Press Release

Comment on Follina Zero Day Vulnerability from Claire Tills, Senior Research Engineer, Tenable

“Over the weekend, researchers began discussing a zero-day remote code execution vulnerability that can be exploited via Microsoft Office documents, a favored vector for threat actors. On Monday, Microsoft released some official details for CVE-2022-30190, noting that the RCE impacted its Microsoft Windows Diagnostic Tools, but did not release any patches. Microsoft has provided a mitigation recommendation.

“The RCE appears to have been exploited as far back as April, and recently came to broad public attention after a researcher began investigating a malicious sample on VirusTotal. Over the weekend, multiple researchers reproduced the issue and determined that it is a “zero click” exploit, meaning that no user interaction is required. Given the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue.

“Because this is a zero click exploit, there isn’t as much individual users can do; however, a healthy dose of skepticism goes a long way. Users should always be suspicious of attachments from untrusted sources.”

A list of Tenable plugins to detect the workaround for this vulnerability can be found here.
