CVE REFERENCE | HIGH SEVERITY
Active ThreatUpdated 8 min read

CVE-2022-30190 Explained: Follina, the Zero-Click Microsoft Office RCE

A Microsoft Support Diagnostic Tool vulnerability triggered by opening or previewing a Word document. No macros. No user clicks. Full remote code execution from a weaponized .docx file, and no security bar warning.

Sources:Microsoft MSRC|nao_sec Research|CISA KEV|NIST NVD
7.8
CVSS Score
0
Macro prompts required
Preview
Pane can trigger on some configs
2022
Patched June 14 Patch Tuesday

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2022-30190, nicknamed Follina, was discovered by nao_sec researchers on May 27, 2022 and had already been exploited in the wild before discovery, samples date to April 2022.

The vulnerability abuses the ms-msdt:// URI scheme, a Windows protocol handler that launches the Microsoft Support Diagnostic Tool. A specially crafted Office document containing an external OLE template reference forces Word to fetch a malicious HTML file from an attacker-controlled server, which executes an ms-msdt:// URL that runs arbitrary PowerShell code.

What makes Follina uniquely dangerous: it requires no macros. Office documents with macro content display a yellow security bar requiring user acknowledgment. Follina uses OLE template references, a legitimate Office feature, which raises no such warning. On some Windows configurations, simply previewing the file in Windows Explorer's Preview Pane without opening it triggers the exploit.

How the Follina Exploit Chain Works

A malicious .docx file contains an OLE template relationship entry pointing to an external attacker-controlled URL instead of a local template file. When Word opens the document (or Windows Explorer generates a preview), Word fetches the external URL.

The attacker's server returns an HTML file containing a redirect to an ms-msdt:// URI. This URI invokes MSDT.exe with attacker-specified parameters, including an IT_BrowseForFile parameter embedding a PowerShell command. MSDT.exe executes this PowerShell command as the current user with no UAC prompt and no macro warning displayed.

1

Craft Malicious DOCX

Attacker creates a .docx file with an OLE template XML relationship pointing to an attacker-controlled HTTP URL instead of a local template.

2

Victim Opens or Previews Document

Victim opens the document in Word, or previews it in Windows Explorer. No macro warning is displayed, the file appears clean.

3

Word Fetches External Template

Word's template loading code fetches the external URL. The attacker's server returns an HTML file with the payload.

4

HTML Invokes ms-msdt:// URI

The HTML redirects to an ms-msdt:// URI with embedded PowerShell code in the IT_BrowseForFile parameter.

5

MSDT Executes PowerShell as Current User

Windows invokes MSDT.exe, which processes the URI and executes the embedded PowerShell command, achieving code execution with no further user interaction.

Patch and Mitigation for CVE-2022-30190

Microsoft patched Follina on June 14, 2022 as part of Patch Tuesday. Before the patch, Microsoft published a registry-based workaround to disable the ms-msdt:// protocol handler entirely.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

The bottom line

Follina proved that macro security controls, the industry's primary defense against malicious Office documents for two decades, do not cover all Office code execution paths. A legitimate template feature became a zero-click RCE vector. Apply the June 2022 patches, disable the ms-msdt protocol handler as defense-in-depth, and ensure Protected View is enforced and not bypassed by Group Policy exceptions.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is Follina (CVE-2022-30190)?

Follina is an RCE vulnerability in the Microsoft Support Diagnostic Tool (MSDT) triggered via the ms-msdt:// URI scheme embedded in a malicious Office document. No macros are used and no Enable Content prompt appears. In some configurations, previewing the file in Windows Explorer triggers the exploit before the document is fully opened.

How do I fix Follina?

Apply Microsoft's June 2022 patch. As an immediate workaround, disable the MSDT URL protocol: run 'reg delete HKEY_CLASSES_ROOT\ms-msdt /f' from an elevated command prompt. This prevents MSDT from being invoked remotely.

Does disabling macros prevent Follina?

No. Follina does not use macros. It exploits the ms-msdt:// URL handler embedded in the document's XML relationship file. Macro security settings, Protected View, and Attack Surface Reduction rules do not block the primary exploit path.

Why does Protected View not prevent CVE-2022-30190?

Microsoft Office Protected View blocks macros and active content from documents opened from the internet or email attachments. Follina exploits OLE template references, a legitimate Word feature, not macros. The OLE template fetch occurs via Word's template loading mechanism in a different code path from Protected View's active content restrictions. On some Windows configurations, even previewing a Follina-weaponized document in Windows Explorer's Preview Pane triggers the exploit before the file is opened, completely bypassing Protected View. The most effective mitigation is enabling the ASR rule that blocks Office from fetching external OLE templates (GUID 3b576869-a4ec-4529-8536-b80a7769e899).

Can email filtering stop Follina?

Email filtering can remove malicious .docx attachments if the file hash matches known Follina samples. However, the malicious document itself may appear benign since it contains only a legitimate OLE template reference pointing to an external URL with no embedded malware. The payload is fetched from an attacker-controlled URL when the document opens. Sandbox-detonating email security solutions that detonate attachments and observe network connections can detect the malicious outbound fetch. Blocking Office processes from making outbound HTTP connections via ASR rules or endpoint firewall policies is more reliable than signature-based filtering.

Was CVE-2022-30190 exploited by nation-state actors?

Yes. Before the June 14, 2022 patch, multiple threat actor groups exploited Follina. TA413, a Chinese APT targeting Tibetan organizations, was among the first confirmed users. Transparent Tribe (APT36, Pakistani nexus) used Follina in campaigns against Indian government and defense personnel. Multiple European governments also reported targeted exploitation. The variety of threat actors reflects Follina's ease of weaponization: no macros required, no security prompt to dismiss, and the ability to trigger on document preview.

Sources & references

  1. Microsoft MSRC
  2. nao_sec Research
  3. CISA KEV
  4. NIST NVD

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.