CVE-2022-30190 — Follina MSDT Remote Code Execution in Microsoft Office
Technical analysis of CVE-2022-30190 (Follina), a Microsoft Office vulnerability that allows remote code execution by abusing the Microsoft Support Diagnostic Tool (MSDT).
CVE-2022-30190, widely known as Follina, is a vulnerability affecting Microsoft Office that allows attackers to execute arbitrary commands by abusing the Microsoft Support Diagnostic Tool (MSDT). The flaw can be triggered when a specially crafted Office document references an external resource that invokes the MSDT diagnostic protocol.
Unlike many document-based attacks, the exploit can be triggered without enabling macros. Simply opening or previewing a malicious document may be sufficient to trigger the vulnerability, making it particularly dangerous in environments where users commonly receive documents from external sources.
The vulnerability quickly became a favored technique in phishing campaigns and targeted intrusion operations.
Vulnerability Overview
| Field | Value |
|---|---|
| CVE | CVE-2022-30190 |
| Common Name | Follina |
| Severity | Critical |
| CVSS | 7.8 |
| Vendor | Microsoft |
| Product | Microsoft Office / MSDT |
| Vulnerability Type | Remote Code Execution |
| Attack Vector | Network |
| Exploitation Status | Known exploited in the wild |
| Disclosure Date | 2022-05-30 |
What the Vulnerability Allows
The vulnerability abuses the ms-msdt protocol handler, which allows Windows applications to invoke the Microsoft Support Diagnostic Tool.
Attackers craft malicious Office documents containing references to remote HTML resources. When the document is opened, Office retrieves the external resource, which triggers the MSDT handler.
This mechanism allows attackers to execute commands on the victim system.
Successful exploitation can allow attackers to:
- execute arbitrary commands
- install malware
- steal credentials
- establish persistence on the compromised system
Because the attack can occur through normal document handling behavior, it bypasses some common defenses used to block macro-based malware.
Why Follina Was Dangerous
Follina gained rapid attention because it allowed remote code execution without requiring users to enable macros.
This significantly lowered the barrier for successful phishing attacks. Attackers only needed victims to open or preview a malicious document.
The vulnerability also affected multiple Office versions and could be triggered using common file formats such as Word documents.
These characteristics made it particularly attractive for threat actors targeting enterprise environments.
Affected Systems
The vulnerability affected multiple Microsoft Office versions running on Windows systems.
| Product | Affected Versions | Fixed Versions |
|---|---|---|
| Microsoft Office | multiple supported versions prior to June 2022 security updates | patched in June 2022 security updates |
| Windows MSDT | affected when invoked through Office | patched in June 2022 updates |
Microsoft released security updates addressing the vulnerability in June 2022.
Exploitation in the Wild
Shortly after the vulnerability became public, multiple threat actors began incorporating the exploit into phishing campaigns.
Attackers distributed malicious Office documents designed to trigger the vulnerability and execute remote commands.
Security researchers observed the vulnerability being used to deploy malware loaders, remote access tools, and credential harvesting utilities.
Because the attack vector relied on document delivery, many campaigns used phishing emails to distribute malicious files.
Detection Considerations
Security teams investigating possible exploitation should analyze endpoint activity and document handling behavior.
Indicators of compromise may include:
- execution of MSDT processes triggered by Office applications
- unusual command execution spawned from Office processes
- suspicious network connections initiated by Office applications
- abnormal file activity following document opening
Security Information and Event Management (SIEM) platforms and Endpoint Detection and Response (EDR) tools can correlate these process, network, and file events and surface the Office-to-MSDT process chain for investigation.
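The following is an added example, not code from the original page: a small PowerShell check that flags the first two indicators above (msdt.exe spawned by an Office application, or msdt.exe launched with an `ms-msdt:` URI) over process-creation records. It assumes Sysmon Event ID 1 style field names (ParentImage, Image, CommandLine); the sample events are constructed for the demo.

```powershell
# Added example, not from the original page. Flags process-creation events where an
# Office application spawns msdt.exe, or msdt.exe starts with an ms-msdt: URI on its
# command line. Field names follow Sysmon Event ID 1; sample events are constructed.

$OfficeProcesses = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Get-ImageName([string]$Path) {
    # Leaf file name, lower-cased, tolerant of either path separator.
    return ($Path -split '[\\/]')[-1].ToLowerInvariant()
}

function Test-FollinaProcessEvent {
    param([Parameter(Mandatory)] [pscustomobject] $Event)

    $parent = Get-ImageName $Event.ParentImage
    $image  = Get-ImageName $Event.Image

    # Primary signal: an Office process is the direct parent of msdt.exe.
    $officeSpawnsMsdt = ($image -eq 'msdt.exe') -and ($OfficeProcesses -contains $parent)

    # Secondary signal: msdt.exe launched through the ms-msdt: protocol URI, whatever
    # the parent, so a handler launch brokered by another process is still caught.
    $protocolUri = ($image -eq 'msdt.exe') -and ($Event.CommandLine -match '(?i)ms-msdt:')

    return ($officeSpawnsMsdt -or $protocolUri)
}

# Constructed sample events: a benign troubleshooter launch from Explorer, a
# Follina-style chain from Word, and a normal Word child process (print spooler proxy).
$SampleEvents = @(
    [pscustomobject]@{
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe -id NetworkDiagnosticsWeb'
    },
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:<placeholder-arguments>'
    },
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'
        CommandLine = 'splwow64.exe 12288'
    }
)

# Only the second event should be reported.
$SampleEvents | Where-Object { Test-FollinaProcessEvent $_ } |
    Format-Table ParentImage, Image, CommandLine -AutoSize
```

To run this over real data, replace `$SampleEvents` with objects built from `Get-WinEvent` output for the Sysmon operational log or Security event 4688, mapping the parent and new process fields to the same three property names.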
Mitigation Guidance
Organizations should take the following defensive actions.
- apply Microsoft security updates addressing the vulnerability
- disable the MSDT URL protocol if not required
- monitor endpoint activity for suspicious command execution
- restrict Office applications from spawning child processes
- educate users about phishing attacks involving malicious documents
Reducing exposure to document-based exploits is particularly important for organizations handling large volumes of external email attachments.
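As an added example (not from the original page or from Microsoft's own tooling), the two workarounds from the list above as an administrator would apply them in an elevated PowerShell session: removing the `ms-msdt` protocol handler after backing up its registry key, and enabling the Microsoft Defender attack surface reduction rule that blocks Office applications from creating child processes. It assumes Microsoft Defender Antivirus is the active AV on the host; the backup file location is a choice made here.

```powershell
# Added example, not from the original page. Applies two of the listed workarounds on a
# Windows host (run elevated): remove the ms-msdt: protocol handler with a registry
# backup, and enable the Defender ASR rule blocking Office child processes. Assumes
# Microsoft Defender Antivirus is active; the backup path is an arbitrary choice.

$MsdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'
# Defender ASR rule "Block all Office applications from creating child processes".
$AsrOfficeChildRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Disable-MsdtProtocolHandler {
    if (-not (Test-Path $MsdtKey)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export first so the handler can be restored once the June 2022 update is installed.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; key left in place." }
    Remove-Item -Path $MsdtKey -Recurse -Force
    Write-Host "ms-msdt handler removed; backup written to $BackupFile"
}

function Restore-MsdtProtocolHandler {
    # Reverses Disable-MsdtProtocolHandler from the saved export.
    & reg.exe import $BackupFile
}

function Enable-OfficeChildProcessBlock {
    # 'Enabled' enforces the block; use 'AuditMode' first to observe impact on line-of-business add-ins.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-FollinaMitigations {
    # Reports both controls so the state can be compared across a fleet.
    # ASR action codes: 0 = Disabled, 1 = Block, 2 = Audit.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $i = [array]::FindIndex($ids, [Predicate[string]]{ param($id) $id -ieq $AsrOfficeChildRule })
    [pscustomobject]@{
        MsdtHandlerPresent = Test-Path $MsdtKey
        OfficeChildAction  = if ($i -ge 0) { $actions[$i] } else { 'NotConfigured' }
    }
}

Disable-MsdtProtocolHandler
Enable-OfficeChildProcessBlock
Test-FollinaMitigations
```

Expect `MsdtHandlerPresent` to read `False` and `OfficeChildAction` to read `1` after the functions run; on a patched host, `Restore-MsdtProtocolHandler` puts the handler back from the export.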
Security Implications
Follina demonstrated how vulnerabilities within auxiliary Windows components can be leveraged through common applications such as Microsoft Office. Because the exploit bypassed macro security controls, it significantly increased the success rate of phishing attacks.
The incident highlights the importance of rapid patch deployment, strong endpoint monitoring, and layered security controls designed to detect malicious document activity within enterprise environments.