CVE-2022-30190 Overview
CVE-2022-30190, commonly referred to as "Follina," is a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability exists when MSDT is called using the URL protocol from a calling application such as Microsoft Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.
This vulnerability is particularly dangerous because it can be triggered through malicious Office documents without requiring macros to be enabled, bypassing a common security control that organizations rely upon.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and has been actively exploited in the wild. Attackers can achieve remote code execution by simply convincing a user to open a malicious document or preview it in Windows Explorer.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 20H2, 21H1, 21H2)
- Microsoft Windows 11 21H2
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1 and Windows RT 8.1
- Microsoft Windows Server 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, and 20H2
Discovery Timeline
- 2022-06-01 - CVE-2022-30190 published to NVD
- 2025-10-30 - Last updated in NVD database
Technical Details for CVE-2022-30190
Vulnerability Analysis
CVE-2022-30190 exploits the ms-msdt: URL protocol handler registered on Windows systems. When a user opens a specially crafted document (typically a Microsoft Office document), the document can invoke the MSDT URL protocol to execute arbitrary PowerShell commands. The attack works by embedding a malicious link within the document that, when processed, calls MSDT with attacker-controlled parameters.
What makes this vulnerability particularly dangerous is that it can bypass Microsoft Office's Protected View in certain scenarios. If the document is converted to an RTF format, simply previewing the document in Windows Explorer can trigger the exploit without requiring the user to actually open it.
Root Cause
The root cause of this vulnerability lies in the improper handling of URL protocols by MSDT. The ms-msdt: protocol handler accepts parameters that can be crafted to execute arbitrary commands through the IT_BrowseForFile parameter. This parameter was designed to browse for files but can be manipulated to execute PowerShell commands or other system commands when specially formatted input is provided.
The vulnerability essentially allows command injection through the diagnostic tool's URL handling mechanism, where user-supplied input is not properly sanitized before being processed.
Attack Vector
The attack requires local user interaction—specifically, a user must open a malicious document or preview an RTF file containing the exploit. The typical attack flow involves:
- Attacker creates a malicious Office document containing an external OLE object reference
- The OLE object points to an attacker-controlled server hosting an HTML file
- The HTML file contains the ms-msdt: protocol payload with encoded PowerShell commands
- When the victim opens the document, Word fetches the external HTML and processes the MSDT URL
- MSDT executes the attacker's commands with the privileges of the current user
The exploit leverages the legitimate MSDT functionality in an unintended way. When triggered, the malicious payload typically uses Base64-encoded PowerShell commands to download and execute additional malware or perform reconnaissance on the target system.
For technical details on the exploitation mechanism, see the Microsoft Security Advisory and the Packet Storm Exploit Analysis.
Detection Methods for CVE-2022-30190
Indicators of Compromise
- Presence of msdt.exe processes spawned by Office applications (WINWORD.EXE, EXCEL.EXE, etc.)
- Network connections to external servers immediately following document opens
- PowerShell execution originating from msdt.exe process chains
- Suspicious command-line arguments containing IT_BrowseForFile or encoded PowerShell commands
- Office documents containing external OLE references to remote HTML files
Detection Strategies
- Monitor for process creation events where msdt.exe is spawned as a child of Office applications
- Implement YARA rules to detect documents containing ms-msdt: protocol references
- Configure EDR solutions to alert on sdiagnhost.exe executing PowerShell or cmd.exe
- Review network traffic for Office applications making connections to uncommon external domains
- Deploy SentinelOne behavioral AI to detect anomalous process chains indicative of Follina exploitation
Monitoring Recommendations
- Enable command-line logging (Windows Event ID 4688) and PowerShell script block logging
- Configure alerts for msdt.exe execution with suspicious command-line parameters
- Monitor for creation of scheduled tasks or services following document opens
- Implement network segmentation to limit the impact of successful exploitation
- Use SentinelOne's Deep Visibility to trace process lineage and identify exploitation attempts
How to Mitigate CVE-2022-30190
Immediate Actions Required
- Apply the official Microsoft security patches immediately for all affected Windows systems
- Disable the MSDT URL protocol as a temporary workaround if patches cannot be immediately applied
- Block outbound connections from Office applications at the network perimeter
- Deploy endpoint protection solutions capable of detecting Follina exploitation attempts
- Educate users about the risks of opening documents from untrusted sources
Patch Information
Microsoft has released security updates to address CVE-2022-30190 for all affected Windows versions. Organizations should apply patches through Windows Update, Windows Server Update Services (WSUS), or manually download from the Microsoft Update Catalog. Given this vulnerability's inclusion in CISA's Known Exploited Vulnerabilities catalog, federal agencies were required to address this vulnerability within mandated timeframes, and all organizations should prioritize remediation.
Workarounds
- Delete the ms-msdt registry key to disable the URL protocol handler
- Use Attack Surface Reduction (ASR) rules to block Office applications from creating child processes
- Implement application whitelisting to prevent unauthorized process execution
- Consider deploying Office documents through a sandbox environment for initial inspection
- Enable Protected View and configure Office to block external content by default
# Disable the MSDT URL Protocol (run as Administrator)
# First, backup the registry key
reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt-backup.reg
# Delete the MSDT URL protocol handler
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
# To restore the protocol after patching:
# reg import ms-msdt-backup.reg
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
