IRONSMITHINTEL
HIGH | CVSS 7.8 | Actively Exploited | CISA KEV | CVE-2022-30190 | Auth: none — opening a document sufficient | Reboot: not required | Est. 20 minutes (Office update, no reboot required) | Manual only

KB5014678: Windows 10, Windows 11 +3 more Security Update (June 2022)

A malicious Word document executes arbitrary code via the ms-msdt URI handler without macros — works even in Protected View via the Preview Pane. Apply KB5014699; exploited by TA413 and Sandworm before a patch was available.

Published Jun 14, 2022 · Updated May 29, 2026
Why patch (risk explained in plain English)

Worst-case scenario (if unpatched)

Attackers can execute arbitrary code with the permissions of the user who previews or opens the document. In corporate environments this typically means code execution as a domain user, which can be combined with privilege escalation to move laterally. The attack does not require enabling macros, bypassing a key user-awareness control.

How the attack works (no clicks needed)

Word documents can embed an OLE object that references a remote HTML file. The HTML file triggers the ms-msdt URI handler which passes attacker-controlled parameters to MSDT. The MSDT process executes a PowerShell payload with the privileges of the user who opened the document. Macros do not need to be enabled; the attack works via the Preview Pane.
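
A defender-side triage check for the document structure described above, as an added example that is not part of the original page. The function names, the 1 MB size guard and the sample are assumptions of this example; the relationship part path and the `oleObject` relationship type come from the Office Open XML package format, not from this page. Legitimate documents can also link external objects, so a hit is a reason to inspect the file, not a verdict.

```powershell
# Added example, not from the original page: triage check for DOCX files.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-ExternalOleRelationship {
    # Returns relationships in a .rels part that are OLE objects hosted outside the package.
    param([Parameter(Mandatory)][string]$RelsXml)

    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit   # input is untrusted
    $settings.XmlResolver = $null
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader($RelsXml)), $settings)
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.Load($reader) } finally { $reader.Dispose() }

    foreach ($rel in $doc.DocumentElement.ChildNodes) {
        if ($rel.LocalName -ne 'Relationship') { continue }
        if ($rel.GetAttribute('TargetMode') -eq 'External' -and
            $rel.GetAttribute('Type') -like '*/relationships/oleObject') {
            [pscustomobject]@{ Id = $rel.GetAttribute('Id'); Target = $rel.GetAttribute('Target') }
        }
    }
}

function Get-DocxExternalOle {
    # Reads word/_rels/document.xml.rels from a DOCX (a ZIP package) and checks it.
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $zip = [System.IO.Compression.ZipFile]::OpenRead($full)
    try {
        $entry = $zip.GetEntry('word/_rels/document.xml.rels')
        if (-not $entry -or $entry.Length -gt 1MB) { return }   # skip missing or oversized parts
        $sr = New-Object System.IO.StreamReader($entry.Open())
        try { $xml = $sr.ReadToEnd() } finally { $sr.Dispose() }
        Find-ExternalOleRelationship -RelsXml $xml |
            ForEach-Object { [pscustomobject]@{ File = $full; Id = $_.Id; Target = $_.Target } }
    }
    finally { $zip.Dispose() }
}

# Constructed sample .rels content (not taken from any real document).
$sample = @'
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="https://example.invalid/page.html" TargetMode="External"/>
</Relationships>
'@
Find-ExternalOleRelationship -RelsXml $sample
```

To sweep a mail quarantine or file share, pipe `Get-ChildItem -Filter *.docx -Recurse` into `Get-DocxExternalOle -Path $_.FullName`.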

Am I affected? (quick check)

Probably yes if any of these apply:

All Windows endpoints running Office
Workstations processing untrusted documents
RDS/Citrix sessions opening Office files
Running Office 2013, 2016, 2019, 2021; Microsoft 365 Apps — all versions prior to June 2022 update

Affected OS versions

Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Fixed in: KB5014678, KB5014692, KB5014697, KB5014699, KB5014702, KB5014710, KB5014738, KB5014741, KB5014742, KB5014746, KB5014747, KB5014748 (applies to 35 product versions) — build 10.0.10240.19325, 10.0.14393.5192+

Real-world incidents (what we've seen)

Follina was first disclosed on May 27, 2022, with an active exploitation sample. TA413 (a Chinese APT) was observed delivering malicious DOCX files targeting Tibetan organisations. Russian GRU-affiliated Sandworm used Follina against European government targets in the weeks before the June 2022 patch. The name "Follina" comes from the Italian town in the malware sample's path.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5014678

Manual remediation steps

20 minutes (Office update, no reboot required)

Apply the Microsoft Security Update

Microsoft has released an official security update that fixes this vulnerability.

Required KB Updates

    KB5014678 — https://support.microsoft.com/help/5014678
    KB5014692 — https://support.microsoft.com/help/5014692
    KB5014697 — https://support.microsoft.com/help/5014697
    KB5014699 — https://support.microsoft.com/help/5014699
    KB5014702 — https://support.microsoft.com/help/5014702
    KB5014710 — https://support.microsoft.com/help/5014710
    KB5014738 — https://support.microsoft.com/help/5014738
    KB5014741 — https://support.microsoft.com/help/5014741
    KB5014742 — https://support.microsoft.com/help/5014742
    KB5014746 — https://support.microsoft.com/help/5014746
    KB5014747 — https://support.microsoft.com/help/5014747
    KB5014748 — https://support.microsoft.com/help/5014748

Supersedes: KB5013941, KB5013942, KB5013943, KB5013944, KB5013952, KB5013963, KB5014011, KB5014012, KB5014017

Affected Products

    Windows 10 Version 1607 for 32-bit Systems
    Windows 10 Version 1607 for x64-based Systems
    Windows 10 Version 1809 for 32-bit Systems
    Windows 10 Version 1809 for ARM64-based Systems
    Windows 10 Version 1809 for x64-based Systems
    Windows 10 Version 20H2 for 32-bit Systems
    Windows 10 Version 20H2 for ARM64-based Systems
    Windows 10 Version 21H1 for 32-bit Systems
    Windows 10 Version 21H1 for ARM64-based Systems
    Windows 10 Version 21H1 for x64-based Systems
    Windows 10 Version 21H2 for 32-bit Systems
    Windows 10 Version 21H2 for ARM64-based Systems
    Windows 10 Version 21H2 for x64-based Systems
    Windows 10 for 32-bit Systems
    Windows 10 for x64-based Systems
    Windows 11 version 21H2 for ARM64-based Systems
    Windows 11 version 21H2 for x64-based Systems
    Windows 7 for 32-bit Systems Service Pack 1
    Windows 7 for x64-based Systems Service Pack 1
    Windows 8.1 for 32-bit systems
    (…15 more product versions)

Fixed Build Numbers

    10.0.10240.19325
    10.0.14393.5192
    10.0.17763.3046
    10.0.19042.1766
    10.0.19043.1766
    10.0.19044.1766
    10.0.20348.770
    10.0.22000.739
    6.1.7601.25984
    6.2.9200.23736
    (…1 more builds)

Installation Methods

Windows Update (recommended)

1. Settings → Windows Update → Check for updates
2. The security update is offered if your system is in scope
3. Restart when prompted — a reboot IS required to complete the install

Microsoft Update Catalog (manual download)

1. Open https://catalog.update.microsoft.com
2. Search for KB5014678
3. Download the package matching your OS architecture and Windows build
4. Run the .msu installer with administrator privileges
5. Restart when prompted

WSUS / SCCM / Intune

Approve KB5014678 for the affected products in your update management console.

Microsoft Download Center Links

    https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5014678
    https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5014692
    https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5014697
    https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5014699
    https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5014702
    (…7 more)

Verification

Confirm the update is installed:

Get-HotFix | Where-Object { $_.HotFixID -in @('KB5014678','KB5014692','KB5014697','KB5014699','KB5014702','KB5014710','KB5014738','KB5014741','KB5014742','KB5014746','KB5014747','KB5014748') }
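
Get-HotFix lists only the packages actually installed, so a host that received a later cumulative update instead of one of these KBs returns nothing even though it carries the fix. The added example below (not from the original page) compares the running build and update revision against the 10.0.x entries under Fixed Build Numbers above; the function name `Test-FollinaFixedBuild` and its three result strings are assumptions of this example.

```powershell
# Added example, not from the original page.
# Minimum update revision (UBR) per build, copied from "Fixed Build Numbers" above.
# Only the 10.0.x entries shown on the page are included; the 6.1/6.2 entries are
# left out of this check, and the page elides one further build.
$FixedRevision = @{
    10240 = 19325
    14393 = 5192
    17763 = 3046
    19042 = 1766
    19043 = 1766
    19044 = 1766
    20348 = 770
    22000 = 739
}

function Test-FollinaFixedBuild {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Revision
    )
    # Builds that are not in the table cannot be judged from this page alone.
    if (-not $FixedRevision.ContainsKey($Build)) { return 'NotListed' }
    if ($Revision -ge $FixedRevision[$Build]) { return 'AtOrAboveFixedBuild' }
    return 'BelowFixedBuild'
}

# Read the running build and revision from the registry and report the result.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Build        = "10.0.$($cv.CurrentBuildNumber).$($cv.UBR)"
    Status       = Test-FollinaFixedBuild -Build ([int]$cv.CurrentBuildNumber) -Revision ([int]$cv.UBR)
}
```

A `NotListed` result means the build is absent from the table on this page; check it against the MSRC entry in the references.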

References

    Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
    KB article: https://support.microsoft.com/help/5014678
    KB article: https://support.microsoft.com/help/5014692
    KB article: https://support.microsoft.com/help/5014697
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-30190
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-30190

Discovery Credit

crazyman with Shadow Chaser Group


CVEs in this update (1 fix) · Patch-to-CVE mapping

Patch ID | CVE ID | Vulnerability Name / Type | CVSS | Reference
KB5014678 | CVE-2022-30190 | Microsoft Support Diagnostic Tool (MSDT) — msdt.exe | 7.8 | NVD
