top of page

Microsoft Office "Follina" - MSDT Zero Day Code Execution Vulnerability

UPDATE: This vulnerability has now been assigned to CVE-2022-30190 and Microsoft has issued guidance, see reference below.

Application Details

MSDT - (Microsoft Diagnostic Tool) Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.


Japanese security researcher @nao_sec reported on Twitter that they had discovered a zero day exploit inside a malicious Word document. This document loads a HTML file from a remote webserver. The ms-msdt MSProtocol URI is then used to load the code to perform the code execution. Security researcher Kevin Beaumont reported that the exploit works even with Office macros disabled and has deemed the exploit "Follina" (the area code of Follina in Italy is 0438 which is the file reference of the sample) . As more research is being carried out on this exploit we are seeing different payloads being used and will update our information as necessary.


This is an example of a PoC which has been published and contains similar characteristics to others that we have seen:


    window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";


By creating a traffic file and corresponding rule we are able to detect attempts to perform remote code execution on an affected system.


Idappcom has created signature 8022755 along with a traffic file.


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here:


bottom of page