Technical Advisory: CVE-2022-30190 Zero-day Vulnerability “Follina” in Microsoft Support Diagnostic Tool

Quick Overview by Bitdefender

On Monday, May 30, 2022, Microsoft issued CVE-2022-30190, a zero-day remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT). The first detections in the wild indicate that this vulnerability is triggered remotely from Microsoft Office documents. 

This is a critical issue as cybercriminals often choose Office documents as a popular tactic to infect victims with their malicious content. This vulnerability (referred to as “Follina”) only requires users to open a single document and no further interactions are necessary before the system is compromised. The end-user doesn’t even need to open the document in certain situations (document with RTF extension and the preview pane enabled). 

A CVE has been assigned by Microsoft, but there is no patch available as of May 31st, 2022. This is a critical issue, as it is not mitigated by disabling macros and Protected View offers only limited protection. 

It is important to note that this vulnerability is related to the Microsoft Support Diagnostic Tool (MSDT), not necessarily to Microsoft Office. Office has been used to weaponize this vulnerability in the wild, but it is not needed to trigger this vulnerability. There are also other methods to trigger this vulnerability. There are effectively two vulnerabilities: 1) Microsoft Office template injection trusting the MS-MSDT protocol and 2) the MS-MSDT protocol allowing malicious code execution.

All MspPortal Partners receive notices ASAP on security news


Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

“Where Service and Technical Skills Count”