CVE-2022-30190
Published: 01 June 2022
Summary
CVE-2022-30190 is a high-severity vulnerability (weakness type unspecified) affecting Microsoft Windows Server 2012. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Deeper analysis
A remote code execution vulnerability exists in the Microsoft Support Diagnostic Tool (MSDT) when it is invoked through its URL protocol handler by another application such as Microsoft Word. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the calling process, enabling actions such as installing programs, viewing or modifying data, and creating accounts within the user's security context. The flaw carries a CVSS 3.1 score of 7.8 and is tracked under CVE-2022-30190.
An attacker can trigger the vulnerability by supplying a malicious document or link that causes the calling application to invoke MSDT via the ms-msdt: URL scheme. No special privileges are required beyond the ability to supply content that the victim opens or interacts with, after which code runs in the context of the targeted application.
Microsoft Security Response Center guidance and the associated security advisory direct administrators to apply the published mitigations, including disabling the MSDT URL protocol handler where feasible and following the specific steps outlined in the MSRC blog entry. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
The associated EPSS score has reached a peak of 0.9746 with a current value of 0.9360, indicating sustained and substantial exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-35396
Vulnerability details
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights. Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.
- CWE(s): (none listed)
- KEV Date Added: 14 June 2022
Mitigating Controls (NIST 800-53 r5)
- CM-6 (Configuration Settings): directly supports the registry modification that disables the MSDT URL protocol handler, blocking the invocation path used by this CVE.
- SI-2 (Flaw Remediation): requires timely application of vendor patches that remediate the MSDT input-processing flaw exploited by CVE-2022-30190.
- CM-7 (Least Functionality): enforces least functionality by removing or disabling unnecessary protocol handlers and diagnostic features that enable the remote code execution vector.
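The CM-6 mitigation above is a registry change that unregisters the ms-msdt: protocol handler. The following PowerShell script is an added example for auditing and applying that change on a Windows host; it is not taken from this CVE record or from Microsoft's guidance. It assumes the handler is registered at HKEY_CLASSES_ROOT\ms-msdt, the standard location for Windows URL protocol handlers; that path is not stated on this page, so confirm it against the MSRC blog entry for your Windows version. The script takes a registry backup before deleting anything and honours -WhatIf, so it can be run first in audit mode.

```powershell
# Added example (not from the CVE record): audit and optionally disable the
# ms-msdt: URL protocol handler referenced by the CM-6 mitigation for CVE-2022-30190.
# Assumption: the handler lives under HKEY_CLASSES_ROOT\ms-msdt, as Windows URL
# protocol handlers normally do. Verify against vendor guidance before use.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProtocolKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt',
    [string]$BackupPath  = "$env:TEMP\ms-msdt-backup.reg"
)

function Get-MsdtHandlerState {
    # Reports whether the handler is registered and which command it would launch,
    # which is the detection half of the control: an absent key means the
    # invocation path used by the CVE is already closed.
    param([string]$Key)
    if (-not (Test-Path -Path $Key)) {
        return [pscustomobject]@{ Registered = $false; Command = $null }
    }
    $cmdKey  = Join-Path -Path $Key -ChildPath 'shell\open\command'
    $command = if (Test-Path -Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { $null }
    return [pscustomobject]@{ Registered = $true; Command = $command }
}

function Disable-MsdtHandler {
    # Exports the key to a .reg file, then deletes it. The backup makes the
    # configuration change reversible once the vendor patch (SI-2) is in place.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Key, [string]$Backup)
    $nativeKey = $Key -replace '^Registry::', ''   # reg.exe needs the hive path, not the PSDrive form
    if ($PSCmdlet.ShouldProcess($nativeKey, 'Export backup and delete protocol handler key')) {
        & reg.exe export $nativeKey $Backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $nativeKey failed; not deleting." }
        Remove-Item -Path $Key -Recurse -Force
        Write-Output "Deleted $nativeKey (backup written to $Backup)."
    }
}

$state = Get-MsdtHandlerState -Key $ProtocolKey
if ($state.Registered) {
    Write-Output "ms-msdt handler is registered; it launches: $($state.Command)"
    Disable-MsdtHandler -Key $ProtocolKey -Backup $BackupPath
} else {
    Write-Output 'ms-msdt handler is not registered (mitigation already applied or handler absent).'
}
```

Run it as an administrator with -WhatIf to see what would be removed without changing anything; run it without -WhatIf to apply the change. Restoring the handler later is a matter of importing the backup .reg file.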