CVE-2022-30190 Detection: Updates on Microsoft Windows RCE Vulnerability

CVE-2022-30190 aka Follina

Let’s start with a short rundown of developments regarding Windows zero-day vulnerability (CVE-2022-30190), aka Follina.

Back in April 2022, a research team known under the moniker CrazymanArmy warned Microsoft of a new zero-day RCE vulnerability in one of their products. The tech corporation opted not to address the issue at that point. On May 27, 2022, this RCE vulnerability in Windows was publicly disclosed, known to affect Microsoft Support Diagnostic Tool (MSDT), starting to make waves in the cybersecurity community. As of May 31, 2022, this Windows vulnerability is finally acknowledged and tracked as CVE-2022-30190, yet it is still not officially referred to as a zero-day by Microsoft.

Detect CVE-2022-30190

Follow the updates of detection content related to CVE-2022-30190 (aka Follina) in the Threat Detection Marketplace repository of the SOC Prime Platform. Harnessing the power of collaborative cyber defense, SOC Prime Team has recently released a batch of dedicated Sigma rules for CVE-2022-30190 detection:

Sigma rules to detect exploitation attempts of CVE-2022-30190 vulnerability

Smash the View Detections button to access an exhaustive list of relevant detection content associated with Follina zero-day vulnerability and tagged accordingly. Aspiring and experienced threat hunters can challenge their knowledge and skills in the area of threat detection by joining the Threat Bounty Program.

View Detections Join Threat Bounty

CVE-2022-30190 Description

On May 30, 2022, Microsoft released an advisory on CVE-2022-30190, along with the guide from their Security Response Center, offering temporary workarounds until the fixes are released.

The moniker of this RCE vulnerability, affecting MSDT, springs from the name of the original weaponized Word sample uploaded to VirusTotal, which included a 0438 number combination. A security researcher Kevin Beaumont assigned the name Follina as he recognized the number since it also stands for a dialing code for the area of comune Follina in Italy.

At the moment, there are no patches to fix the bug, so adversaries can exploit even the latest Office versions. The affected Microsoft product, MSDT, is, unfortunately, a large and attractive playground for threat actors, so it is highly recommended to keep a finger on the pulse of CVE-2022-30190 developments and scan your environment for possible exploitation attempts.

For more details on this vulnerability, please refer to the CVE-2022-30190 analysis released on the SOC Prime blog on May 30, 2022.

Test the content streaming capabilities and help your organization empower daily SOC operations with detection content developed by security leaders. Keep the finger on the pulse of the fast-paced environment of cybersecurity risks and get the best detection solutions with SOC Prime.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts