CVE-2022-35743
📋 TL;DR
CVE-2022-35743 is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT, msdt.exe), triggered when MSDT processes a specially crafted diagnostic file or ms-msdt: link. The attacker has to get a user to open a malicious document or diagnostic package, or follow a link to a page that invokes the handler; the attacker's code then runs with that user's privileges. Every Windows version in the list below is affected, and Microsoft fixed the flaw in the August 2022 security updates.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 20H2 by Microsoft
Windows 10 21H1 by Microsoft
Windows 10 21H2 by Microsoft
Windows 11 21H2 by Microsoft
Windows 7 by Microsoft
Windows 8.1 by Microsoft
Windows RT 8.1 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution as the user who opened the file. If that user is a local administrator, or the attacker chains a separate privilege escalation, this becomes full host compromise: credential theft, ransomware deployment, or a persistent backdoor. MSDT itself does not hand the attacker SYSTEM privileges.
Likely Case
Compromise of a standard user account, followed by data exfiltration, credential harvesting from that user's session, and lateral movement within the network.
If Mitigated
The attempt fails because the August 2022 update is installed, the ms-msdt: handler and diagnostic-package associations have been removed, or application control stops msdt.exe from launching under an Office application or browser.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious file or following an ms-msdt: link) but no privileges on the target. Multiple proof-of-concept exploits have been published since disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: August 2022 security updates (Patch Tuesday, 9 August 2022). The KB number depends on the Windows version and is listed per build in the advisory.
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35743
Restart Required: Yes
Instructions:
1. Apply the August 2022 (or any later) cumulative update via Windows Update.
2. In enterprise environments, approve and deploy it through WSUS or Configuration Manager (SCCM).
3. Verify that the installed OS build is at or above the build listed in the advisory, for example with 'wmic qfe list brief /format:table' or PowerShell 'Get-HotFix'.
🔧 Temporary Workarounds
Disable Scripted Diagnostics by Policy
Sets the "Troubleshooting: Allow users to access and run Troubleshooting Wizards" Group Policy to disabled, so msdt.exe refuses to run scripted diagnostics (troubleshooting packs) for any user. It does not remove the ms-msdt: URL protocol handler itself; that is the HKEY_CLASSES_ROOT\ms-msdt key, which should be exported for rollback and then deleted. Run from an elevated prompt:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics" /v "EnableDiagnostics" /t REG_DWORD /d 0 /f
Remove MSDT File Associations
Clears the .diagcab and .diagpkg associations so double-clicking a diagnostic package no longer launches MSDT. Run from an elevated prompt, and record the current value with 'assoc .diagcab' first so it can be restored later; legitimate troubleshooting packs stop working until you do.
assoc .diagcab=
assoc .diagpkg=
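The two workarounds above, applied together with a rollback path, as an added example written for this page (it is not a Microsoft-published script). It assumes an elevated PowerShell session and a writable backup directory (C:\MSDT-Backup by default); the backup path and the -Rollback switch are this example's choices.

```powershell
# Added example: apply or roll back the MSDT workarounds from this page.
# Assumptions: run as Administrator; $BackupDir is writable (path is arbitrary).
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Rollback,
    [string]$BackupDir = 'C:\MSDT-Backup'
)

$protocolKeyReg  = 'HKCR\ms-msdt'                                   # reg.exe syntax
$protocolKeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'            # provider syntax
$policyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$extensions      = '.diagcab', '.diagpkg'
$regBackup       = Join-Path $BackupDir 'ms-msdt.reg'
$assocBackup     = Join-Path $BackupDir 'assoc.txt'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

if (-not $Rollback) {
    # 1. Export, then delete, the ms-msdt: URL protocol handler so documents and
    #    web pages can no longer start msdt.exe through a link.
    if (Test-Path $protocolKeyPath) {
        reg.exe export $protocolKeyReg $regBackup /y | Out-Null
        reg.exe delete $protocolKeyReg /f | Out-Null
    }

    # 2. Disable scripted diagnostics for all users via the policy value the page shows.
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name EnableDiagnostics -Value 0 -Type DWord

    # 3. Record the current associations (e.g. ".diagcab=DiagCabFile"), then clear them.
    foreach ($ext in $extensions) {
        $current = cmd.exe /c "assoc $ext" 2>$null
        if ($current) { Add-Content -Path $assocBackup -Value $current }
        cmd.exe /c "assoc $ext=" | Out-Null
    }
    Write-Host "MSDT workarounds applied; backups written to $BackupDir"
}
else {
    # Reverse the three steps from the saved state.
    if (Test-Path $regBackup) { reg.exe import $regBackup | Out-Null }
    Remove-ItemProperty -Path $policyKey -Name EnableDiagnostics -ErrorAction SilentlyContinue
    if (Test-Path $assocBackup) {
        Get-Content $assocBackup | ForEach-Object { cmd.exe /c "assoc $_" | Out-Null }
    }
    Write-Host 'MSDT workarounds rolled back'
}
```

Run it once without switches before patching, and with -Rollback after the August 2022 update is confirmed installed, so troubleshooting packs work again. Keep the backup directory: the .reg export is the only record of the original ms-msdt handler command.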
🧯 If You Can't Patch
- Block or restrict msdt.exe with AppLocker or Windows Defender Application Control; the binary lives in %SystemRoot%\System32 and %SystemRoot%\SysWOW64
- Enable the Microsoft Defender attack surface reduction rule "Block all Office applications from creating child processes", which stops the document-based vector
- Segment the network to limit lateral movement from a compromised workstation
🔍 How to Verify
Check if Vulnerable:
Compare the installed OS build, including the UBR (the number after the dot shown by 'winver'), with the build the advisory lists for your Windows version; anything below it is vulnerable. Installed updates can be listed with 'wmic qfe list brief /format:table' or PowerShell 'Get-HotFix', but go by the build rather than by a single KB number, since the KB differs per version and later cumulative updates supersede it.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Confirm the August 2022 (or later) cumulative update appears in Windows Update history or in 'wmic qfe get HotFixID,InstalledOn'. Note that 'systeminfo | findstr /B /C:"Hotfix(s)"' prints only the hotfix count, because the KB lines are indented; 'systeminfo | findstr /C:"KB"' shows them.
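A single check that reports the patch state and whether the interim workarounds are in place, as an added example (not from the advisory). The minimum-build table covers only the Windows 10 20H2/21H1/21H2 and Windows 11 21H2 branches, with values taken from the August 2022 cumulative update release notes; confirm them against the MSRC advisory for your build before relying on the result, and add other branches yourself. Any branch not in the table is reported as unknown rather than guessed.

```powershell
# Added example: patch and workaround state for CVE-2022-35743 on the local host.
# Builds below: 19042/19043/19044.1889 = KB5016616, 22000.856 = KB5016629 (August 2022).
# Confirm against the MSRC advisory; branches not listed are returned as $null.
function Get-MsdtPatchState {
    param(
        [hashtable]$PatchedUbr = @{
            '19042' = 1889   # Windows 10 20H2
            '19043' = 1889   # Windows 10 21H1
            '19044' = 1889   # Windows 10 21H2
            '22000' = 856    # Windows 11 21H2
        }
    )
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [string]$cv.CurrentBuild
    $ubr     = [int]$cv.UBR
    $version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # $true/$false when the branch is known, $null when it must be looked up manually.
    $patched = if ($PatchedUbr.ContainsKey($build)) { $ubr -ge $PatchedUbr[$build] } else { $null }

    # Workaround state: URL handler registered? policy set? package associations present?
    $handlerPresent = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    $policy = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics' `
                -Name EnableDiagnostics -ErrorAction SilentlyContinue).EnableDiagnostics
    $assoc = foreach ($ext in '.diagcab', '.diagpkg') {
        $progId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        if ($progId) { "$ext=$progId" }
    }

    [pscustomobject]@{
        Version              = $version
        Build                = "$build.$ubr"
        PatchedForCVE35743   = $patched            # $null = branch not in table
        MsMsdtHandlerPresent = $handlerPresent     # $false after the reg delete workaround
        ScriptedDiagPolicy   = $policy             # 0 = disabled by policy, $null = not set
        DiagAssociations     = ($assoc -join ', ') # empty after the assoc workaround
    }
}

Get-MsdtPatchState | Format-List
# Recently installed updates, for cross-checking the build against the KB history
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

A host is in good shape when PatchedForCVE35743 is $true; until then, MsMsdtHandlerPresent should be $false, ScriptedDiagPolicy 0, and DiagAssociations empty. Windows 7 and 8.1 do not expose the UBR value, so check their update history directly.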
📡 Detection & Monitoring
Log Indicators:
- Process creation events (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) showing msdt.exe started by an Office application, a browser, or explorer.exe opening a file from Downloads, or with an ms-msdt: URI on the command line
- Microsoft Defender Antivirus operational log events 1116 (malware detected) and 1117 (action taken) naming msdt.exe or a .diagcab file
Network Indicators:
- Outbound connections from msdt.exe (Sysmon Event ID 3) to hosts outside the organisation
- Web proxy or e-mail logs showing HTML or Office content containing ms-msdt: URIs, or downloads of .diagcab files
SIEM Query:
Process Name="msdt.exe" AND (CommandLine Contains "ms-msdt:" OR Parent Process Name IN ("WINWORD.EXE","EXCEL.EXE","POWERPNT.EXE","OUTLOOK.EXE","msedge.exe","chrome.exe","firefox.exe"))
Matching only on "-id" or "-af" is too noisy: every legitimate troubleshooter launch from Settings or Help uses those switches, so key the alert on the parent process and the protocol URI instead.
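The triage logic behind that query, run against constructed sample events so it works offline, as an added example written for this page (the events are not real telemetry and the parent-process list and path heuristics are this example's choices, not indicators from an advisory). Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); for Security 4688 map NewProcessName, CommandLine and ParentProcessName the same way.

```powershell
# Added example: flag msdt.exe launches worth investigating.
# Parent list and path checks are heuristics chosen for this example.
$suspiciousParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE',
                     'msedge.exe', 'chrome.exe', 'firefox.exe', 'iexplore.exe'

function Test-SuspiciousMsdt {
    param([Parameter(Mandatory)]$Event)
    if ([IO.Path]::GetFileName($Event.Image) -ne 'msdt.exe') { return $null }
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Office or a browser spawning msdt.exe is the document / lure-page vector.
    $parent = [IO.Path]::GetFileName($Event.ParentImage)
    if ($suspiciousParents -contains $parent) { $reasons.Add("parent $parent") }

    # The real binary lives in System32 or SysWOW64; anything else is a masquerade.
    if ($Event.Image -notmatch '^C:\\Windows\\(System32|SysWOW64)\\msdt\.exe$') {
        $reasons.Add('unexpected image path')
    }

    # An ms-msdt: URI means the protocol handler was used rather than a local troubleshooter.
    if ($Event.CommandLine -match 'ms-msdt:') { $reasons.Add('ms-msdt: URI') }

    # Built-in troubleshooting packs live under %SystemRoot%\diagnostics.
    if ($Event.CommandLine -match '\.diagcab' -and
        $Event.CommandLine -notmatch '\\Windows\\diagnostics\\') {
        $reasons.Add('.diagcab outside %SystemRoot%\diagnostics')
    }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Time        = $Event.UtcTime
        Parent      = $parent
        CommandLine = $Event.CommandLine
        Reasons     = $reasons -join '; '
    }
}

# Constructed sample events (not real telemetry): one benign, two suspicious.
$sample = @(
    [pscustomobject]@{ UtcTime = '2022-08-10 09:14:02'; Image = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -id AudioPlaybackDiagnostic'
        ParentImage = 'C:\Windows\HelpPane.exe' }                                   # troubleshooter from Help
    [pscustomobject]@{ UtcTime = '2022-08-10 09:16:40'; Image = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' } # Word via ms-msdt: URI
    [pscustomobject]@{ UtcTime = '2022-08-10 09:20:11'; Image = 'C:\Windows\System32\msdt.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" -cab C:\Users\alice\Downloads\invoice.diagcab'
        ParentImage = 'C:\Windows\explorer.exe' }                                   # downloaded package opened
)
$sample | ForEach-Object { Test-SuspiciousMsdt $_ } | Format-Table -AutoSize

# Live equivalent against the Sysmon log (assumes Sysmon is installed and logging Event ID 1):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#   ForEach-Object { $x = [xml]$_.ToXml(); $d = @{}
#                    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#                    [pscustomobject]$d } |
#   ForEach-Object { Test-SuspiciousMsdt $_ }
```

Of the three samples only the second and third are reported: the first is a normal troubleshooter launch that the page's original "-id" query would also have alerted on. Tune the parent list to the applications your users actually open untrusted files with.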