CVE-2022-30190

CVE-2022-30190 is a high-severity vulnerability in Microsoft Windows 10 1507 with a CVSS 3.x base score of 7.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-06-14).

Key facts

Description

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.

CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) Remote Code Execution (Follina)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2022-30190
CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS v3.1 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS 0.99374 (99.93rd percentile)
KEV Yes (added 2022-06-14)
CWE Unknown (not specified in source data)

Summary

A remote code execution vulnerability exists when the Microsoft Support Diagnostic Tool (MSDT) is called using the URL protocol from a calling application such as Microsoft Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application, potentially installing programs, viewing or modifying data, or creating new accounts.

Background

Microsoft Support Diagnostic Tool (MSDT) is a legitimate Windows utility designed to collect diagnostic information and send it to Microsoft support. The tool can be invoked via the ms-msdt: URL protocol handler, which is registered in Windows. Applications such as Microsoft Word can embed or trigger this protocol handler, for example through HTML content in documents. CVE-2022-30190, also known as "Follina," leverages this mechanism to achieve code execution without traditional macro-based execution.

Root Cause

The root cause of this vulnerability lies in the unsafe handling of the ms-msdt: URI scheme by the Microsoft Support Diagnostic Tool. When a calling application invokes this protocol, MSDT processes arbitrary commands without adequate sandboxing or validation. The specific CWE classification is not publicly assigned in the available data, but the underlying weakness aligns with improper neutralization of special elements or insufficient input validation.

Impact

  • Confidentiality Impact: Complete (HIGH in CVSS v3.1) — an attacker can read sensitive data.
  • Integrity Impact: Complete (HIGH in CVSS v3.1) — an attacker can modify or delete data.
  • Availability Impact: Complete (HIGH in CVSS v3.1) — an attacker can disrupt system operations.
  • Scope: Unchanged — the vulnerable component does not impact resources beyond its security scope.
  • User Interaction: Required — the victim must interact with a malicious document (e.g., open a file).

The CVSS v2 score of 9.3 reflects network accessibility with medium complexity, while the CVSS v3.1 score of 7.8 localizes the attack vector to the endpoint once the user is tricked into interaction.

Exploitation Walkthrough

Ethics Caveat: This section is provided for defensive awareness only. The following describes the general attack flow at a high level; no weaponized exploit code is included.

  1. Delivery: An attacker sends a malicious document (e.g., a Word file) or crafts a webpage containing an embedded ms-msdt: URI.
  2. Invocation: When the victim opens the document or interacts with the content, the calling application invokes the MSDT URL protocol.
  3. Command Execution: MSDT processes the payload, which can include arbitrary commands or PowerShell execution, running with the privileges of the calling application (typically the logged-in user).
  4. Post-Exploitation: With code execution achieved, the attacker may proceed with lateral movement, persistence, or data exfiltration.

Defenders should focus on detecting suspicious ms-msdt: invocations and blocking unknown documents at the email gateway.

Affected and Patched Versions

Affected Products:

  • Microsoft Windows 10 (versions 1507, 1607, 1809, 20H2, 21H1, 21H2)
  • Microsoft Windows 11 (version 21H2)
  • Microsoft Windows 7 SP1
  • Microsoft Windows 8.1
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 2008 R2 SP1
  • Microsoft Windows Server 2012 and 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2022
  • Microsoft Windows Server 20H2

Patched Versions: Specific patch information is not provided in the available data. Microsoft released security updates in June 2022; refer to the Microsoft Security Response Center for the latest patch guidance.

Remediation

  1. Apply Security Updates: Install the June 2022 (or later) Windows cumulative updates from Microsoft.
  2. Disable MSDT URL Protocol: As a compensating control, unregister the ms-msdt: handler if the tool is not required in your environment. This can be done via registry modification (backup the registry key first).
  3. Disable Office Active Content: Block external content in Office applications and disable ActiveX/embedded objects where not needed.
  4. Email and Web Gateway Filtering: Block or sandbox Office documents from untrusted sources.
  5. Least Privilege: Ensure users operate with standard privileges, not administrative rights, to limit the impact of successful exploitation.

Detection

  • Process Monitoring: Alert on msdt.exe being spawned by Office applications (e.g., winword.exe) or by browsers.
  • Command Line Inspection: Monitor for unusual command-line arguments passed to msdt.exe.
  • Registry Monitoring: Detect changes to the ms-msdt: URL protocol handler.
  • Network Signatures: Look for unexpected outbound connections initiated by msdt.exe.
  • Endpoint Detection and Response (EDR): Use EDR tools to correlate document open events with child process creation.

Assessment

This vulnerability carries an EPSS score of 0.99374 (99.93rd percentile), indicating near-certain exploitation in the wild. It was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2022-06-14, confirming active exploitation. The high CVSS v2 score (9.3) and the "Follina" moniker reflect the severity and widespread attention this flaw received.

Key Lessons:

  1. Protocol handlers are a high-value attack surface. URL schemes registered in the operating system can bridge trusted applications (e.g., Word) to system utilities, creating unexpected code execution paths.
  2. Document-based attacks remain prevalent. User interaction is required, but social engineering and email-based delivery make this a realistic and dangerous vector.

References

Frequently asked questions

What is CVE-2022-30190?
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.
How severe is CVE-2022-30190?
CVE-2022-30190 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-30190 being actively exploited?
Yes. CVE-2022-30190 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-06-14, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-30190?
CVE-2022-30190 primarily affects Microsoft Windows 10 1507. In total, 17 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-30190?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-30190 have an EU (EUVD) identifier?
Yes. CVE-2022-30190 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-35396. It is also flagged as exploited in the EUVD (since 2022-06-14).
When was CVE-2022-30190 published?
CVE-2022-30190 was published on 2022-06-01 and last updated on 2026-06-17.

References

Affected products (17)

More vulnerabilities in Microsoft Windows 10 1507

All CVEs affecting Microsoft Windows 10 1507 →