{ "id": "30fef47d-817d-4af2-b85b-bc1c16e9bd66", "created_at": "2026-04-06T00:22:25.780279Z", "updated_at": "2026-04-10T03:37:54.56728Z", "deleted_at": null, "sha1_hash": "ff5a02c1589800a3406edf149325d5b620acf5a2", "title": "CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability “Follina” | FortiGuard Labs", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 801581, "plain_text": "CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT)\r\nRCE Vulnerability “Follina” | FortiGuard Labs\r\nBy Shunichi Imano, James Slaughter, Fred Gutierrez, and FortiRecon Team\r\nPublished: 2022-06-01 · Archived: 2026-04-05 21:27:52 UTC\r\nAt the end of last week, @nao_sec, an independent cyber security research team, tweeted about a malicious\r\nMicrosoft Word document submitted from Belarus that leverages remote templates to execute a PowerShell\r\npayload using the \"ms-msdt\" MSProtocol URI scheme. Additional developments over the weekend identified the\r\nissue as a new unpatched vulnerability in Windows. A successful attack results in a remote, unauthenticated\r\nattacker taking control of an affected system. A publicly available Proof-of-Concept soon followed.\r\nThis issue is referred to as “Follina’ and has a CVE assignment of CVE-2022-30190.\r\nThe name of the vulnerability is credited to security researcher Kevin Beaumont. \"Follina\" was derived from his\r\nanalysis of the 0-day that contained code referencing \"0438\", which is the area code of Follina, Italy. Most of the\r\ntime, it’s a bad sign when a vulnerability is crowned with a unique name (having a mind-shaking logo is usually\r\nthe last dagger – such as Heartbleed, Shellshock, and EternalBlue, but thankfully, this issue is not in the same\r\nleague as those.\r\nAs FortiGuard Labs is on high watch for updates and developments for CVE-2022-30190, this blog intends to\r\nraise awareness of this critical vulnerability and to urge administrators and various organizations to take quick\r\ncorrective action until Microsoft releases a patch.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Microsoft Windows Users\r\nImpact: Full Control of Affected Machine\r\nSeverity level: Critical\r\nImpact Assessment\r\nThe first question you probably would ask is how bad this vulnerability is. CVE-2022-30190 is rated as CVSS 7.8\r\n(Critical), and there are a number of reasons for it.\r\nThis vulnerability is in the Microsoft Support Diagnostic Tool (MSDT), a tool from Microsoft that collects and\r\nsends system information back to Microsoft Support for problem diagnostics, such as issues with device drivers,\r\nhardware, etc. This tool is in all versions of Windows, including Windows Server OS. Because of the lack of an\r\navailable patch from Microsoft (as of June 1st, 2022), machines that are not protected by endpoint software or a\r\nmitigation strategy are vulnerable to Follina.\r\nAs proof-of-concept code is publicly available, this code can be freely used by security researchers,\r\nadministrators, and threat actors alike. As such, attacks that leverage CVE-2022-30190 are expected to increase\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 1 of 11\n\nover the next few days and weeks.\r\nProtected View, a feature in Microsoft Office that opens Office documents in read-only mode with macros and\r\nother content disabled, can prevent this attack. However, reports from researchers have revealed that if a document\r\nis converted to Rich Text Format (RTF) format, simply previewing the document in Windows Explorer can trigger\r\nthe exploit, bypassing Protected View. At the time of writing, Microsoft’s latest advisory has not confirmed this\r\nnor whether this is another exploitation vector.\r\nOn a side note, despite using “remote” in the vulnerability name, the attack happens locally, and user interaction is\r\nrequired for the attack to work. Microsoft’s advisory calls out this point: “The word Remote in the title refers to\r\nthe location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The\r\nattack itself is carried out locally.”\r\nAdditionally, the vulnerability has already experienced in-the-wild attacks. As shown in the timeline at the end of\r\nthis blog (see Timeline), a series of initial attacks were reportedly observed in March 2022, targeting the\r\nPhilippines, Nepal, and India. Additional files were submitted to VirusTotal from Russia and Belarus. Those\r\nattacks were most likely targeted attacks as the domains involved reveal little activity in our telemetry.\r\nDue to the severity of the vulnerability, the United States Cybersecurity \u0026 Infrastructure Security Agency (CISA)\r\nissued an advisory on May 31st, urging users and administrators to apply necessary workarounds as soon as\r\npossible.\r\nExploit\r\nThe vulnerability that exists within msdt.exe is the Microsoft Support Diagnostic Tool. Normally, this tool is used\r\nto diagnose faults with the operating system and then report and provide system details back to Microsoft Support.\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 2 of 11\n\nFigure 1. The Microsoft Support Diagnostic Tool as is meant to be seen.\r\nThe vulnerability allows a malicious actor to effectively execute arbitrary code with the same privileges as the\r\napplication calling it. As has been the case with the original reporting of this from @nao_sec and subsequent\r\nexperimentation in the wider security community, the calling application is quite often a tool in Microsoft Office\r\n(Word, Excel, Outlook, etc.).\r\nThe original document and subsequent HTML file can be found here and here.\r\nFigure 2. Original OLE object showing the download location of the subsequent HTML file.\r\nAs shown in Figure 2, the document found by @nao_sec used an embedded OLE Object inside a Word document\r\nthat was modified to call an external website to download an HTML document. This document then invoked\r\nmsdt.exe, followed by several PowerShell commands.\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 3 of 11\n\nFigure 3. HTML file invoking MSDT.\r\nFigure 3 shows the original HTML payload, which required several lines with the letter 'A' (61) to be commented\r\nout of the script in order to execute. MSDT was then invoked using character and Base64 encoding to obfuscate\r\nthe actual command.\r\nFigure 4. Decoded command.\r\nMany further examples have been uploaded to VirusTotal that invoke Calc and other benign Windows tools as a\r\nmethod to test the vulnerability without causing damage.\r\nActive Exploitation\r\nThe TA413 APT group, a hacking outfit linked to Chinese state interests, has adopted this vulnerability in attacks\r\nagainst the international Tibetan community. As observed on May 30 by security researchers, threat actors are now\r\nusing CVE-2022-30190 exploits to execute malicious code via the MSDT protocol when targets open or preview\r\nWord documents delivered in ZIP archives. Campaigns have impersonated the 'Women Empowerments Desk' of\r\nthe Central Tibetan Administration and use the domain tibet-gov.web[.]app.\r\nThe security researchers also spotted DOCX documents with Chinese filenames being used to install malicious\r\npayloads detected as password-stealing Trojans via \"hxxp://coolrat[.]xyz\".\r\nAt the time of writing, researchers have discovered limited exploitation of the vulnerability in the wild. One\r\ninstance of active exploitation of 'Follina' was conducted by Chinese APT actor 'TA413'.\r\nAttack Vector\r\nAt the time of this writing, all known attacks used Microsoft Word document files that were most likely delivered\r\nvia email. Theoretically, any applications that allow an OLE object to be embedded would be a viable execution\r\nmechanism.\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 4 of 11\n\nIn the Wild Attack\r\nOne of the real-world attacks that leverage CVE-2022-30190 is a Microsoft Word file submitted to VirusTotal\r\nfrom Saudi Arabia on June 1st (SHA2:\r\n248296cf75065c7db51a793816d388ad589127c40fddef276e622a160727ca29), which MalwareHunterTeam posted\r\nin a tweet:\r\nFigure 5. Malicious Word file that was used in an attack leveraging CVE-2022-30190.\r\nThe doc file retrieves an HTML file from 212[.]138[.]130[.]8/analysis.html, which abuses MSDT to fetch the next\r\nstage payload “svchost.exe” from a remote location and then execute it.\r\nFigure 6. Contents of retrieved analysis.html\r\nPayload Analysis\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 5 of 11\n\nThe Saudi Arabian DOCX document eventually leads to the download and execution of an executable. This\r\nexecutable (SHA256: 4DDA59B51D51F18C9071EB07A730AC4548E36E0D14DBF00E886FC155E705EEEF)\r\nis a variant of Turian, which was analyzed by ESET\r\n(https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/)  almost a year ago.\r\nThis current variant uses the same one-byte XOR key (0xA9) as the previously analyzed Turian sample. \r\nFigure 7. XOR key 0xA9 used for decryption\r\nThis sample also has the functionality to try and determine what role the infected computer plays in the domain.\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 6 of 11\n\nFigure 8. Functionality to determine domain role\r\nSimilar to the old Turian sample, this variant uses the same headers to connect to the C2 server.\r\nFigure 9. Connection headers\r\nThis sample creates “tmp.bat”, which is used to set RUN keys in the registry for persistence purposes.\r\nFigure 10. Content of the”tmp.bat” file\r\nNote the mixed usage of upper and lowercase letters, which is the same as the old Turian sample.\r\nThis latest variant uses www[.]osendata[.] com as its C2 server.\r\nAnother Turian sample similar to this latest variant has a SHA256 hash of \r\n34DC42F3F486EC282C5E3A16D81A377C2F642D87994AE103742DF5ED5804D0F7 and a C2 server of\r\nwww[.]tripinindian[.]com.\r\nMitigation\r\nMicrosoft has provided the following mitigation steps in a blog posted on May 30th, 2022.\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 7 of 11\n\nCISA also urged admins and users to disable the MSDT protocol on their Windows devices after Microsoft\r\nreported active exploitation of this vulnerability in the wild.\r\nDisabling the MSDT URL Protocol:\r\nDisabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links\r\nthroughout the operating system. Troubleshooters can still be accessed using the Get Help application and in\r\nSystem Settings as other or additional troubleshooters. Follow these steps to disable:\r\n1. Run Command Prompt as Administrator.\r\n2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\\ms-msdt\r\nfilename“\r\n3. Execute the command “reg delete HKEY_CLASSES_ROOT\\ms-msdt /f”.\r\nFigure 11. ms-msdt in Registry Editor\r\nHow to undo the workaround\r\n1. Run Command Prompt as Administrator.\r\n2. To restore the registry key, execute the command “reg import filename”\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 8 of 11\n\nTimeline\r\nTimeline of CVE-2022-30190 based on information gathered by FortiGuard Labs: (updated June 2)\r\nYear Month/Date  Event\r\n2022\r\nApril 12th\r\ncrazyman_army with an APT hunting team “Shadow Chaser Group,” reported the\r\nvulnerability to Microsoft. The report was based on a Word document file that\r\nappears to have been used in a real attack targeting Russia.\r\nApril 21st Microsoft determined that it was not a security-related issue.\r\nMay 27th\r\nnao_sec, an independent cyber security research team, tweeted about a malicious\r\nMicrosoft Word document file submitted from Belarus that leverages remote\r\ntemplates to execute the PowerShell payload using the \"ms-msdt\" MSProtocol URI\r\nscheme.\r\nMay 30th\r\nKevin Beaumont, a security researcher known as GossiTheDog, posted a\r\nblog citing that this is an unpatched vulnerability.\r\nMicrosoft released an advisory and mitigation guidance.\r\nCVE-2022-30190 was assigned to the vulnerability.\r\nConclusion\r\nCVE-2022-30190 has the potential to have significant impact due to its ease of exploitation and ability to bypass\r\nProtected View, along with the availability of new PoC code and the lack of a security fix. Administrators and\r\nusers should monitor updates from Microsoft and apply the patch as soon as it becomes available. Until then,\r\nmitigation should be applied as soon as possible.\r\nFortinet Protection\r\nThe FortiGuard Antivirus service detects and blocks files associated with CVE-2022-30190 with the following\r\nsignatures:\r\nHTML/CVE_2022_30190.A!tr\r\nMSWord/Agent.2E52!tr.dldr\r\nMSWord/CVE20170199.A!exploit\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 9 of 11\n\nRiskware/RemoteShell.\r\nRegarding IPS coverage, the following signature will detect the retrieval of remote HTML files that contain the\r\nMSDT command:\r\nMS.Office.MSHTML.Remote.Code.Execution.\r\nThe FortiGuard Content Disarm and Reconstruction (CDR) service can detect the attack in real-time and prevent it\r\nby disarming the \"oleobject\" data from Microsoft Office files.\r\nAll relevant URLs have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nFor a comprehensive list of Fortinet technologies that prevent exploitation of CVE-2022-30190, please refer to\r\nour Outbreak Alert Service page, “MSDT Follina.”\r\nAs these attacks require user interaction, it is also suggested that organizations regularly schedule user awareness\r\nand training simulations on how to spot a social engineering attack. Fortinet has multiple solutions designed to\r\ntrain users on how to understand and detect phishing threats:\r\nFortiEDR detects post-exploitation behavior associated with the CVE-2022-30190 vulnerability. A KB article\r\ndetailing how FortiEDR can mitigate this issue can be found here.\r\nWe suggest that organizations have their end users go through our FREE NSE training: NSE 1 – Information\r\nSecurity Awareness. It includes a module on Internet threats to train end-users on how to identify and protect\r\nthemselves from phishing attacks.\r\nIn addition, the FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user\r\nawareness and vigilance to phishing threats and train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nIOCs\r\nFiles:\r\n710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa\r\nfe300467c2714f4962d814a34f8ee631a51e8255b9c07106d44c6a1f1eda7a45\r\n3db60df73a92b8b15d7885bdcc1cbcf9c740ce29c654375a5c1ce8c2b31488a1\r\n4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784\r\nd118f2c99400e773b8cfd3e08a5bcf6ecaa6a644cb58ef8fd5b8aa6c29af4cf1\r\n764a57c926711e448e68917e7db5caba988d3cdbc656b00cd3a6e88922c63837\r\n8e986c906d0c6213f80d0224833913fa14bc4c15c047766a62f6329bfc0639bd\r\ne8f0a2f79a91587f1d961d6668792e74985624d652c7b47cc87367cb1b451adf\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 10 of 11\n\n4369f3c729d9bacffab6ec9a8f0e582b4e12b32ed020b5fe0f4c8c0c620931dc\r\n1f245b9d3247d686937f26f7c0ae36d3c853bda97abd8b95dc0dfd4568ee470b\r\nbf10a54348c2d448afa5d0ba5add70aaccd99506dfcf9d6cf185c0b77c14ace5\r\nc0c5bf6fe1d3b23fc89e0f8b352bd687789b5083ca6d8ec9acce9a9e2942be1f\r\n248296cf75065c7db51a793816d388ad589127c40fddef276e622a160727ca29\r\nd61d70a4d4c417560652542e54486beb37edce014e34a94b8fd0020796ff1ef7\r\n4f11f567634b81171a871c804b35c672646a0839485eca0785db71647a1807df\r\nURL(s):\r\nsputnikradio[.]net\r\nxmlformats[.]com\r\nexchange[.]oufca[.]com[.]au\r\n141[.]98[.]215[.]99\r\ntibet-gov[.]web[.]app\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nhttps://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day" ], "report_names": [ "analysis-of-follina-zero-day" ], "threat_actors": [ { "id": "709ceea7-db99-405e-b5a7-a159e6c307e0", "created_at": "2022-10-25T16:07:23.373699Z", "updated_at": "2026-04-10T02:00:04.571971Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [], "source_name": "ETDA:BackdoorDiplomacy", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "3b56d733-88da-4394-b150-d87680ce67e4", "created_at": "2023-01-06T13:46:39.287189Z", "updated_at": "2026-04-10T02:00:03.274816Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [ "BackDip", "CloudComputating", "Quarian" ], "source_name": "MISPGALAXY:BackdoorDiplomacy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "401a2035-ed5a-4795-8e37-8b7465484751", "created_at": "2022-10-25T15:50:23.616232Z", "updated_at": "2026-04-10T02:00:05.304705Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [ "BackdoorDiplomacy" ], "source_name": "MITRE:BackdoorDiplomacy", "tools": [ "Turian", "China Chopper", "Mimikatz", "NBTscan", "QuasarRAT" ], "source_id": "MITRE", "reports": null }, { "id": "3b1367ff-99dc-41f0-986f-4a1dcb41bbbf", "created_at": "2022-10-25T16:07:24.273478Z", "updated_at": "2026-04-10T02:00:04.918037Z", "deleted_at": null, "main_name": "TA413", "aliases": [ "White Dev 9" ], "source_name": "ETDA:TA413", "tools": [ "Exile RAT", "ExileRAT", "Sepulcher" ], "source_id": "ETDA", "reports": null }, { "id": "9792e41f-4165-474b-99fa-e74ec332bd87", "created_at": "2023-01-06T13:46:38.986789Z", "updated_at": "2026-04-10T02:00:03.172308Z", "deleted_at": null, "main_name": "Lucky Cat", "aliases": [ "TA413", "White Dev 9" ], "source_name": "MISPGALAXY:Lucky Cat", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86182dd7-646c-49c5-91a6-4b62fd2119a7", "created_at": "2025-08-07T02:03:24.617638Z", "updated_at": "2026-04-10T02:00:03.738499Z", "deleted_at": null, "main_name": "BRONZE HOBART", "aliases": [ "APT23", "Earth Centaur ", "KeyBoy ", "Pirate Panda ", "Red Orthrus ", "TA413 ", "Tropic Trooper " ], "source_name": "Secureworks:BRONZE HOBART", "tools": [ "Crowdoor", "DSNGInstaller", "KeyBoy", "LOWZERO", "Mofu", "Pfine", "Sepulcher", "Xiangoop Loader", "Yahaoyah" ], "source_id": "Secureworks", "reports": null }, { "id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c", "created_at": "2022-10-25T16:07:23.750796Z", "updated_at": "2026-04-10T02:00:04.736762Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "APT 15", "BackdoorDiplomacy", "Bronze Davenport", "Bronze Idlewood", "Bronze Palace", "CTG-9246", "G0004", "G0135", "GREF", "Ke3chang", "Metushy", "Nylon Typhoon", "Operation Ke3chang", "Operation MirageFox", "Playful Dragon", "Playful Taurus", "PurpleHaze", "Red Vulture", "Royal APT", "Social Network Team", "Vixen Panda" ], "source_name": "ETDA:Ke3chang", "tools": [ "Agentemis", "Anserin", "BS2005", "BleDoor", "CarbonSteal", "Cobalt Strike", "CobaltStrike", "DarthPusher", "DoubleAgent", "EternalBlue", "GoldenEagle", "Graphican", "HenBox", "HighNoon", "IRAFAU", "Ketrican", "Ketrum", "LOLBAS", "LOLBins", "Living off the Land", "MS Exchange Tool", "Mebroot", "Mimikatz", "MirageFox", "NBTscan", "Okrum", "PluginPhantom", "PortQry", "ProcDump", "PsList", "Quarian", "RbDoor", "RibDoor", "Royal DNS", "RoyalCli", "RoyalDNS", "SAMRID", "SMBTouch", "SilkBean", "Sinowal", "SpyWaller", "Theola", "TidePool", "Torpig", "Turian", "Winnti", "XSLCmd", "cobeacon", "nbtscan", "netcat", "spwebmember" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434945, "ts_updated_at": 1775792274, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ff5a02c1589800a3406edf149325d5b620acf5a2.pdf", "text": "https://archive.orkl.eu/ff5a02c1589800a3406edf149325d5b620acf5a2.txt", "img": "https://archive.orkl.eu/ff5a02c1589800a3406edf149325d5b620acf5a2.jpg" } }