Article: New Microsoft Office Zero-Day ‘Follina’ Exploited in Remote Code Execution Attacks (CVE-2022-30190)

Update 06/15/2022: As a part of June’s Patch Tuesday, Microsoft has just released a patch for this vulnerability. I would highly advise that you update your Windows with the latest set of patches RIGHT NOW!

h0w1tzr’s Commentary: This bug is pretty scary because it doesn’t need any macros to be enabled. It uses the default HTML rendering ability of Office to trigger this vulnerability. Beware of spearphishing attempts going forward.

Security researchers recently discovered a new Microsoft Office zero-day flaw exploited in PowerShell remote code execution attacks. The new vulnerability, tracked as CVE-2022-30190, would let hackers execute malicious PowerShell commands through the Microsoft Diagnostic Tool (MSDT).

Researchers believe the flaw, dubbed “Follina,” has been around for a while, as they traced it back to a Microsoft report made on April 12. The vulnerability leverages Office functionality to download an HTML file, which exploits the MSDT to let attackers execute code remotely on compromised devices.

To make matters worse, Follina works without elevated privileges, can bypass Windows Defender detection, and doesn’t need macro code enabled to run scripts or execute binaries. The flaw was discovered by accident last Friday when security researcher nao_sec stumbled upon a malicious Word document submitted to a virus scanning platform.
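Because the behaviour described above ends with an Office application launching MSDT, process-creation logs give defenders a check that does not depend on macro settings or antivirus verdicts. The following is an added example, not code from the original article: it assumes events exported as one JSON object per line with Sysmon-style `Image` and `ParentImage` fields, and the sample events and the parent watch list are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumed watch list of Office parents; extend it for your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TARGET_CHILD = "msdt.exe"

# Constructed sample export: one process-creation event per line.
SAMPLE_EVENTS = r"""
{"UtcTime":"2022-06-01 09:14:02","Computer":"WS-017","Image":"C:\\Windows\\System32\\msdt.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"UtcTime":"2022-06-01 09:20:41","Computer":"WS-022","Image":"C:\\Windows\\System32\\msdt.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"UtcTime":"2022-06-01 09:31:10","Computer":"WS-017","Image":"C:\\Windows\\splwow64.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
this line was truncated by the log shipper
{"UtcTime":"2022-06-01 10:02:55","Computer":"WS-031","Image":"C:\\Windows\\SysWOW64\\MSDT.EXE","ParentImage":"C:\\Program Files (x86)\\Microsoft Office\\Office16\\EXCEL.EXE"}
{"UtcTime":"2022-06-01 10:05:00","Computer":"WS-040","Image":"C:\\Windows\\System32\\msdt.exe"}
"""


def basename(path):
    """Lower-cased file name of a Windows path; empty string if the field is missing."""
    return PureWindowsPath(path).name.lower() if isinstance(path, str) else ""


def find_office_msdt(lines):
    """Return the events in which an Office application is the parent of msdt.exe."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in the export
        if not isinstance(event, dict):
            continue
        # Compare file names case-insensitively so install path and casing do not matter.
        if (basename(event.get("Image")) == TARGET_CHILD
                and basename(event.get("ParentImage")) in OFFICE_PARENTS):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for e in find_office_msdt(SAMPLE_EVENTS.splitlines()):
        print(f'{e["UtcTime"]} {e["Computer"]}: {e["ParentImage"]} -> {e["Image"]}')
```

MSDT started from `explorer.exe` is not flagged, since the rule keys on the Office parent rather than on MSDT running at all.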
