QID 91909

Date Published: 2022-05-31

QID 91909: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) Vulnerability (Follina) (Zero Day)

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.

QID Detection Logic (Authenticated):
This QID checks for msdt.exe in Windows\System32 and verifies if the mitigations are applied.

Note: Microsoft has not released any patch or KB numbers yet. Detection will be updated once advisory is updated.

An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.

  • CVSS V3 rated as High - 7.8 severity.
  • CVSS V2 rated as Critical - 9.3 severity.
    • Solution
    Microsoft has not released any patch yet. For more information please refer to CVE-2022-30190Workaround:

    Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system.
    Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f" to disable the MSDT protocol.

    Kindly refer to CVE-2022-30190 for workaround info

    Vendor References

    CVEs related to QID 91909

    CVE-2022-30190 |
    Software Advisories
    Advisory ID Software Component Link
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].