CVE-2022-30190

Vulnerability updated 7 months ago (2024-05-04T19:12:34.566Z)
CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk flaw in the Microsoft Support Diagnostic Tool that allows remote code execution. This zero-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it shortly after its discovery and publication. TA413's exploitation begins with a spear-phishing email carrying a malicious Excel spreadsheet attachment; when the attachment is opened, the vulnerability is used to download an MSI package from a remote server.

Throughout the first half of 2022, TA413 not only exploited this vulnerability but also leveraged a now-patched zero-day vulnerability in the Sophos Firewall product (CVE-2022-1040), and employed a newly observed custom backdoor known as LOWZERO in campaigns specifically targeting Tibetan entities. In June 2022 the group changed approach and began using an exploit for the Follina vulnerability in place of malicious VBA code.

The Follina vulnerability has been widely exploited and carries a high CVSS score of 7.8, indicating its severity. It has been used in various attack vectors, including being weaponized within a Microsoft Office document to drop the Woody Rat malware. Alongside the PrintNightmare vulnerability (CVE-2021-34527), Follina's exploitation has been reported extensively, highlighting the significant security risk it poses to Microsoft users.
Description last updated: 2024-05-04T16:36:48.400Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias: Follina
Description: Follina is a possible alias for CVE-2022-30190. Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product,
Votes: 9
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Vulnerability, Exploit, Microsoft, Exploits, exploited
Associated Malware
Alias: Lokibot
Description: The Lokibot Malware is associated with CVE-2022-30190. LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Association Type: Unspecified
Votes: 2
Associated Threat Actors
Alias: APT28
Description: The APT28 Threat Actor is associated with CVE-2022-30190. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)
Association Type: Unspecified
Votes: 2
Associated Vulnerabilities
Alias: Log4Shell
Description: The Log4Shell Vulnerability is associated with CVE-2022-30190. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized
Association Type: Unspecified
Votes: 3

Alias: Proxyshell
Description: The Proxyshell Vulnerability is associated with CVE-2022-30190. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT ac
Association Type: Unspecified
Votes: 3