
Mitigating the Follina Zero-Day Vulnerability

On May 27th, 2022, a new zero-day remote code execution (RCE) vulnerability was discovered in the Microsoft Support Diagnostic Tool (MSDT). This vulnerability, CVE-2022-30190, allows an attacker to run arbitrary code with the same privileges as the application that is calling it. This means that the attacker could install programs, view or change data, delete data, or create new accounts on the system with full user rights.

The Follina vulnerability is a serious security flaw that can be exploited by attackers to execute arbitrary code on a victim's computer. This vulnerability leverages the built-in MS URL handlers to trigger msdt.exe – this process can then be used to execute PowerShell commands.

What is MSDT?

The Microsoft Support Diagnostic Tool (MSDT) is a troubleshooting and diagnostic tool that is built into the Windows operating system. MSDT can be used to invoke a troubleshooting pack at the command line or as part of an automated script, and it enables additional options without requiring user input. MSDT is designed to help identify and resolve technical issues with Microsoft products and services. In some cases, MSDT may also provide Microsoft support personnel with additional information about an issue.

To use MSDT, simply open the Windows Control Panel and click on “System and Security.” Then, click on “Diagnose Your Computer’s Problems.” From here, you will be able to select the type of issue you are experiencing and follow the prompts to resolve the issue.

What are URL Handlers?

When an application is installed on Windows, it can register a URL to launch the application with a custom link.

Windows has many default URL handlers for applications built into the operating system, including one for msdt.exe: ms-msdt:/.
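Because the handler registration lives in the registry, an administrator can check whether a host still maps ms-msdt:/ to msdt.exe and what command it would launch. The following PowerShell script is an added example, not code from the original post; it reads the handler key under HKEY_CLASSES_ROOT, reports the mapped command, and only when run with the -Remove switch applies the pre-patch workaround Microsoft published at the time (export the key as a backup, then delete it). The backup path and the switch name are this example's own choices.

```powershell
# Added example: audit (and optionally remove) the ms-msdt URL protocol handler.
# Run in an elevated PowerShell session. Not part of the original post.
param(
    [switch]$Remove,                                         # opt-in: apply the registry workaround
    [string]$BackupPath = "$env:TEMP\ms-msdt-backup.reg"     # assumed location for the backup
)

$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$commandKey = "$handlerKey\shell\open\command"

if (-not (Test-Path $handlerKey)) {
    Write-Output 'ms-msdt: URL handler is not registered on this host.'
    return
}

# Report what the handler currently maps to, so the reviewer can see whether
# msdt.exe would be launched for an ms-msdt:/ link.
$target = (Get-ItemProperty -Path $commandKey -ErrorAction SilentlyContinue).'(default)'
Write-Output "ms-msdt: handler present. Command: $target"

if ($Remove) {
    # Export first so the handler can be restored with 'reg import' once the
    # host has received the Patch Tuesday fix.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; not removing the key." }

    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    Write-Output "Handler removed. Backup saved to $BackupPath"
}
```

Run it without arguments to audit a machine; the removal path is deliberately opt-in and refuses to delete the key unless the backup export succeeded, because removing the handler also disables legitimate MSDT troubleshooting links until it is restored.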

How is CVE-2022-30190 being exploited?

Follina is a recently discovered malware that targets Microsoft Office products. The primary method of exploiting Follina is via phishing emails that contain malicious Office documents. These documents often contain links to external servers that host files with the ms-msdt:/ URL.

When opened, these files will infect the victim's computer with the Follina malware. Once infected, the victim's computer can be used to carry out Distributed Denial of Service (DDoS) attacks or to mine cryptocurrency. The consequences of a Follina infection can be serious, so it is important to be aware of this threat and take steps to protect yourself from it.
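The exploitation chain above has one observable that defenders can hunt for: msdt.exe being started by an Office application, which normal troubleshooting never does. The following PowerShell script is an added example, not code from the original post; it assumes Sysmon is installed with process-creation logging (Event ID 1) enabled and reads the Image, ParentImage, CommandLine and User fields that Sysmon records. The list of Office parent processes and the lookback window are this example's own assumptions.

```powershell
# Added example: hunt Sysmon process-creation events (Event ID 1) for msdt.exe
# launched by an Office application, the chain the post describes.
# Assumes Sysmon is installed with process-creation logging enabled.
param([int]$LookbackHours = 24)   # assumed default search window

# Assumed set of Office binaries that should never spawn msdt.exe.
$officeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData fields into a name -> value table.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    $image  = [IO.Path]::GetFileName([string]$d['Image']).ToLower()
    $parent = [IO.Path]::GetFileName([string]$d['ParentImage']).ToLower()

    if ($image -eq 'msdt.exe' -and $officeParents -contains $parent) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['User']
            Parent      = $d['ParentImage']
            CommandLine = $d['CommandLine']
        }
    }
} | Format-Table -AutoSize
```

Any row this returns warrants a look at the command line and at the document the user had open at that time; on a patched host the query is still a cheap way to confirm that the handler is no longer being triggered from Office.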

The Fix

Microsoft has released critical fixes for an actively exploited Windows zero-day vulnerability as part of its monthly Patch Tuesday security updates.

Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.

As always, Microsoft recommends that users install the updates as soon as possible to keep their systems protected. The company also revealed that there are no known exploits actively targeting any of the vulnerabilities at this time.

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including:

  • Adobe

  • AMD

  • Android

  • Apache Projects

  • Atlassian Confluence Server and Data Center

  • Cisco

  • Citrix

  • Dell

  • GitLab

  • Google Chrome

  • HP

  • Intel

  • Lenovo

  • Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu

  • MediaTek

  • Mozilla Firefox, Firefox ESR, and Thunderbird

  • Qualcomm

  • SAP

  • Schneider Electric

  • Siemens

  • VMware
