CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Zero-Day Vulnerability in Windows


On Friday, 27 May 2022, the security research group nao_sec identified a malicious document leveraging a zero-day remote code execution (RCE) vulnerability, CVE-2022-30190, in the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability is rated High severity with a CVSS score of 7.8.

The actively exploited vulnerability exists when MSDT is called using the URL protocol from a calling application, such as Microsoft Word. By sending a specially crafted Word document that calls out to a remote URL and downloads a malicious payload, a threat actor could gain persistence and run arbitrary code with the privileges of the calling application.

Note: Successful exploitation requires one of the following conditions:

  • A malicious document (such as .doc and .docx) is opened by a targeted user and “Enable editing” is clicked.

  • A malicious .rtf document is previewed or opened by a targeted user.

Based on the publicly available Proof of Concept (PoC) exploit code and the ease of exploitation, Arctic Wolf assesses this vulnerability to be a high risk and strongly recommends that customers apply the applicable workaround provided by Microsoft promptly.

Recommendations for CVE-2022-30190

Recommendation: Explore Applying Workaround Provided by Microsoft

As of 31 May 2022, there is no patch available from Microsoft to mitigate the vulnerability; however, Microsoft has provided guidance for a workaround.

Note: Arctic Wolf recommends following change management best practices: test the workaround in a development environment before deploying it to production systems.

Review Microsoft’s guidance to apply the workaround to your affected system(s):
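The advisory defers to Microsoft's own guidance for the workaround steps. As an added example that is not part of the original Arctic Wolf advisory, the following PowerShell script implements the registry-based workaround Microsoft published for CVE-2022-30190 (export the HKEY_CLASSES_ROOT\ms-msdt key as a backup, then delete it so the ms-msdt: URL protocol is no longer registered), along with a check mode for verifying fleet state and an undo mode for restoring the key once a patch is available. The backup file location is an assumption; adjust it to your own change-management standard.

```powershell
# Added example (not part of the Arctic Wolf advisory): apply, check, or undo the
# Microsoft-published workaround for CVE-2022-30190 by removing the ms-msdt URL
# protocol handler. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [ValidateSet('Check', 'Apply', 'Undo')]
    [string]$Action = 'Check',
    # Assumed backup location; change to suit your environment.
    [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandlerPresent {
    # The ms-msdt: protocol can only be invoked while this key is registered.
    return (Test-Path -LiteralPath $KeyPath)
}

switch ($Action) {
    'Check' {
        if (Test-MsdtHandlerPresent) {
            Write-Output 'ms-msdt URL protocol handler is REGISTERED: workaround not applied.'
            # Show the command line Windows would launch for an ms-msdt: URL.
            Get-ItemProperty -LiteralPath "$KeyPath\shell\open\command" -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty '(default)'
        } else {
            Write-Output 'ms-msdt URL protocol handler is absent: workaround applied.'
        }
    }
    'Apply' {
        if (-not (Test-MsdtHandlerPresent)) {
            Write-Output 'Key already absent; nothing to do.'
            break
        }
        # Step 1 of Microsoft's guidance: back up the key so the change is reversible.
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupPath)) {
            throw "Backup to $BackupPath failed; refusing to delete the key."
        }
        # Step 2: remove the protocol registration.
        & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg delete failed; check that the session is elevated.' }
        Write-Output "Removed $KeyPath (backup at $BackupPath)."
    }
    'Undo' {
        # Restore the exported key once a vendor patch has been deployed.
        if (-not (Test-Path -LiteralPath $BackupPath)) {
            throw "No backup found at $BackupPath."
        }
        & reg.exe import $BackupPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg import failed; check that the session is elevated.' }
        Write-Output "Restored $KeyPath from $BackupPath."
    }
}
```

Run `.\Disable-MsdtProtocol.ps1 -Action Check` across endpoints to confirm the handler is gone, `-Action Apply` to enact the workaround, and `-Action Undo` after patching. Deleting the key disables MSDT troubleshooter links launched via ms-msdt: URLs, so schedule the change through normal change control as the advisory recommends.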

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.