CVE-2022-35743 Overview
CVE-2022-35743 is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). This vulnerability allows an attacker to execute arbitrary code on affected Windows systems by exploiting weaknesses in how MSDT processes certain inputs. The vulnerability has been classified as CWE-94 (Improper Control of Generation of Code, or 'Code Injection'), indicating that the flaw enables attackers to inject and execute malicious code within the context of the vulnerable application.
MSDT is a built-in Windows utility designed to collect diagnostic information and assist with troubleshooting. Due to its trusted position within the operating system and its ability to execute with elevated privileges, vulnerabilities in this component pose significant security risks to enterprise and consumer environments alike.
Critical Impact
Successful exploitation allows attackers to execute arbitrary code with the privileges of the current user, potentially leading to complete system compromise across a wide range of Windows versions including Windows 7 through Windows 11 and Windows Server 2008 through 2022.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 20H2, 21H1, 21H2)
- Microsoft Windows 11 21H2
- Microsoft Windows 7 SP1, Windows 8.1, Windows RT 8.1
- Microsoft Windows Server 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 20H2
Discovery Timeline
- May 31, 2023 - CVE-2022-35743 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-35743
Vulnerability Analysis
This vulnerability exists within the Microsoft Windows Support Diagnostic Tool (MSDT), a system component responsible for diagnostic data collection and troubleshooting assistance. The flaw is categorized as a code injection vulnerability (CWE-94), which means the application fails to properly neutralize or validate input that is used to dynamically construct code.
The exploitation requires local access to the target system and user interaction, making it a targeted attack vector. When successfully exploited, an attacker can achieve high impact on confidentiality, integrity, and availability of the affected system. The vulnerability does not require prior authentication or special privileges to exploit, though user interaction is necessary to trigger the malicious payload.
This vulnerability is part of a broader class of MSDT security issues that have been discovered, similar to the well-known "Follina" vulnerability (CVE-2022-30190), though each has distinct exploitation characteristics.
Root Cause
The root cause of CVE-2022-35743 lies in improper input validation within the MSDT component. The diagnostic tool fails to adequately sanitize or validate certain input parameters before processing them, allowing specially crafted input to be interpreted as executable code. This code injection flaw (CWE-94) enables attackers to bypass normal security controls and execute arbitrary commands within the security context of the MSDT process.
Attack Vector
The attack requires local access and user interaction to succeed. A typical attack scenario involves:
- An attacker crafts a malicious file or payload that exploits the MSDT vulnerability
- The attacker delivers this payload to the victim through social engineering, such as a malicious document or link
- When the victim opens or interacts with the malicious content, MSDT processes the crafted input
- The vulnerability allows the attacker's code to execute with the privileges of the current user
Since the vulnerability requires user interaction, attackers commonly leverage phishing emails, malicious documents, or compromised websites to deliver the exploit payload. The local attack vector combined with no privilege requirements makes this vulnerability particularly attractive for initial access operations.
Detection Methods for CVE-2022-35743
Indicators of Compromise
- Unusual msdt.exe process execution with suspicious command-line arguments or parameters
- Unexpected child processes spawned by msdt.exe, particularly command interpreters like cmd.exe or powershell.exe
- Network connections initiated by MSDT or its child processes to unknown external IP addresses
- Suspicious Office documents or files that attempt to invoke MSDT protocol handlers
Detection Strategies
- Monitor Windows Event Logs for unexpected MSDT invocations, particularly Event ID 4688 (Process Creation) with msdt.exe as the process name
- Deploy endpoint detection rules to identify suspicious parent-child process relationships involving MSDT
- Implement network monitoring to detect anomalous outbound connections following MSDT execution
- Use file integrity monitoring to detect modifications to MSDT-related system files
Monitoring Recommendations
- Enable enhanced PowerShell and command-line logging to capture detailed execution arguments
- Configure security information and event management (SIEM) alerts for MSDT-related events
- Implement behavioral analysis to detect code injection patterns associated with diagnostic tool abuse
- Review and baseline normal MSDT usage patterns to identify anomalous activity
How to Mitigate CVE-2022-35743
Immediate Actions Required
- Apply the latest Microsoft security updates addressing CVE-2022-35743 immediately
- Review and audit systems for indicators of compromise related to MSDT exploitation
- Implement application control policies to restrict unauthorized MSDT usage where possible
- Educate users about the risks of opening untrusted documents or clicking suspicious links
Patch Information
Microsoft has released security updates to address this vulnerability. Organizations should consult the Microsoft Security Update Guide for CVE-2022-35743 for detailed patch information and download links specific to their Windows versions. Patches should be applied through Windows Update, Windows Server Update Services (WSUS), or Microsoft Endpoint Configuration Manager based on organizational deployment practices.
Workarounds
- Disable the MSDT URL protocol handler by removing the HKEY_CLASSES_ROOT\ms-msdt registry key (backup first: reg export HKEY_CLASSES_ROOT\ms-msdt filename)
- Implement application whitelisting to prevent unauthorized execution of MSDT
- Use attack surface reduction (ASR) rules in Microsoft Defender to block Office applications from creating child processes
- Restrict network access from MSDT processes through host-based firewall rules
# Registry-based workaround to disable MSDT URL protocol
# Backup the registry key first
reg export HKEY_CLASSES_ROOT\ms-msdt msdt-backup.reg
# Delete the MSDT URL protocol handler
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
# To restore (if needed after patching):
# reg import msdt-backup.reg
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
