Follina Explained: The MSDT Bug That Skipped the Macro Warning Entirely

CVE-2022-30190 let a Word document trigger arbitrary code execution through the Windows Support Diagnostic Tool — no macros, and in some configurations no explicit click required beyond opening the file.

0day News Desk · Published · 1 min read

CVE-2022-30190 — known widely by the nickname “Follina” — followed a familiar 2021-2022 pattern almost exactly: a document-based zero-day that bypassed the macro-security defenses organizations had spent years building, exploited in the wild before anyone outside the attacker’s circle knew it existed.

What the vulnerability does

The bug sits in the Windows Support Diagnostic Tool (MSDT), a legitimate Windows troubleshooting utility. A Word document referencing a remote HTML template could invoke the ms-msdt: URI protocol handler, using it to run arbitrary PowerShell commands — triggered simply by opening the document, and in certain Office configurations even by the document preview pane, without the user clicking anything further.
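An added defender-side example, not code from the article: a small Python triage script that unpacks a .docx and lists the OOXML relationships whose target is external. The document-side footprint of a Follina-style file is an `oleObject` (or remote-template `attachedTemplate`) relationship with `TargetMode="External"` pointing at an http(s) URL; ordinary hyperlinks are external by design and are ignored. The two sample documents are constructed in memory and contain no payload.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that should almost never fetch content over the network.
# Hyperlinks are deliberately not in this set (they are External by design).
RISKY_TYPES = {"oleObject", "attachedTemplate"}


def external_relationships(docx_bytes):
    """Return (rels part, relationship type, target) for every External relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((part, rtype, rel.get("Target", "")))
    return hits


def suspicious_relationships(docx_bytes):
    """Keep only risky relationship types whose target is fetched over http(s)."""
    return [h for h in external_relationships(docx_bytes)
            if h[1] in RISKY_TYPES and urlsplit(h[2]).scheme.lower() in ("http", "https")]


def build_sample_docx(extra_rel):
    """Constructed minimal .docx for testing; not a real-world sample."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="https://example.invalid/page" TargetMode="External"/>'
            + extra_rel + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # body is not inspected
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


BENIGN = build_sample_docx("")  # only a hyperlink: expected to produce no finding
REMOTE_OLE = build_sample_docx(  # remote oleObject: the Follina-style footprint
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="http://example.invalid/template.html" TargetMode="External"/>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("remote-ole", REMOTE_OLE)):
        print(label, suspicious_relationships(doc))
```

Run it against a real file with `suspicious_relationships(open(path, "rb").read())`; a non-empty result is a reason to quarantine and inspect, not proof of exploitation.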

How it was discovered

Independent researchers first drew widespread public attention to the technique on May 27, 2022, after spotting a malicious Word document in the wild that used it — a sample apparently already being used operationally before the security research community identified the pattern. Microsoft confirmed and formally disclosed the vulnerability on May 30, 2022, along with confirmation of active exploitation.

Why it mattered

Like CVE-2021-40444 the year before, Follina’s exploitation path didn’t require macros — meaning years of “disable macros from the internet” security awareness training didn’t protect against it. The technique was fast to weaponize and easy to replicate once public, and was adopted broadly by both espionage-motivated and financially motivated threat actors within days of the initial public report, well before Microsoft’s official patch shipped in its June 2022 Patch Tuesday release.

What administrators should do

Microsoft’s interim guidance — disabling the MSDT URL protocol handler via a documented registry change — was published before the full patch and gave defenders an emergency stopgap. CISA added the CVE to its KEV catalog. Full technical detail and remediation guidance are in Microsoft’s security advisory and the NVD entry.

This article describes the vulnerability’s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.
