CVE-2022-30190
📋 TL;DR
CVE-2022-30190 (publicly known as "Follina") is a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT), a Windows component reachable through the ms-msdt: URL scheme. When an application such as Microsoft Word hands an attacker-controlled ms-msdt: URL to the protocol handler, MSDT runs the attacker's command with the privileges of the user who opened (or merely previewed) the document. Any supported Windows release with the ms-msdt handler registered is affected; Office is the delivery vector seen in the wild, not the vulnerable component.
💻 Affected Systems
- Microsoft Office (Word is the delivery vector observed in the wild: the document causes Word to pass an ms-msdt: URL to the Windows protocol handler)
- Microsoft Outlook (mailed attachments opened in Word)
- Any other application that passes an attacker-controlled ms-msdt: URL to the handler; the vulnerable code is MSDT in Windows, not Office
📦 What is this software?
MSDT (msdt.exe) is the Microsoft Support Diagnostic Tool that runs Windows troubleshooting packs and is registered as the handler for the ms-msdt: URL scheme. The vendor advisory lists these Windows releases as affected:
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 20H2 by Microsoft
Windows 10 21H1 by Microsoft
Windows 10 21H2 by Microsoft
Windows 11 21H2 by Microsoft
Windows 7 by Microsoft
Windows 8.1 by Microsoft
Windows RT 8.1 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
The payload runs as the user who opened or previewed the document. If that user is a local administrator, or the attacker chains a separate privilege escalation, the result is full system takeover: persistent malware, exfiltration of sensitive data, and backdoors for future access.
Likely Case
Initial access as a standard user: the payload drops a loader or remote-access tool, harvests credentials and browser data, stages ransomware, or moves laterally within the network.
If Mitigated
Limited impact on hosts where the ms-msdt handler has been removed or the June 2022 update is installed, because the URL never reaches msdt.exe. Application control, the Office child-process ASR rule, non-administrative user accounts, and network segmentation further contain a payload that does run.
🎯 Exploit Status
Exploited in the wild before the patch existed: the earliest known malicious documents date from April 2022, the technique became public at the end of May 2022 (Microsoft published the advisory and the registry workaround on May 30, 2022), and CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 14, 2022, the day the fix shipped. No authentication is needed; the victim has to open, or merely preview, a crafted document. The RTF variant fires from the Windows Explorer preview pane without the file being opened, which sidesteps Protected View, so "the user must open the document" understates the exposure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: June 14, 2022 Windows cumulative updates (the fix is in Windows, which ships MSDT; there is no separate Office patch)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
Restart Required: Yes
Instructions:
1. Install the June 14, 2022 cumulative update for the Windows release in question through Windows Update or, for managed estates, WSUS or Configuration Manager. Later monthly cumulative updates contain the fix as well.
2. Restart the host; the update is not effective until the reboot completes.
3. Office updates do not change MSDT, but keep Office current and leave Protected View and Application Guard for Office enabled: Microsoft notes that both prevent this attack for documents that carry the Mark of the Web.
4. If the registry workaround below was applied, it can stay in place or be rolled back with reg import of the exported backup once the host is patched.
🔧 Temporary Workarounds
Remove the ms-msdt URL protocol handler
Windows: Microsoft's documented workaround. With the key gone, an ms-msdt: URL no longer resolves to msdt.exe whichever application hands it over, so this covers Office, the Explorer preview pane, and any other trigger; troubleshooters started from Settings or Get Help still work. The key lives under HKEY_CLASSES_ROOT (backed by HKLM\Software\Classes), so run the commands from an elevated command prompt, and export first so the key can be restored after patching.
reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt.reg
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Restore later with: reg import ms-msdt.reg
Block Office from spawning child processes
Windows (Microsoft Defender Antivirus): the Attack Surface Reduction rule "Block all Office applications from creating child processes" (d4f940ab-401b-4efc-aadc-ad5f3c50688a) stops Word, Excel, and Outlook from launching msdt.exe. It requires Defender Antivirus to be the active antivirus and only applies when the parent is an Office process, so do not rely on it alone. Substitute AuditMode for Enabled first if you need to measure business impact before blocking.
Add-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Enabled
🧯 If You Can't Patch
- Remove the ms-msdt handler (workaround above) on every host; it is the one control that blocks the vector regardless of which application triggers it
- Disable the Preview Pane and Details Pane in Windows Explorer so RTF files are not rendered on selection
- Leave Protected View enabled and do not strip the Mark of the Web from downloaded or mailed documents
- Implement application control policies (AppLocker or WDAC) that block msdt.exe and sdiagnhost.exe for standard users; both sit in System32 and are rarely needed by non-administrators
- Use network segmentation and web filtering to limit outbound HTTP from user workstations, since the document fetches its payload from an external host before MSDT is ever invoked
🔍 How to Verify
Check if Vulnerable:
The handler is registered under HKEY_CLASSES_ROOT, a merged view of HKLM\Software\Classes and HKCU\Software\Classes. If the query returns a key with a shell\open\command subkey, an ms-msdt: URL still launches msdt.exe on this host: reg query HKCR\ms-msdt /s
Check Version:
The fix ships in Windows, so the OS build is what matters; the Office version only tells you which delivery vector is installed. Read the build and update revision with: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild and reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v UBR. Avoid wmic product for inventory: it enumerates MSI packages and triggers a consistency check (and possible repair) of each one, and wmic itself is deprecated.
Verify Fix Applied:
KB5014692 (Windows 10 1809, build 17763.3046) and KB5014699 (Windows 10 20H2, 21H1, and 21H2, builds 19042/19043/19044.1766) are two of the June 14, 2022 cumulative updates; other releases have their own KB, listed in the vendor advisory. Because the updates are cumulative, a host with a later monthly update is patched even though the June KB is not listed, so compare CurrentBuild.UBR against the fixed build rather than relying only on: Get-HotFix | Where-Object HotFixID -in @('KB5014692','KB5014699')
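The checks and the workaround above, combined into one script. This is an added example, not Microsoft's code or anything from the advisory: it reports whether the ms-msdt handler is present and what it executes, whether either of the two June 2022 KBs named on this page is installed, the host's CurrentBuild.UBR for comparison against the advisory's fixed build, and the state of the Office child-process ASR rule; with -Action Mitigate it runs the reg export / reg delete pair, and -Action Rollback re-imports the backup. The backup path and the two-entry KB list are assumptions to adjust for your estate.

```powershell
<#
  Added example (not from the Microsoft advisory): report a Windows host's
  CVE-2022-30190 exposure and apply or roll back the documented registry workaround.
  Run from an elevated PowerShell prompt.   -Action Check | Mitigate | Rollback
#>
param(
    [ValidateSet('Check', 'Mitigate', 'Rollback')]
    [string]$Action = 'Check',
    # Assumption: where the exported key is kept; any writable path works.
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg"
)

# HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, so a handler
# registered in either hive shows up here.
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

# Two of the June 14, 2022 cumulative updates (Win10 1809 and Win10 20H2-21H2).
# Assumption: extend this list from the MSRC advisory for the releases you run.
$JunePatches = @('KB5014692', 'KB5014699')

# ASR rule "Block all Office applications from creating child processes".
$AsrOfficeChildRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Test-MsdtHandlerPresent {
    Test-Path -LiteralPath $HandlerKey
}

function Get-MsdtHandlerCommand {
    # shell\open\command is what an ms-msdt: URL actually executes.
    $cmdKey = "$HandlerKey\shell\open\command"
    if (Test-Path -LiteralPath $cmdKey) {
        (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
    }
}

function Test-JuneUpdateInstalled {
    # Get-HotFix lists only updates still present; a later cumulative update
    # supersedes these KBs, so $false means "compare the build", not "unpatched".
    $found = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $JunePatches -contains $_.HotFixID }
    [bool]$found
}

function Get-AsrOfficeChildState {
    try { $pref = Get-MpPreference -ErrorAction Stop } catch { return 'Defender not available' }
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrOfficeChildRule) {
            # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
            switch ([int]$actions[$i]) { 1 { return 'Block' } 2 { return 'Audit' } 6 { return 'Warn' } default { return 'Disabled' } }
        }
    }
    'Not configured'
}

function Invoke-MsdtWorkaround {
    # Microsoft's workaround: export the key for later rollback, then delete it.
    if (-not (Test-MsdtHandlerPresent)) { Write-Output 'HKCR\ms-msdt already absent'; return }
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    Write-Output "Removed HKCR\ms-msdt; backup written to $BackupFile"
}

function Undo-MsdtWorkaround {
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup found at $BackupFile" }
    # reg import reports success on stderr, hence the merge into stdout.
    & reg.exe import $BackupFile 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Output 'Restored HKCR\ms-msdt from backup'
}

switch ($Action) {
    'Check' {
        $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{
            Host               = $env:COMPUTERNAME
            # CurrentBuild.UBR is the "OS Build" the advisory quotes (e.g. 19044.1766 for 21H2).
            OSBuild            = "$($nt.CurrentBuild).$($nt.UBR)"
            MsdtHandlerPresent = Test-MsdtHandlerPresent
            HandlerCommand     = Get-MsdtHandlerCommand
            JuneKbPresent      = Test-JuneUpdateInstalled
            AsrOfficeChild     = Get-AsrOfficeChildState
        } | Format-List
    }
    'Mitigate' { Invoke-MsdtWorkaround }
    'Rollback' { Undo-MsdtWorkaround }
}
```

A host is safe from the URL vector when MsdtHandlerPresent is False or OSBuild is at or above the fixed build for its release; JuneKbPresent alone is not a reliable signal on hosts that have moved on to later cumulative updates.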
📡 Detection & Monitoring
Log Indicators:
- Process creation (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled): msdt.exe whose parent is an Office process (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE, OUTLOOK.EXE); the parent may not be WINWORD.EXE when the document is rendered by the Explorer preview pane, so do not key on the parent alone
- msdt.exe command lines containing ms-msdt:, PCWDiagnostic, /skip force, or IT_BrowseForFile, the strings carried by the in-the-wild samples; troubleshooters launched legitimately from Settings run msdt.exe with -id <PackName> and none of these
- sdiagnhost.exe (the scripted-diagnostics host that msdt hands off to) spawning cmd.exe, powershell.exe, or another interpreter; this is the process that actually runs the injected command
- An Office process reading a newly downloaded .docx or .rtf followed within seconds by msdt.exe on the same host
Network Indicators:
- The Office process (not msdt.exe) fetching an HTML page from an external host when the document is opened; the in-the-wild samples pulled the ms-msdt: URL in from a remote HTML file referenced by the document, so proxy logs show winword.exe retrieving .html from recently registered or uncategorised domains
- Second-stage downloads or beaconing from the child of sdiagnhost.exe rather than from msdt.exe itself
- The ms-msdt: scheme never appears as an HTTP request URL; it sits in the body of the fetched HTML, so look for it in content inspection or sandbox output, not in proxy URL logs
SIEM Query:
Process Creation where
  (Image endswith "\msdt.exe" AND ParentImage endswith any of ("\WINWORD.EXE", "\EXCEL.EXE", "\POWERPNT.EXE", "\OUTLOOK.EXE"))
  OR (Image endswith "\msdt.exe" AND CommandLine contains any of ("ms-msdt:", "PCWDiagnostic", "IT_BrowseForFile"))
  OR (ParentImage endswith "\sdiagnhost.exe" AND Image endswith any of ("\cmd.exe", "\powershell.exe", "\pwsh.exe", "\mshta.exe", "\rundll32.exe"))
Tune by excluding msdt.exe launched with -id <PackName> and no ms-msdt: argument; the second and third clauses produce far fewer false positives than the first.
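The three clauses of the query above as a runnable hunting filter. This is an added example, not detection content from Microsoft or from the page's references: Test-FollinaProcessEvent returns a reason string for an event that matches any clause, Find-FollinaEvents runs it over a collection, and Get-SysmonProcessEvents flattens live Sysmon Event ID 1 records into the same three fields. The four sample events are constructed, not real telemetry; the parent-process and interpreter lists and the <redacted payload> placeholder are assumptions to adjust.

```powershell
# Added example (not part of the advisory): hunting filter for CVE-2022-30190 over
# process-creation events (Sysmon Event ID 1 or Security 4688 fields).

# Parents worth flagging when they spawn msdt.exe. explorer.exe is included because the
# RTF variant fires from the Explorer preview pane; expect some benign hits from users
# starting troubleshooters and lean on the command-line clause for confidence.
$SuspiciousParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'explorer.exe')

# Strings seen in the msdt.exe command line of in-the-wild samples. Troubleshooters
# launched from Settings use "-id <PackName>" and carry none of these.
$CommandLineMarkers = @('ms-msdt:', 'PCWDiagnostic', 'IT_BrowseForFile', 'IT_RebrowseForFile')

# Interpreters the injected command is typically run through as a child of sdiagnhost.exe.
$ShellChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'rundll32.exe', 'wscript.exe', 'cscript.exe')

function Get-Leaf([string]$Path) {
    # Lower-cased file name, tolerant of a missing field.
    if ([string]::IsNullOrEmpty($Path)) { return '' }
    [System.IO.Path]::GetFileName($Path).ToLowerInvariant()
}

function Test-FollinaProcessEvent {
    # Returns a reason string when the event matches one of the three clauses, else $null.
    param([Parameter(Mandatory)]$Record)
    $image  = Get-Leaf $Record.Image
    $parent = Get-Leaf $Record.ParentImage
    $cmd    = [string]$Record.CommandLine

    if ($image -eq 'msdt.exe') {
        foreach ($marker in $CommandLineMarkers) {
            if ($cmd -like "*$marker*") { return "msdt.exe command line contains '$marker'" }
        }
        if ($SuspiciousParents -contains $parent) { return "msdt.exe spawned by $parent" }
    }
    if ($parent -eq 'sdiagnhost.exe' -and $ShellChildren -contains $image) {
        return "sdiagnhost.exe spawned $image"
    }
    return $null
}

function Find-FollinaEvents {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $reason = Test-FollinaProcessEvent -Record $e
        if ($reason) {
            [pscustomobject]@{ Reason = $reason; Image = $e.Image; ParentImage = $e.ParentImage; CommandLine = $e.CommandLine }
        }
    }
}

function Get-SysmonProcessEvents {
    # Live input: flatten Sysmon Event ID 1 records into the three fields the filter uses.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Image = $data['Image']; ParentImage = $data['ParentImage']; CommandLine = $data['CommandLine'] }
        }
}

# Constructed sample events (not real telemetry): two true positives, one benign
# troubleshooter launch, one unrelated process.
$SampleEvents = @(
    [pscustomobject]@{ Image       = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_BrowseForFile=<redacted payload>"' }
    [pscustomobject]@{ Image       = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\System32\sdiagnhost.exe'
                       CommandLine = 'cmd.exe /c calc.exe' }
    [pscustomobject]@{ Image       = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Windows\System32\control.exe'
                       CommandLine = 'msdt.exe -id NetworkDiagnosticsWeb' }
    [pscustomobject]@{ Image       = 'C:\Windows\System32\conhost.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = '\??\C:\Windows\system32\conhost.exe 0x4' }
)

Find-FollinaEvents -Events $SampleEvents | Format-Table -AutoSize
# Live hunt on a host running Sysmon:  Find-FollinaEvents -Events (Get-SysmonProcessEvents)
```

On the sample set only the first two events are reported: the Word-spawned msdt.exe matches on the ms-msdt: marker before the parent check is reached, and the cmd.exe child of sdiagnhost.exe matches the third clause; the Settings-launched troubleshooter and the conhost.exe event pass through. For Security 4688 input, map NewProcessName, ParentProcessName, and CommandLine onto the same three fields.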
🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
- http://packetstormsecurity.com/files/167438/Microsoft-Office-Word-MSDTJS-Code-Execution.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-30190