CVE-2022-30190: Microsoft Windows Support Diagnostic Tool (MSDT) Remote

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application.

• CISA KEV-listed (remediation due 2022-07-05)
• used in ransomware campaigns
• EPSS 93.6% (99.8% percentile)

Detection rules

• Potential Exploitation Attempt From Office Application high
• Suspicious Set Value of MSDT in Registry (CVE-2022-30190) medium
• File Creation In Suspicious Directory By Msdt.EXE high
• Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE high
• Troubleshooting Pack Cmdlet Execution medium
• Execute Pcwrun.EXE To Leverage Follina high
• Potential Arbitrary Command Execution Using Msdt.EXE high
• Suspicious Cabinet File Execution Via Msdt.EXE medium
• Suspicious MSDT Parent Process high
• Suspicious Outlook Child Process high
• Sdiagnhost Calling Suspicious Child Process high

Browse the CVE database

Read the full analysis on IntelFusions