
CVE-2022-30190 - Updated Guidance for MSDT Remote Code Execution Zero-Day Vulnerability in Windows

On Friday, May 27, the security vendor nao_sec identified a malicious document leveraging a zero-day RCE vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT).

The actively exploited vulnerability exists when MSDT is called using the URL protocol from a calling application, such as Microsoft Word. By sending a specially crafted Word document that calls out to a remote URL and downloads a malicious payload, a threat actor could gain persistence and run arbitrary code with the privileges of the calling application.
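
As an added example that is not part of the Arctic Wolf advisory, the following Python snippet shows detection logic for the calling pattern described above: an Office application launching msdt.exe, or any process launched with an ms-msdt: URL on its command line. The Office process list, the event field names and the sample events are assumptions constructed for this example, not real telemetry.

```python
"""Flag process-creation events consistent with MSDT being invoked through
its URL protocol from a calling application such as Microsoft Word."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: the usual "calling applications" for this vector (lowercase basenames).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# The URL scheme that hands a request to MSDT.
MSDT_URL_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent (creating) process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: ProcessEvent) -> List[str]:
    """Return the detection reasons for one event; an empty list means benign."""
    reasons = []
    if _basename(event.image) == "msdt.exe" and _basename(event.parent_image) in OFFICE_PROCESSES:
        reasons.append("office-app-spawned-msdt")
    if MSDT_URL_RE.search(event.command_line):
        reasons.append("ms-msdt-url-in-command-line")
    return reasons


def find_suspicious(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Pair every flagged event with its reasons."""
    return [(e, classify(e)) for e in events if classify(e)]


# Constructed sample events: one suspicious (Word -> msdt.exe with an ms-msdt: URL),
# one legitimate troubleshooter launch from Explorer, one ordinary Word child process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ms-msdt:/id ConstructedTroubleshooter /param "X=constructed"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe",
                 r'"C:\Windows\splwow64.exe" 12288'),
]
```

Feeding real process-creation telemetry into `classify` only requires mapping your log source's parent image, image and command-line fields onto `ProcessEvent`.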

Note: Successful exploitation requires one of the following conditions:

  • A malicious document (such as a .doc or .docx file) is opened by the targeted user, who then clicks "Enable editing".
  • A malicious .rtf document is previewed or opened by a targeted user.

Based on the publicly available Proof of Concept (PoC) exploit code and the ease of exploitation, Arctic Wolf assesses this vulnerability to be high risk and strongly recommends that you review the recommendations below for guidance on how to best mitigate this vulnerability promptly.

Recommendations for CVE-2022-30190

Recommendation #1: Apply Patch for CVE-2022-30190 to Windows Systems

Our primary recommendation is to apply the Microsoft provided patch for this vulnerability as soon as possible against all affected Windows systems.

Note: Arctic Wolf recommends following change management best practices: test the patch in a development environment before deploying it to production systems.

Patch information for each affected Windows system can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

The patch is available for the following Windows systems:

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 & 2012 R2
  • Windows Server 2008 R2
  • Windows 11
  • Windows 10 (versions 1607, 1809, 20H2, 21H1, 21H2)
  • Windows 8.1
  • Windows 7 Service Pack 1

Recommendation #2: Explore Applying Workaround Provided by Microsoft

If you are unable to apply the patch for CVE-2022-30190 promptly, Microsoft has provided guidance for a workaround that mitigates the vulnerability.

Note: Arctic Wolf recommends following change management best practices: test the workaround in a development environment before deploying it to production systems.

Review Microsoft’s guidance to apply the workaround to your affected system(s).

About the Author

Sule Tatar is a Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.