CVE-2022-30190

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

Status: Planned Fix

Summary

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application.

Why Planned Fix?

Score: 4/6
  • No authentication required
  • Internal deployment
  • User interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Exploitable with default configuration? Yes
Authentication needed? No
PoC / Exploit: Yes
Impact: Execute arbitrary code with the privileges of the calling application.
Exploitation Requirements: None — vulnerable in default configuration

Exploitation Process

An attacker sends a crafted Office document or RTF file that references an external HTML resource. When the victim opens the file, or in some variants merely previews it, the document loads attacker-controlled content that redirects to an ms-msdt: URI with malicious parameters. MSDT processes the URI and launches the embedded command, which can start a payload such as PowerShell or another program.


Affected Software

Vendor: Microsoft
Product: Microsoft Support Diagnostic Tool (MSDT)
Affected Versions: all supported Windows versions
Description: Built-in Windows troubleshooting utility that collects diagnostic data and launches support troubleshooters through the ms-msdt URL handler.
Deployment: Typically internal
Protocol: MSDT URL protocol
Affected Component: MSDT URL protocol handler used to launch troubleshooting flows from calling applications such as Microsoft Word.
Affected Endpoints (2):
  1. ms-msdt:/
  2. ms-msdt:/id PCWDiagnostic
Vendor Size: Big
Remediation

Workaround
Disable the MSDT URL protocol by deleting HKEY_CLASSES_ROOT\ms-msdt; this blocks ms-msdt links but also disables click-to-launch Windows troubleshooters.
Source: www.microsoft.com
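A PowerShell script that applies this workaround with a backup and verifies the result, added here as an example (not taken from the page or from Microsoft); the backup file location is an assumption, and the script must run from an elevated prompt:

```powershell
# Added example (not from the original page or from Microsoft): back up, remove and
# verify the ms-msdt URL protocol registration described in the workaround above.
# $BackupFile is an assumed location; any writable path works.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'

function Test-MsdtProtocolEnabled {
    # The handler is registered while the ms-msdt key exists under HKCR.
    return (Test-Path "Registry::$KeyPath")
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Output "$KeyPath not present; nothing to do."
        return
    }
    # Export first so the troubleshooter handler can be restored after patching.
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; key left in place." }
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to delete $KeyPath." }
    Write-Output "Deleted $KeyPath (backup: $BackupFile)."
}

function Restore-MsdtProtocol {
    # Undo the workaround once the June 14, 2022 update is installed.
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
}

Disable-MsdtProtocol
if (Test-MsdtProtocolEnabled) {
    Write-Warning "ms-msdt handler is still registered."
} else {
    Write-Output "ms-msdt URL protocol is disabled; click-to-launch troubleshooters will not work until restored."
}
```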
Patch
Not available

Update
Install Microsoft’s June 14, 2022 Windows security updates; for Windows 8.1, Server 2012 R2, Server 2012, and Server 2008 SP2 use KB5015805, and keep later cumulative updates applied.
Source: msrc.microsoft.com
Threat Intelligence

EPSS Score: 93.5% (probability of exploitation in the next 30 days)
EPSS Percentile: 100% (worse than 100% of all CVEs)
CISA KEV: Listed
Active Exploitation: Active
Source: cloud.google.com

Threat Actors (3)
  • UNC3658: suspected China-linked cluster targeting the Philippine government
  • UNC3347: suspected China-linked cluster targeting telecommunications and business service providers in South Asia
  • UNC3819: suspected China-linked cluster targeting organizations in Belarus and Russia

Detection Rules (3)

Rule 1 (KQL), msdt.exe spawned by an Office application:
DeviceProcessEvents | where FileName =~ "msdt.exe" and InitiatingProcessFileName in~ ("winword.exe","excel.exe","powerpnt.exe","outlook.exe")

Rule 2 (KQL), msdt.exe launched with troubleshooter or protocol markers on its command line:
DeviceProcessEvents | where FileName =~ "msdt.exe" and ProcessCommandLine has_any ("PCWDiagnostic","IT_BrowseForFile","IT_RebrowseForFile","ms-msdt:")

Rule 3 (KQL), msdt.exe spawning a shell or script host:
DeviceProcessEvents | where InitiatingProcessFileName =~ "msdt.exe" and FileName in~ ("powershell.exe","cmd.exe","wscript.exe")
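The same three conditions expressed as a PowerShell function and run over constructed process-creation records, added here as an example (not from the page or from any vendor); the record field names mirror the KQL columns above, and the sample events are constructed for illustration, not captured telemetry:

```powershell
# Added example (not from the original page): the three KQL rules above as one
# PowerShell function, so the logic can be checked offline against process-creation
# records (e.g. Sysmon Event ID 1 exported as objects). Sample records are constructed.

$OfficeHosts = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe'
$MsdtMarkers = 'PCWDiagnostic','IT_BrowseForFile','IT_RebrowseForFile','ms-msdt:'
$Shells      = 'powershell.exe','cmd.exe','wscript.exe'

function Get-MsdtRuleMatches {
    param([Parameter(ValueFromPipeline)] [pscustomobject] $Event)
    process {
        $hits   = @()
        $file   = [string]$Event.FileName
        $parent = [string]$Event.InitiatingProcessFileName
        $cmd    = [string]$Event.ProcessCommandLine
        # Rule 1: msdt.exe spawned by an Office application (-in is case-insensitive).
        if ($file -ieq 'msdt.exe' -and $parent -in $OfficeHosts) { $hits += 'OfficeSpawnsMsdt' }
        # Rule 2: msdt.exe command line carries any of the troubleshooter/protocol markers.
        $marker = $MsdtMarkers | Where-Object { $cmd -match [regex]::Escape($_) }
        if ($file -ieq 'msdt.exe' -and $marker) { $hits += 'MsdtSuspiciousCmdline' }
        # Rule 3: msdt.exe itself starts a shell or script host.
        if ($parent -ieq 'msdt.exe' -and $file -in $Shells) { $hits += 'MsdtSpawnsShell' }
        if ($hits) {
            [pscustomobject]@{ Time = $Event.Timestamp; Parent = $parent; File = $file; Rules = ($hits -join ',') }
        }
    }
}

# Constructed sample records: one benign troubleshooter launch from Explorer, then a
# suspicious chain (Office -> msdt.exe -> powershell.exe). Arguments are elided.
$sample = @(
    [pscustomobject]@{ Timestamp = '2022-06-01T09:00:00Z'; InitiatingProcessFileName = 'explorer.exe'; FileName = 'msdt.exe'; ProcessCommandLine = 'msdt.exe -id NetworkDiagnosticsWeb' }
    [pscustomobject]@{ Timestamp = '2022-06-01T09:05:00Z'; InitiatingProcessFileName = 'WINWORD.EXE'; FileName = 'msdt.exe'; ProcessCommandLine = 'msdt.exe ms-msdt:/id PCWDiagnostic (arguments elided)' }
    [pscustomobject]@{ Timestamp = '2022-06-01T09:05:02Z'; InitiatingProcessFileName = 'msdt.exe';     FileName = 'powershell.exe'; ProcessCommandLine = 'powershell.exe (arguments elided)' }
)

# Expected: the Explorer launch produces no row; the Word launch matches rules 1 and 2;
# the child powershell.exe matches rule 3.
$sample | Get-MsdtRuleMatches | Format-Table -AutoSize
```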

NVD Data


Description Summary

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.

CVSS Base Score

7.8
High

CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Version up to: 10.0.10240.19325, 10.0.14393.5192, 10.0.17763.3046, 10.0.19042.1766, 10.0.19043.1766, 10.0.19044.1766, 10.0.22000.739, 10.0.20348.770

Affected Software (CPE) (17)

  • cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_21h1:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*