This forum post is to notify you about a zero-day vulnerability reported in the Microsoft Support Diagnostic Tool (MSDT), tracked as CVE-2022-30190. First reported by the independent security research team nao_sec, the flaw has been dubbed Follina.
Remote Code Execution
As per MSRC's blog,
"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights."
Microsoft has published a workaround that mitigates the vulnerability by disabling the MSDT URL protocol: the ms-msdt protocol handler key under HKEY_CLASSES_ROOT is backed up and then deleted, so Office and other applications can no longer launch MSDT through an ms-msdt: link. Note that this also disables the troubleshooters that rely on MSDT until the key is restored. Refer here for more info.
To detect the affected endpoints:
1) Log in to the Vulnerability Manager Plus web console.
2) Navigate to Threats > Software Vulnerabilities
3) Search for CVE-2022-30190 to find the affected systems.
4) Under the Affected Systems column, you'll get a total count of systems affected by this vulnerability.
5) Clicking on it will reveal the affected systems.
To mitigate the vulnerability:
Download the mitigation script from here.
Rename the downloaded file so that it has a .bat extension (for example, <file_name>.bat).
Run the script from an elevated (Administrator) Command Prompt on each affected system. Because the workaround removes the ms-msdt: protocol handler, keep the registry backup the workaround creates so the key can be restored once Microsoft's security update for CVE-2022-30190 has been installed.
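For admins who want to check endpoint state outside the console or apply the Microsoft-documented workaround by hand, the following PowerShell script is an added example; it is not the Vulnerability Manager Plus mitigation script and not Microsoft's code. It checks whether the ms-msdt: protocol handler is still registered (the condition that leaves a system exposed), applies the workaround with a registry backup, and can revert it. The backup path and the script name used in the usage note are assumptions; change them as needed.

```powershell
# Added example (not the vendor's mitigation script): check, apply, or revert the
# Microsoft-documented workaround for CVE-2022-30190 (Follina), which removes the
# ms-msdt: URL protocol handler from HKEY_CLASSES_ROOT.
# Run from an elevated PowerShell session for -Action Mitigate / Revert.
[CmdletBinding()]
param(
    [ValidateSet('Check', 'Mitigate', 'Revert')]
    [string]$Action = 'Check',
    # Assumed backup location; any writable path works.
    [string]$BackupFile = "$env:SystemDrive\ms-msdt-backup.reg"
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtProtocolRegistered {
    # True when the ms-msdt: handler still exists, i.e. the workaround is NOT applied.
    return (Test-Path -LiteralPath $KeyPath)
}

function Assert-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated (Administrator) PowerShell session.'
    }
}

switch ($Action) {
    'Check' {
        if (Test-MsdtProtocolRegistered) {
            Write-Output "$env:COMPUTERNAME : ms-msdt: handler is registered; workaround NOT applied"
        } else {
            Write-Output "$env:COMPUTERNAME : ms-msdt: handler absent; workaround applied"
        }
    }
    'Mitigate' {
        Assert-Elevated
        if (-not (Test-MsdtProtocolRegistered)) {
            Write-Output 'Nothing to do: the ms-msdt key is already absent.'
            return
        }
        # Back up first so the handler can be restored after the security update is installed.
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
            throw "Backup to $BackupFile failed; refusing to delete the key."
        }
        & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
        if (Test-MsdtProtocolRegistered) {
            throw 'Deletion failed; the ms-msdt key is still present.'
        }
        Write-Output "Workaround applied; registry backup saved to $BackupFile"
    }
    'Revert' {
        Assert-Elevated
        if (-not (Test-Path -LiteralPath $BackupFile)) {
            throw "Backup file $BackupFile not found; cannot restore the ms-msdt key."
        }
        & reg.exe import $BackupFile | Out-Null
        if (-not (Test-MsdtProtocolRegistered)) {
            throw 'Import did not restore the ms-msdt key.'
        }
        Write-Output 'ms-msdt: handler restored from backup.'
    }
}
```

Usage (script name assumed): `.\Msdt-Workaround.ps1 -Action Check` to report whether the handler is still registered, `.\Msdt-Workaround.ps1 -Action Mitigate` to apply the workaround, and `.\Msdt-Workaround.ps1 -Action Revert` to put the key back after patching. The script refuses to delete the key if the backup did not succeed, and confirms the registry state after each change rather than trusting the exit code alone.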