• Language chooser
    • USA (English)
    • France (Français)

virus logo Outbreak Alert

Microsoft MSDT Follina Vulnerability

Released: May 31, 2022

Download PDF »

MSDT Follina

High Severity

Microsoft Vendor

Vulnerability Type

A 0-day Windows MSDT Vulnerability

A vulnerability on Microsoft Support Diagnostic Tool (MSDT) in Microsoft Windows has been spotted in the wild that allows remote code execution. Learn More »

Common Vulnerabilities and Exposures

CVE-2022-30190

Background

A cybersecurity researcher from nao_sec spotted a vulnerability on a Microsoft Word document uploaded in VirusTotal. The document abuses the MSDT URI scheme to download and run malicious payload. The document references "0438" which is an area code for Follina municipality in Italy.

Threat Radar Overall Score:
CVSS Rating 7.0
FortiRecon Score 95/100
Known Exploited Yes
Exploit Prediction Score 97.14%
FortiGuard Telemetry 16

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


May 30, 2022: Microsoft released a security update at
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190


May 30, 2022: Microsoft posted a guidance at
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

May 30, 2022: The Hacker News published an article at
https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT

  • AV

  • AV (Pre-filter)

  • IPS

DETECT

  • Outbreak Detection

  • Threat Hunting

  • Content Update

RESPOND

  • Assisted Response Services

  • Automated Response

RECOVER

  • NOC/SOC Training

  • End-User Training

IDENTIFY

  • Attack Surface Hardening

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.


Loading ...

Indicators of compromise Indicators of compromise
IOC Indicator List
Indicator Type Status
31.192.105.28 ip Active
193.142.59.169 ip Active
172.86.75.49 ip Active
185.70.184.44 ip Active
193.109.69.52 ip Active
73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com domain Active
146.0.77.15 ip Active
193.142.59.152 ip Active
160.20.145.111 ip Active
45.77.185.151 ip Active
osendata.com domain Active
84.32.188.96 ip Active
146.70.79.117 ip Active
frge.io domain Active
172.105.235.94 ip Active
84.32.188.29 ip Active
185.64.106.39 ip Active
710faabf217a5cd3431670558603a45edb1e01970f2a871... file Active
195.58.49.68 ip Active
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2... file Active
42502d2a-e7ed-4a16-9f11-33ffe6c54021.usrfiles.com domain Active
45.77.19.75 ip Active
4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9fee... file Active
87.251.64.5 ip Active
domtern.com domain Active
710370f6142d945e142890eb427a368bfc6c5fe13a963f9... file Active
fe300467c2714f4962d814a34f8ee631a51e8255b9c0710... file Active
exchange.oufca.com.au domain Active
https://www.sputnikradio.net/radio/news/3134.html url Active
https://www.xmlformats.com/office/word/2022/wor... url Active
sputnikradio.net domain Active
xmlformats.com domain Active
cssformats.com domain Active
http://xmlformats.com/office/word/2022 url Active
http://xmlformats.com/office/word/2022/wordproc... url Active
http://xmlformats.com/office/word/2022/wordproc... url Active
141.105.65.149 ip Active
3206fe87e2874db37239d64779c1f504cfca528cef8f5c2... file Active
52945af1def85b171870b31fa4782e52 file Active
d1fe26b84043ac11fa5ddb90906e6d56 file Active
8e986c906d0c6213f80d0224833913fa14bc4c15c047766... file Active
coolrat.xyz domain Active
e8f0a2f79a91587f1d961d6668792e74985624d652c7b47... file Active
http://109.248.59.74/ url Active
http://141.98.215.99/ url Active
miniformats.com domain Active
109.248.59.74 ip Active
141.98.215.99 ip Active
1d2e14a5b728a225123c12a1bbd29fca644e92c88777242... file Active
1efa37c4b29cbe15b910c7b7820dec06c21728ec9700de8... file Active
2dc9f4206245a600456b35f8f405e2b84a028cbaaba0252... file Active
4cb8bc2e115b515185f35d2b230c891da5464fb5541e163... file Active
5d76896dcd50526c71d93085d1f88bb61fd86c1e51630bf... file Active
66a1d2b11ff96785b5664c5b975b3391d3f9d452dec40bd... file Active
70d12cd5e42d5faa2b52ef7fb664a0f3ec4a409d74b58e3... file Active
755d0649ab649f4857c0cc2a6fdcc775c8163b92821048a... file Active
76d0866107cb1e4925c2cad870993841baee85d7ec351f7... file Active
7d1eb5c2fada6244999e34e88116412fa013eb705816dbf... file Active
8ffbc29a27cfd7d19a4016be844a6df8ae6a9c5e75dede1... file Active
98f248207a403f914babbe5966aae7082b5c1974ab0af69... file Active
ad9cc6e86f35fa43f1c884188d9bf44321c547365ab2367... file Active
bdbe5423a7732b60b836042f9fd2f21449ed7547b060680... file Active
e2dab95e79baf57b4d0b61aacb7c25b40340bbaf3be080d... file Active
fc55c4610194548c40b9cd0a1a36ea01a1319dcab66951c... file Active
http://159.75.19.3:8000/index.html url Active
http://coolrat.xyz/Client.exe url Active
http://coolrat.xyz/Loading.html url Active
708b-27-122-14-41.ap.ngrok.io domain Inactive
ef75-27-122-14-41.ap.ngrok.io domain Active
https://708b-27-122-14-41.ap.ngrok.io/index.html url Active
https://ef75-27-122-14-41.ap.ngrok.io/index.html url Active
https://212.138.130.24:9443/authenticationendpo... url Active
248296cf75065c7db51a793816d388ad589127c40fddef2... file Active
4dda59b51d51f18c9071eb07a730ac4548e36e0d14dbf00... file Active
http://212.138.130.8/ url Active
http://212.138.130.8/analysis.html url Active
http://212.138.130.24:9443/authenticationendpoi... url Active
212.138.130.24 ip Active
4fdec1c9111132a7f57fabfa83a6b7f73b3012d9100a790... file Active
http://www.xmlformats.com/ url Active
4f643bf57abe70e3c4ed64f05167da5d6c35f2dac1d7fda... file Active
f531a7c270d43656e34d578c8e71bc39 file Active
tibet-gov.web.app domain Active
d61d70a4d4c417560652542e54486beb37edce014e34a94... file Active
https://exchange.oufca.com.au/owa/auth/15.1.237... url Active
oufca.com.au domain Active
159.75.19.3 ip Active
159.75.19.3:8000 ip Active
212.138.130.24:9443 ip Active
7908d7095ed1cde36b7fd8f45966fc56f0b72ca131121fd... file Active
7fafbd8d6b15279ca377d5d871ecb108284fc28f905b734... file Active
cf2f412ea94253358d3b2a4eebdf2067c6952b1921f0cb7... file Active
https://nod-update.it/check-updates/c/updates/u... url Active
https://nod-update.it/getsearchresults url Active
https://nod-update.it/ms-msdt.exe url Active
https://nod-update.it/siteindex/b/ url Active
nod-update.it domain Active
http://palau.voipstelecom.com.au/robots.txt url Active
http://palau.voipstelecom.com.au/favicon.svg url Active
http://palau.voipstelecom.com.au/Sevntx64.exe url Active

References

Sources of information in support and relation to this Outbreak and vendor.


CISA

Learn More »
Threat Signal

Learn More »
About FortiGuard Outbreak Alerts

Learn More »