>_ 0dayNews
CVE Record
[ HIGH ] CVE-2022-30190

Follina — Microsoft Windows Support Diagnostic Tool Remote Code Execution

A remote-code-execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) allows an attacker to execute arbitrary code when a malicious Office document is opened — triggered via a remote template reference that invokes MSDT through the ms-msdt URI scheme, without requiring macros.

cat cve-2022-30190.json
Vendor: Microsoft
Product: Windows Support Diagnostic Tool (MSDT)
CVSS: 7.8
Status: kev
Published

CVE-2022-30190, nicknamed “Follina” by the researcher who first drew public attention to it, is a remote-code-execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). It was publicly disclosed on May 30, 2022, days after independent researchers spotted an in-the-wild malicious Word document exploiting it — Microsoft confirmed active exploitation at disclosure.

Why it mattered

The exploit technique was notable for what it didn’t need: no macros, no user interaction beyond opening (or in some configurations even just previewing) a document. A Word file referencing a remote HTML template could invoke the ms-msdt: URI handler to run arbitrary PowerShell, sidestepping the macro-blocking defenses many organizations had spent years rolling out in response to earlier document-based malware campaigns.

Microsoft’s interim guidance — disabling the MSDT URL protocol handler via a registry change — was published before the full patch and was widely adopted as an emergency stopgap. The bug was added to the KEV catalog. Full mitigation and patch guidance is in Microsoft’s security advisory and at the NVD link above.