Cyber Resilience

CVE-2022-30190

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 01 June 2022

Modified: 30 October 2025
KEV Added: 14 June 2022
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.9937 (99.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2022-30190 is a high-severity vulnerability, with an unspecified weakness type, in Microsoft Windows Server 2012. Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

A remote code execution vulnerability exists in the Microsoft Support Diagnostic Tool (MSDT) when it is invoked through its URL protocol handler by another application such as Microsoft Word. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the calling process, enabling actions such as installing programs, viewing or modifying data, and creating accounts within the user's security context. The flaw carries a CVSS 3.1 score of 7.8 and is tracked under CVE-2022-30190.

An attacker can trigger the vulnerability by supplying a malicious document or link that causes the calling application to invoke MSDT via the ms-msdt: URL scheme. No special privileges are required beyond the ability to supply content that the victim opens or interacts with, after which code runs in the context of the targeted application.

Microsoft Security Response Center guidance and the associated security advisory direct administrators to apply the published mitigations, including disabling the MSDT URL protocol handler where feasible and following the specific steps outlined in the MSRC blog entry. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

The associated EPSS score has reached a peak of 0.9746 with a current value of 0.9360, indicating sustained and substantial exploitation interest following disclosure.
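The invocation path described above, an application such as Word starting MSDT through the ms-msdt: scheme, shows up in process-creation telemetry. The following triage sketch is an added example, not code from this page or from Microsoft; the event field names, the list of parent processes beyond Word, and the sample events are assumptions constructed for illustration.

```python
import re

# Assumed set of "calling applications" to watch; the page itself names only Word.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_SCHEME = re.compile(r"ms-msdt\s*:", re.IGNORECASE)

def _exe(path):
    """Lower-cased file name from a quoted or unquoted Windows path."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()

def classify(event):
    """Return the reasons (possibly none) a process-creation event deserves triage."""
    image = _exe(event.get("image", ""))
    parent = _exe(event.get("parent_image", ""))
    via_scheme = bool(MSDT_SCHEME.search(event.get("command_line", "")))
    reasons = []
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        reasons.append("msdt.exe started by " + parent)
    if image == "msdt.exe" and via_scheme:
        reasons.append("msdt.exe invoked through the ms-msdt: URL scheme")
    return reasons

def scan(events):
    """Map event index -> reasons, for events with at least one reason."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

# Constructed sample events (hypothetical field names, placeholder arguments).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": r'"C:\Windows\System32\msdt.exe" ms-msdt:<constructed-arguments>'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": r"msdt.exe /id <constructed-diagnostic-id>"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        print(index, "; ".join(reasons))
```

Only the first sample event is flagged: a user-launched troubleshooter and an unrelated Office child process both pass, which keeps the rule usable on hosts where MSDT is still enabled.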

EU & UK References

Vulnerability details

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.

CWE(s)
KEV Date Added: 14 June 2022

Related Threats

CVEs Like This One

CVE-2021-34527 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2021-40444 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2021-1675 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24985 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24991 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24054 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-26633 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24993 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-59230 · Same product: Microsoft Windows 10 1507 · both on KEV
CVE-2025-24990 · Same product: Microsoft Windows 10 1507 · both on KEV

Affected Assets

Vendor | Product | Affected versions
microsoft | windows 10 1507 | ≤ 10.0.10240.19325
microsoft | windows 10 1607 | ≤ 10.0.14393.5192
microsoft | windows 10 1809 | ≤ 10.0.17763.3046
microsoft | windows 10 20h2 | ≤ 10.0.19042.1766
microsoft | windows 10 21h1 | ≤ 10.0.19043.1766
microsoft | windows 10 21h2 | ≤ 10.0.19044.1766
microsoft | windows 11 21h2 | ≤ 10.0.22000.739
microsoft | windows 7 | all versions
microsoft | windows 8.1 | all versions
microsoft | windows rt 8.1 | all versions
+6 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly supports the registry modification that disables the MSDT URL protocol handler, blocking the invocation path used by this CVE.

prevent: Requires timely application of vendor patches that remediate the MSDT input-processing flaw exploited by CVE-2022-30190.

prevent: Enforces least functionality by removing or disabling unnecessary protocol handlers and diagnostic features that enable the remote code execution vector.

References