Follina / CVE-2022-30190: New Microsoft Office zero-day

Security researchers have discovered a new Microsoft Office zero-day vulnerability that is being used in attacks to execute malicious PowerShell commands via the Microsoft Support Diagnostic Tool (MSDT) simply by opening a Word document.


In Microsoft Defender’s Attack Surface Reduction (ASR), activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this vulnerability from being exploited.

Disable the MSDT URL Protocol.

Be sure to make a backup of the registry settings before using this mitigation.
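
The two mitigations above (the ASR rule, and the registry backup followed by disabling the MSDT URL protocol) can be applied and verified in one pass. The script below is an added example, not taken from the original page or from Microsoft's own tooling. It assumes values that do not appear on this page: the protocol handler key `HKEY_CLASSES_ROOT\ms-msdt` and the ASR rule GUID as Microsoft documents them, plus a hypothetical backup folder `C:\RegistryBackups`.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page or from Microsoft.
# Assumed values (not on the page): registry path, ASR rule GUID, backup folder.
$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'              # ms-msdt URL protocol handler
$AsrRuleId  = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'   # "Block all Office applications from creating child processes"
$BackupDir  = 'C:\RegistryBackups'                     # hypothetical location
$BackupFile = Join-Path $BackupDir ('ms-msdt_{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Back up, then remove, the MSDT URL protocol handler.
if (Test-Path "Registry::$KeyPath") {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    # Refuse to delete anything unless a non-empty backup file exists.
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile) -or (Get-Item $BackupFile).Length -eq 0) {
        throw "Backup of $KeyPath failed; the key was left untouched."
    }
    Remove-Item -Path "Registry::$KeyPath" -Recurse -Force
    if (Test-Path "Registry::$KeyPath") { throw "$KeyPath is still present after deletion." }
    Write-Output "MSDT URL protocol disabled. To undo: reg import `"$BackupFile`""
} else {
    Write-Output "$KeyPath is already absent; nothing to back up or remove."
}

# 2. Put the ASR rule in Block mode and read the setting back.
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions Enabled
$prefs   = Get-MpPreference
$ids     = @($prefs.AttackSurfaceReductionRules_Ids)
$actions = @($prefs.AttackSurfaceReductionRules_Actions)
$state   = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $AsrRuleId) { $state = $actions[$i] }   # -eq ignores case for strings
}
Write-Output "ASR rule $AsrRuleId action: $state (1 = Block, 2 = Audit, 0 = Disabled)"
```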

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability by MSRC