Skip to main content

CVE-2022-30190 - MSDT RCE

Download With Dependencies

This pack handles MSDT RCE CVE-2022-30190, aka Follina vulnerability, a 0-day exploit in Microsoft MSDT protocol handler

This pack is part of the Rapid Breach Response pack.

On May 27th, a new Microsoft Office Zero-Day was discovered by Nao_sec.

The new Zero-Day is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word.

On May 30th, Microsoft assigned CVE-2022-30190 to the MSDT vulnerability, aka Follina vulnerability.

This playbook includes the following tasks:

  • Collect detection rules.
  • Exploitation patterns hunting using Cortex XDR - XQL Engine and 3rd party SIEM products.
  • Cortex XDR BIOCs coverage.
  • Provides Microsoft workarounds and detection capabilities.

More information:

Prevention, Hunting and Playbooks for MSDT Zero-Day (CVE-2022-30190)

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2022-30190 - MSDT RCE




Cortex XSOARCortex XSIAM


CertificationRead more
Supported ByCortex
CreatedMay 31, 2022
Last ReleaseMay 2, 2023

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.