CVE-2022-30190
6/14/2022
CVSS 9.3 • CRITICAL

CVE-2022-30190: High-Severity MSDT Remote Code Execution (Follina) Technical Advisory

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application.

FREQUENTLY ASKED

What is CVE-2022-30190 and why does it matter?

CVE-2022-30190 is a high-severity remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). It matters because it allows attackers to run arbitrary code with the privileges of a calling application, such as Microsoft Word, by utilizing the MSDT URL protocol. This can lead to unauthorized program installation, data modification, or account creation.

Which versions of the product are affected?

Affected versions include various builds of Windows 10 (10.0.17763.0, 10.0.19043.0, 10.0.20348.0), Windows Server, and legacy versions such as 6.1.0 (Windows 7), 6.2.9200.0 (Windows 8), and 6.3.9600.0 (Windows 8.1). Both client and server versions are impacted by this protocol handler flaw.

Has a patch been released for this vulnerability?

Yes, Microsoft has released official updates to address this vulnerability. Users and administrators are urged to apply the updates provided in the Microsoft Security Response Center (MSRC) update guide to mitigate the risk of remote code execution through the MSDT URL protocol.

What is the remediation deadline, and what does it mean for compliance?

The remediation deadline for CVE-2022-30190 was 2022-07-05. For organizations following CISA directives or standard cybersecurity compliance frameworks, missing this deadline indicates a significant security gap, as the vulnerability is known to be used by ransomware groups and has an extremely high EPSS score.

How to check if an instance/deployment is affected?

To check if a deployment is affected, administrators should verify the version of Windows and cross-reference it with the list of affected builds (e.g., 10.0.17763.0, 10.0.19043.0). Additionally, check for the existence of the MSDT URL protocol handler and ensure that the June 2022 security updates or later have been successfully installed.

THREAT SURVEY

Vulnerability target: Windows
Vendor source: Microsoft
Classifiers: CWE-610
Remediation pulse: critical patching mandated by July 5, 2022.
Exploitation status: ACTIVE_WILDFIRE


Vulnerability Overview

CVE-2022-30190, widely recognized in the security community as "Follina," represents a critical Remote Code Execution (RCE) vulnerability within the Microsoft Windows Support Diagnostic Tool (MSDT). This flaw arises when MSDT is invoked via the URL protocol from a calling application, most notably Microsoft Word. With a CVSS score of 7.8 and confirmed active exploitation by ransomware actors, this vulnerability demands immediate attention from IT security teams. Organizations must apply necessary updates by the remediation deadline of 2022-07-05 to maintain compliance and protect their infrastructure.

Vulnerability Profile

Field                         Value
CVE ID                        CVE-2022-30190
Affected Product & Versions   Windows 10 (17763.0, 19043.0, 20348.0), Windows 7 (6.1.0), Windows 8.1 (6.3.0), Windows Server
CVSS Score & Severity         7.8 (HIGH)
CVSS Version                  3.1
CVSS Vector                   CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Attack Vector                 Local (requires user interaction with a remote file)
Attack Complexity             Low
Privileges Required           None
User Interaction              Required
CWE IDs                       CWE-610
Date Disclosed                2022-06-14
Remediation Deadline          2022-07-05
SSVC Exploitation Status      Active
Known Ransomware Use          Known
EPSS Score & Percentile       0.93596 (99.8%)
Patch Available               Yes

Technical Deep Dive: The MSDT URL Protocol Chain

Understanding CWE-610 and Remote Code Execution

CVE-2022-30190 is categorized under CWE-610 (Exposure of Externally-Referenceable Control Sphere). This classification describes a design failure in which external input, here a URL protocol handler invocation, is allowed to influence internal control structures. MSDT exists to help troubleshoot Windows issues, but the vulnerability lies in how the ms-msdt: URI scheme processes its arguments. When an external application passes a specially crafted URL to the MSDT handler, the handler bypasses the security boundaries that would normally apply, leading to Remote Code Execution (RCE).

Unlike traditional Office-based attacks that rely on VBA macros, this attack vector leverages the HTML template feature of Office documents to fetch a remote file which then invokes the MSDT tool. This makes the attack surface significantly broader, as the protection provided by "Disable Macros" settings is ineffective against this specific chain.

The Attack Chain: From Document to Code Execution

The CVE-2022-30190 attack chain is technically elaborate yet simple for attackers to deploy. It typically begins with a malicious Microsoft Office document (.docx or .rtf). The document contains a relationship (.rels) file that points to an external HTML resource hosted on an attacker-controlled server.

When the user opens the document, the calling application (e.g., Word) automatically fetches the remote HTML file. This HTML file contains a script block that invokes the ms-msdt: protocol handler. By appending specific parameters to the protocol command, the attacker can force MSDT to execute PowerShell commands or other arbitrary code. Because the execution happens via the diagnostic tool, it inherits the security context and privileges of the calling application, allowing for the installation of programs, data manipulation, or the creation of new administrative accounts.

EPSS and Exploitation Analysis

With an EPSS score of 0.93596, this vulnerability ranks in the top 0.2% of all known vulnerabilities regarding the likelihood of exploitation. The SSVC status of "Active" exploitation confirms that threat actors, including ransomware groups, are actively utilizing this flaw. The blast radius is total within the context of the user's rights, meaning a compromise of a standard user account can quickly lead to lateral movement and full domain escalation if combined with other local privilege escalation flaws.

Who Is Affected: Impacts and Compliance Requirements

The impact of CVE-2022-30190 spans nearly all modern Windows environments. Affected versions range from legacy Windows 7 and 8.1 systems to various releases of Windows 10 and Windows Server. Organizations utilizing Microsoft Office are at the highest risk, as the application serves as the primary vector for delivering the malicious payload.

From a compliance standpoint, CISA (Cybersecurity and Infrastructure Security Agency) included this CVE in BOD 22-01, mandating a remediation deadline of 2022-07-05. Federal agencies and organizations adhering to CISA guidelines must ensure that all systems are updated or that the MSDT protocol handler is disabled to remain in compliance. Failure to address this vulnerability exposes the organization to documented ransomware threats, which have been observed using Follina to establish initial access.

Official Remediation Steps

To secure your environment against CVE-2022-30190, follow these prioritized remediation steps:

  1. Apply Official Microsoft Updates: The primary defense is the installation of security updates released by Microsoft. Navigate to the MSRC Update Guide to find the specific KB article for your Windows version.
  2. Disable MSDT URL Protocol Handler: If the patch cannot be applied immediately, the protocol handler can be disabled via the registry to mitigate the attack vector. Execute the following command in an administrative Command Prompt to back up and remove the key:
    • reg export HKEY_CLASSES_ROOT\ms-msdt filename
    • reg delete HKEY_CLASSES_ROOT\ms-msdt /f
  3. Monitor for Suspicious Child Processes: Configure endpoint detection and response (EDR) tools to monitor for msdt.exe being spawned as a child process of winword.exe, excel.exe, or outlook.exe.
  4. Verify GPO Settings: Ensure that the "Microsoft Support Diagnostic Tool: Allow providers to upload specialized diagnostics to Microsoft Support" policy is configured correctly if your environment requires MSDT for legitimate support scenarios.
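Step 3 can be expressed as a concrete detection rule. The following is an added example, not code from the advisory or from any EDR vendor: it classifies process-creation records (Sysmon Event ID 1 style, with Image, ParentImage and CommandLine fields) and alerts when msdt.exe is spawned by an Office parent or when the ms-msdt: scheme appears on a command line. The sample records are constructed, and the last command line is abbreviated to a placeholder argument.

```python
import re

# Office parents named in remediation step 3 (powerpnt.exe added on the same
# reasoning). Basenames are compared case-insensitively.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

def basename(path):
    """Lower-case file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """event: process-creation record (Sysmon Event ID 1 style) with keys
    Image, ParentImage, CommandLine. Returns the reasons to alert; an empty
    list means the record is not interesting for this rule."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        reasons.append(f"msdt.exe spawned by Office process {parent}")
    if re.search(r"(?i)\bms-msdt:", cmd):
        reasons.append("ms-msdt: protocol handler invoked via command line")
    return reasons

def scan(events):
    """Run classify() over a batch; returns (record index, reasons) per alert."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]

# Constructed sample records: a normal diagnostic launch from Explorer, a
# normal Word start, and msdt.exe launched by Word with the ms-msdt: scheme
# (argument replaced by PLACEHOLDER; only the scheme matters to the rule).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'},
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PLACEHOLDER'},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT record {idx}: " + "; ".join(reasons))
```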

Security Best Practices for Protocol Handlers

Addressing the root cause of CVE-2022-30190 involves better management of URI handlers and calling applications:

  • Attack Surface Reduction (ASR): Implement ASR rules in Microsoft Defender to block all Office applications from creating child processes.
  • Restrict Protocol Handlers: Audit and restrict the use of non-standard URL protocol handlers (ms-msdt:, search-ms:, etc.) that are not essential for business operations.
  • Least Privilege Architecture: Ensure that users do not operate with local administrative rights, limiting the "blast radius" if an RCE vulnerability like Follina is triggered.
  • Enhanced Email Filtering: Use advanced threat protection for email to scan for documents with external web references or uncommon relationship links.
  • Patch Management Lifecycle: Maintain a strict 30-day patch cycle for high-severity vulnerabilities to align with SSVC and CISA recommendations.
  • Network Segmentation: Limit the ability of workstations to reach unknown external IP addresses, which can prevent the initial fetch of the malicious HTML template required for this attack.
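The relationship-file structure described in the attack chain section, and the "external web references or uncommon relationship links" that the email-filtering bullet says to scan for, can be checked directly. This added example (not code from the advisory or from Microsoft) unzips a .docx, reads every .rels part, and flags relationships that are marked External, point at an http(s) URL, and are not ordinary hyperlinks. The minimal sample documents and the example.invalid URL are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that legitimately point outside the package.
EXPECTED_EXTERNAL = {"hyperlink"}

def suspicious_external_relationships(docx_bytes):
    """Return (rels part, relationship type, target) for each relationship with
    TargetMode="External" and an http(s) target whose type is not a plain
    hyperlink, e.g. an OLE object or template pulled from a web server, which
    is the document structure the Follina chain relies on."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and re.match(r"(?i)https?://", target)
                        and rtype not in EXPECTED_EXTERNAL):
                    hits.append((name, rtype, target))
    return hits

def build_sample_docx(rels_xml):
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

def rels(rtype, target):
    """Constructed one-relationship .rels part."""
    return (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OFFICE_REL}{rtype}" Target="{target}" TargetMode="External"/>'
            "</Relationships>")

# Constructed: a normal hyperlink must not alert; an OLE object over HTTP must.
BENIGN_RELS = rels("hyperlink", "https://example.com/")
SUSPICIOUS_RELS = rels("oleObject", "http://example.invalid/t.html")
```

Run `suspicious_external_relationships(build_sample_docx(SUSPICIOUS_RELS))` to see the flagged tuple; the benign document returns an empty list.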