Threats / Microsoft / CVE-2022-30190
CVE-2022-30190
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Microsoft Windows vulnerability
Remote code execution in Microsoft Windows MSDT when invoked via URL protocol from applications like Word, allowing attackers to execute code with caller privileges.
Verdict
Today item, not a backlog item.
A URL protocol handler vulnerability enabling remote code execution through document-based attack vectors. Exploitation requires user interaction but offers direct code execution at application privilege level, making it suitable for widespread campaigns.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Public proof-of-concept exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
57 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-06-14), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.99374 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Microsoft, Windows. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-610 CWE-610.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
WeaknessCWE-610 · CWE-610
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft a malicious document or web link containing a specially formatted URL that invokes MSDT through the URL protocol handler.
Business
Users receive seemingly legitimate documents or links that appear benign but trigger code execution when opened.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I distribute the malicious content via email, messaging, or web hosting to reach target organizations at scale.
Business
Attack surface expands across email gateways and web browsing, affecting multiple users without requiring sophisticated delivery infrastructure.
3
Lateral reach — past segmentation narrative 3
Attacker
When a user opens the document in Word or clicks the link, MSDT executes my payload with the privileges of the calling application.
Business
Attackers gain initial access to systems with user-level or application-level privileges, establishing footholds for lateral movement.
4
Data at risk — exfiltration narrative 4
Attacker
I use this execution context to deploy ransomware, steal credentials, or establish persistent access mechanisms.
Business
Organizations face data exfiltration, encryption attacks, and extended remediation efforts across compromised endpoints.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05