigate it. Let's make sure your Office documents aren't secretly opening a backdoor.
What is CVE-2022-30190 Vulnerability?
CVE-2022-30190 (Follina) is a remote code execution (RCE) vulnerability that abuses the ms-msdt:// URL protocol. This protocol was designed to launch the Microsoft Support Diagnostic Tool, but attackers found a way to call it from within Microsoft Office documents. By crafting a malicious Word, RTF, or other Office file, an attacker can trigger MSDT to download and execute a malicious script or payload, all without needing macros.
When was it discovered?
The vulnerability was first reported to Microsoft in April 2022 but was initially dismissed. It gained public attention on May 27, 2022, after a security researcher discovered a malicious Word document exploiting the flaw in the wild. Microsoft officially assigned it CVE-2022-30190 and released guidance shortly after, with patches following in June 2022.
Affected Products & Versions
Product | Versions Affected | Fixed Versions/Updates |
Microsoft Windows | All supported versions prior to the patch | June 2022 Cumulative Updates |
Microsoft Office | Multiple versions (including 2013, 2016, 2019, 2021, and 365 Apps) | Patches included in Windows updates |
CVE-2022-30190 technical description
Follina works by embedding a malicious ms-msdt:// URL within an Office document. This is often done through a remote template loaded from an external server. When the victim opens the document, the winword.exe process reaches out to fetch the template. This template contains code that calls the ms-msdt URL scheme, passing it parameters that force the diagnostic tool to execute arbitrary code, such as a PowerShell script. Because MSDT is a trusted Microsoft binary, this can bypass some security defenses. The exploit even works if the user just previews the document in Windows Explorer's preview pane.
Tactics, Techniques & Procedures (TTPs)
The primary delivery method for Follina is phishing. Attackers send emails with malicious Office documents attached, often using lures related to invoices, legal notices, or other urgent business matters. Once the user opens the file, the exploit chain begins automatically. Threat actors have used Follina to drop a wide range of malware, including info-stealers, remote access trojans (RATs), and ransomware loaders.
Indicators of Compromise
A key indicator is suspicious child processes spawning from a Microsoft Office application (like winword.exe or excel.exe). Specifically, look for Office products launching msdt.exe. On the network side, monitor for outbound connections from Office applications to unknown domains, which could be fetching the remote template. EDR solutions can be configured to alert on this specific parent-child process relationship.
Known Proof-of-Concepts & Exploits
Proof-of-concept code for Follina was released publicly almost immediately, making it incredibly easy for attackers to adopt. Within days of its public disclosure, multiple state-sponsored and cybercrime groups were observed using Follina in active campaigns. Its simplicity and effectiveness against unpatched systems made it a popular choice for initial access attacks throughout 2022.
How to detect CVE-2022-30190 Vulnerability?
The most effective way to check for vulnerability is to ensure your Windows systems have the June 2022 security updates (or later) installed. Vulnerability scanners have dedicated plugins to detect unpatched systems. On the endpoint, you can hunt for IOCs by querying EDR logs for instances of Office applications spawning msdt.exe. Before patches were available, the primary detection was monitoring for this anomalous behavior.
Impact & risk of CVE-2022-30190 Vulnerability
The impact is significant. A successful Follina exploit gives an attacker an initial foothold on an endpoint with the user's privileges. From there, they can perform reconnaissance, escalate privileges (using other tools like PwnKit), and move laterally through the network. Because it bypasses the need for macros, it can trick even savvy users, posing a high risk of leading to a full-scale data breach or ransomware event.
Mitigation & remediation strategies
Patching is the ultimate fix. Apply the June 2022 (or later) security updates from Microsoft, which corrects the vulnerability. Before the patch was released, the primary workaround was to disable the ms-msdt URL protocol entirely by deleting its registry key. Additionally, enabling Attack Surface Reduction (ASR) rules, specifically the rule that blocks all Office applications from creating child processes, provides a strong defense against Follina and similar exploit techniques.
CVE-2022-30190 Vulnerability FAQs
Protect What Matters
