May 31, 2022 

‘Follina’: A Microsoft 0-Day RCE Vulnerability Exploited in the Wild

Microsoft has released an advisory regarding a new 0-day remote code execution vulnerability in Microsoft Windows support diagnostic tool (MSDT). The vulnerability is exploited in the wild. 

Named ‘Follina’ by the cybersecurity community, Microsoft have not released a patch for this vulnerability yet, but a temporary workaround is available. 

The vulnerability

• CVE-2022-30190 – ‘Follina’ (CVSS 3.1: 7.8, High Severity) – A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. 

Affected Products

The following is a list of affected products as reported by multiple researchers, keep in mind that other, yet unreported products may also be affected: 

• Microsoft Office 365 Current Channel – Prior to May 2022 patch. 
• Microsoft Office 365 Semi-Annual Channel. 
• Microsoft Office 2021 – Prior to May 2022 patch. 

• Microsoft Office 2019. 
• Microsoft Office 2016. 

Workaround

Until Microsoft releases a proper patch, CYREBRO recommends applying the following workaround: 

• Disable the MSDT URL Protocol: 

1. Run Command Prompt as Administrator. 
2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“. 
3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”. 

How to undo the workaround:

1. Run Command Prompt as Administrator. 
2. To back up the registry key, execute the command “reg import filename”. 

References: Microsoft Advisory.