Follina — Microsoft Windows Support Diagnostic Tool Remote Code Execution
A remote-code-execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) allows an attacker to execute arbitrary code when a malicious Office document is opened — triggered via a remote template reference that invokes MSDT through the ms-msdt URI scheme, without requiring macros.
- Vendor: Microsoft
- Product: Windows Support Diagnostic Tool (MSDT)
- CVSS: 7.8
- Status: kev
- Published
CVE-2022-30190, nicknamed “Follina” by the researcher who first drew public attention to it, is a remote-code-execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). It was publicly disclosed on May 30, 2022, days after independent researchers spotted an in-the-wild malicious Word document exploiting it. Microsoft confirmed active exploitation at disclosure.
Why it mattered
The exploit technique was notable for what it didn’t need: no macros, no user interaction beyond opening (or in some configurations even just previewing) a document. A Word file referencing a remote HTML template could invoke the ms-msdt: URI handler to run arbitrary PowerShell, sidestepping the macro-blocking defenses many organizations had spent years rolling out in response to earlier document-based malware campaigns.
Microsoft’s interim guidance — disabling the MSDT URL protocol handler via a registry change — was published before the full patch and was widely adopted as an emergency stopgap. The bug was added to the KEV catalog. Full mitigation and patch guidance is in Microsoft’s security advisory and at the NVD link above.
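For triage, the document-side signal of the remote template reference described under "Why it mattered" is an external relationship inside the Office archive. The following is an added example, not code from Microsoft or from the original page: the function names, the `example.invalid` URL, the constructed sample archive and the choice to ignore click-only hyperlink relationships are all assumptions made for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)
CLICK_ONLY = {"hyperlink"}  # assumption: followed only when the user clicks


def triage_ooxml(data: bytes) -> list[dict]:
    """Flag external relationships and ms-msdt: strings in an OOXML archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            body = zf.read(name)
            if MSDT_RE.search(body):
                findings.append({"part": name, "kind": "ms-msdt-uri"})
            if not name.endswith(".rels"):
                continue
            try:
                # For hostile input at scale, prefer a hardened parser (e.g. defusedxml).
                root = ET.fromstring(body)
            except ET.ParseError:
                findings.append({"part": name, "kind": "unparseable-rels"})
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                external = rel.get("TargetMode", "").lower() == "external"
                if external and rel_type not in CLICK_ONLY:
                    findings.append({"part": name, "kind": "external-relationship",
                                     "type": rel_type, "target": rel.get("Target", "")})
    return findings


def build_sample(external: bool) -> bytes:
    """Constructed, inert sample: a zip that holds a single .rels part."""
    attrs = ('attachedTemplate" Target="https://example.invalid/t.html" TargetMode="External"'
             if external else 'styles" Target="styles.xml"')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
            f'2006/relationships/{attrs}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

External relationships also occur in legitimate documents (linked images, shared templates), so treat a finding as a reason to inspect the target, not as a verdict.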
