Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

The Windows zero-day vulnerability identified as Follina and CVE-2022-30190 is being exploited in an increasing number of attacks, including by a Chinese APT group.

The Windows zero-day vulnerability identified as Follina and CVE-2022-30190 is being exploited in an increasing number of attacks, including by a Chinese APT group.

The existence of the flaw, which can be exploited for remote code execution, came to light on May 27, when a malicious document exploiting it was spotted in the wild. The vulnerability was dubbed Follina by researcher Kevin Beaumont, one of the first members of the cybersecurity community to analyze the exploit.

The security hole is related to the Microsoft Support Diagnostic Tool (MSDT), with the exploit being triggered when the targeted user opens a specially crafted document.

While a patch has yet to be released, Microsoft noted that Protected View, a feature designed to block these types of attacks, should protect users. However, researchers determined that if the attacker delivers the exploit as an RTF file, the exploit is triggered when a preview of the file is viewed in Explorer, and Protected View does not step into action.

Huntress warned in a blog post that threat actors can exploit the flaw to “elevate their own privileges and potentially gain ‘god mode’ access to the affected environment.”

Microsoft has known about the vulnerability since April, when it was notified by a member of Shadow Chaser Group, a research team focusing on APT hunting and analysis.

The researcher who informed Microsoft said the tech giant initially classified it as “not a security related issue,” despite being warned that a sample exploiting it had been seen in the wild. After a different researcher reported seeing a document exploiting the vulnerability on May 27, Microsoft assigned it a CVE, released mitigation guidance, and confirmed that it is an actively exploited zero-day vulnerability.

Exploitation works against Office Pro Plus, Office 2013, Office 2016, Office 2019 and Office 2021, but some evidence suggests Microsoft may have been trying to address the issue before its existence was made public.

An increasing number of files exploiting the Follina vulnerability have been found in the wild. Exploitation appears to have started in April, with users in India and Russia being targeted in attacks leveraging various themes, including interview requests and extortion.

Proofpoint reported on Tuesday that a threat actor tracked as TA413, which was previously linked to China, has exploited the vulnerability in its attacks on the Tibetan community. TA413 has targeted Tibet for years and the attacks involving the Follina zero-day use the “Women Empowerments Desk” of the Central Tibetan Administration as a lure.

The SANS Institute has also discovered a document exploiting CVE-2022-30190 to deliver malware. The file’s name is written in Chinese and translates to “Mobile phone room to receive orders – channel quotation – the lowest price on the whole network.”

Official patches are not available, but there are workarounds and mitigations, both from Microsoft and the cybersecurity community. Security firms have updated their products to detect attacks, but as more information and PoC exploits become available, there will likely be more exploitation attempts.

The US Cybersecurity and Infrastructure Security Agency (CISA) is advising organizations to review the guidance from Microsoft.

In his blog post on Follina, Beaumont pointed out that there have been several events leading up to this moment over the past couple of years. Research describing how MSDT can be abused for code execution was published in August 2020 and March 2022. In addition, in 2021, Microsoft stealthily patched a similar vulnerability in Teams.

Related: Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.