⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-07-05.

CVE-2022-30190

CWE-61046 documents24 sources

Severity

7.8HIGH

EPSS

93.6%

top 0.17%

CISA KEV

KEVRansomware

Added 2022-06-14

Due 2022-07-05

Exploit

Exploited in wild

Active exploitation observed

Affected products

Microsoft Windows 10 Version 1507 Microsoft Windows 10 Version 1607 Microsoft Windows 10 Version 1809 +28 more

Timeline

PublishedJun 1

KEV addedJun 14

KEV dueJul 5

Latest updateJan 27

CISA Required Action: Apply updates per vendor instructions.

Description

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages30 packages

▶CVEListV5microsoft/windows_server_2012_(server_core_installation)6.2.9200.0 — 6.2.9200.23736

▶CVEListV5microsoft/windows_server_2016_(server_core_installation)10.0.14393.0 — 10.0.14393.5192

▶CVEListV5microsoft/windows_server_2019_(server_core_installation)10.0.17763.0 — 10.0.17763.3046

▶CVEListV5microsoft/windows_server_2012_r2_(server_core_installation)6.3.9600.0 — 6.3.9600.20402

▶CVEListV5microsoft/windows_server_2008_r2_service_pack_1_(server_core_installation)6.1.7601.0 — 6.1.7601.25984

Patches

Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-4r9q-wqcj-x85j: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability↗2022-06-02

▶

CVEList

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability↗2022-06-01

▶

Project0

2022 0-day In-the-Wild Exploitation…so far - Project Zero↗2022-06-01

▶

VulnCheck

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability↗2022

▶

🔍Detection Rules

Suricata

ET HUNTING Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution 0-click RTF (CVE-2022-30190)↗2025-01-27

▶

Suricata

ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)↗2022-05-31

▶

Sigma

Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE↗

▶

Sigma

Potential Arbitrary Command Execution Using Msdt.EXE↗

▶

Sigma

Suspicious Cabinet File Execution Via Msdt.EXE↗

▶

📋Vendor Advisories

CISA

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability↗2022-06-14

▶

Microsoft

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability↗2022-05-10

▶

🕵️Threat Intelligence

Elastic

Vulnerability summary: Follina, CVE-2022-30190 — Elastic Security Labs↗2023-01-19

▶

Elastic

Vulnerability summary: Follina, CVE-2022-30190 — Elastic Security Labs↗2023-01-19

▶

Trendmicro

Where is the Origin QAKBOT Uses Valid Code Signing↗2022-10-27

▶

Fortinet

From Follina to Rozena - Leveraging Discord to Distribute a Backdoor | FortiGuard Labs↗2022-07-06

▶

Krebs

Microsoft Patch Tuesday, June 2022 Edition↗2022-06-15

▶

📄Research Papers

CTF

Outdated / README↗

▶

💬Community

HackerOne

Unrestricted File Upload on reddit.secure.force.com↗2022-09-30

▶