CybrWolf

CVE-2022-30190, commonly referred to as Follina, grabbed headlines in 2022 because attackers could execute code simply by getting a victim to open a Word document (no macro required). The chain uses Word’s remote template / HTML features to invoke the Windows MSDT protocol handler (ms-msdt:), which in turn runs attacker-controlled commands. Patches and workarounds exist, but the vulnerability remains a useful case study in multi-component attack chains.

Vulnerability Details

  • CVE ID: CVE-2022-30190
  • Common name: Follina
  • CWE: CWE-610
  • Affected product / component: Microsoft Windows Support Diagnostic Tool (MSDT); commonly triggered via Microsoft Office calls to the ms-msdt: URL handler. Note: the attack surface is MSDT/Windows; Office is the commonly used delivery vector.
  • Affected versions: All supported Windows client and server versions prior to the June/July 2022 updates (see vendor KBs for exact build lists).
  • CVSS v3.1: 7.8 (High)
  • Attack vector: Local in CVSS terms (AV:L, which is why the score is 7.8 rather than 9.8: the victim has to open or preview a file), but delivered remotely via phishing with malicious Office documents or remote templates that call ms-msdt:
  • Privileges required: None; the payload runs with the privileges of the user who opened the document, because msdt.exe is launched in that user’s context
  • User interaction: Required — the victim opens (or previews, e.g. in the Explorer preview pane for an RTF file) a crafted document that triggers the remote template fetch
  • Impact: Remote code execution — attackers can install malware, steal data, establish persistence, or move laterally

Exploitation path (simple flow)

  1. The attacker prepares a Word document (or RTF file) that uses Word’s remote template feature to reference attacker-hosted HTML.
  2. When the document is opened or previewed, Word fetches the remote template/HTML. That HTML contains a call to the ms-msdt: protocol handler.
  3. MSDT is invoked via the ms-msdt: URL and runs commands or scripts controlled by the attacker, with no macros and therefore no macro warning. The code runs as the user who opened the file, so that user’s privileges determine how far the attacker can go.

Why this worked: the chain abused how Office fetched external templates and how Windows handled the ms-msdt: protocol. It is a classic multi-component chain: the vulnerable piece is Windows’ diagnostic tool, but the most visible trigger is Office.

Mitigation steps

  1. Apply vendor updates now. Microsoft shipped the fix in the June 14, 2022 security updates and a further defense-in-depth fix in the July 12, 2022 cumulative updates; install those Windows updates per your patch cycle.
  2. If you can’t patch immediately, apply the Microsoft/CISA workaround: unregister the ms-msdt: protocol handler by exporting and then deleting the registry key HKEY_CLASSES_ROOT\ms-msdt (reg export, then reg delete). Keep the export so the handler can be restored after patching, and test before rolling out widely.
  3. Harden email/attachment handling: block or strip remote template fetching at the gateway, block risky attachments (including RTF), and enable attachment sandboxing and URL protection.
  4. Endpoint detection & response (EDR): ensure EDR/XDR rules flag Office processes (WINWORD.EXE, EXCEL.EXE, etc.) spawning msdt.exe, ms-msdt: URIs in command lines, and unusual PowerShell/command activity spawned from Office. Vendors published detection signatures and telemetry guidance after the outbreak.
  5. Least privilege & monitoring: run user workstations with limited privileges and monitor for unusual outbound fetches from Office apps to unknown endpoints.
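The following PowerShell is an added example for this post, not Microsoft’s code or the original article’s. It puts steps 2 and 4 into runnable form: the registry workaround (with a backup so it can be reverted), the Defender Attack Surface Reduction rule “Block all Office applications from creating child processes” as defense in depth, and a small hunt over process-creation events for the Office → msdt.exe chain. The function names are ours; the event field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, UtcTime) and the sample events are constructed, not real telemetry. The first two functions need an elevated prompt on a Windows host you administer.

```powershell
# Added example (not from the original post or from Microsoft). Three parts:
#   1. the Microsoft/CISA workaround: back up, then remove the ms-msdt: handler
#   2. the Defender ASR rule that stops Office spawning child processes
#   3. a hunt over process-creation events for the Office -> msdt.exe chain
# Function names are ours; event fields follow Sysmon Event ID 1 naming and the
# sample events at the bottom are constructed for illustration.

# ---- 1. Workaround: unregister the ms-msdt: URL handler, reversibly ----------
function Disable-MsdtHandler {
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")
    # Export first so the handler can be restored once the June 2022 patch is on.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
        throw "Export of HKCR\ms-msdt failed; refusing to delete the key."
    }
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    Write-Host "ms-msdt: handler removed. Backup: $BackupPath"
}

function Restore-MsdtHandler {
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")
    reg.exe import $BackupPath
}

# ---- 2. Defense in depth: ASR "Block all Office applications from creating
#         child processes" (rule GUID as published by Microsoft) -------------
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
function Enable-OfficeChildProcessBlock {
    # Use 'AuditMode' instead of 'Enabled' first to measure impact on add-ins.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# ---- 3. Hunt: msdt.exe parented by Office, or an ms-msdt: URI on a command line
function Find-FollinaProcessChain {
    param([Parameter(Mandatory)][object[]]$Events)
    $officeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
    foreach ($e in $Events) {
        $image  = ([IO.Path]::GetFileName($e.Image)).ToUpperInvariant()
        $parent = ([IO.Path]::GetFileName($e.ParentImage)).ToUpperInvariant()
        $indicators = @()
        if ($image -eq 'MSDT.EXE' -and $officeParents -contains $parent) {
            $indicators += 'office-spawned-msdt'
        }
        if ($e.CommandLine -match '(?i)ms-msdt:') {
            $indicators += 'ms-msdt-uri'
        }
        if ($indicators.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.UtcTime
                Parent      = $parent
                Image       = $image
                Indicators  = $indicators -join ','
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample events (not real telemetry): one Follina-style chain,
# one benign troubleshooter launch, one ordinary Word child process.
$SampleEvents = @(
    [pscustomobject]@{
        UtcTime     = '2022-06-01 09:14:02'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /param "<constructed placeholder>"'
    },
    [pscustomobject]@{
        UtcTime     = '2022-06-01 10:02:47'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'C:\Windows\System32\msdt.exe -id NetworkDiagnosticsWeb'
    },
    [pscustomobject]@{
        UtcTime     = '2022-06-01 10:15:10'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288'
    }
)

Find-FollinaProcessChain -Events $SampleEvents | Format-Table -AutoSize
```

Run against the constructed events, only the first one is reported, carrying both indicators; the legitimate troubleshooter launched from Explorer and Word’s print helper are left alone. In production, feed the function from your EDR or Sysmon export and expect to tune the parent list (Outlook previewing, Explorer’s preview pane) rather than treat it as a complete detection; the ms-msdt: string match also catches the protocol invoked from anything other than Office, which is the point of unregistering the handler in step 2.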

Is Follina (CVE-2022-30190) still a threat in 2025?

Short answer: yes, to unpatched systems. The exploit is simple to reuse in phishing campaigns, and CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, which tells defenders it has been weaponized in real campaigns and should be prioritized. If your Windows estate is patched and layered with EDR and email hygiene, your exposure is minimal.

References & Attribution

NVD entry for CVE-2022-30190 – National Vulnerability Database summary
https://nvd.nist.gov/vuln/detail/cve-2022-30190

MITRE CVE Program – source of CVE metadata and classification
© 1999–2025 The MITRE Corporation. Licensed under the MITRE CVE Terms of Use.
https://www.cve.org/Legal/TermsOfUse

Microsoft Security Response Center – Update Guide entry for CVE-2022-30190
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

CybrWolf takeaway

Follina wasn’t the fanciest exploit; it was effective because it chained everyday features in Office and Windows. The defensive lesson is classic: patch quickly, reduce remote-template exposure, and let EDR and email hygiene catch what slips through. If you haven’t scanned and patched for CVE-2022-30190 yet, make it a priority.

Subscribe to CybrWolf and stay ahead of threats.