Severity: HIGH | CVSS 7.8 | Actively Exploited | CISA KEV | CVE-2022-30190 | Auth: none (opening a document is sufficient) | Reboot: not required | Est. 20 minutes (Office update, no reboot required) | Manual only

KB5014699: Microsoft Office Security Update — MSDT Remote Code Execution (June 2022)

A malicious Word document executes arbitrary code via the ms-msdt URI handler without macros, and it works even in Protected View via the Preview Pane. Apply KB5014699. TA413 and Sandworm exploited the flaw before a patch was available.

Published Jun 14, 2022 · Updated May 10, 2026
Why patch · Risk explained in plain English
Worst-case scenario · If unpatched

Attackers can execute arbitrary code with the permissions of the user who previews or opens the document. In corporate environments this typically means code execution as a domain user, which can be combined with privilege escalation to move laterally. The attack does not require macros to be enabled, so it bypasses a key user-awareness control.

How the attack works · No clicks needed

Word documents can embed an OLE object that references a remote HTML file. The HTML file triggers the ms-msdt URI handler, which passes attacker-controlled parameters to MSDT. The MSDT process executes a PowerShell payload with the privileges of the user who opened the document. Macros do not need to be enabled; the attack works via the Preview Pane.

Am I affected? · Quick check

Probably yes if any of these apply:

All Windows users with Office
IT Security
SOC Analysts
Running Office 2013, 2016, 2019, 2021; Microsoft 365 Apps — all versions prior to June 2022 update

Affected OS versions

Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Fixed in: KB5014699 (June 2022 Security Update)
Real-world incidents · What we've seen

Follina was first disclosed on May 27, 2022, with an active exploitation sample. TA413 (a Chinese APT) was observed delivering malicious DOCX files targeting Tibetan organisations. Russian GRU-affiliated Sandworm used Follina against European government targets in the weeks before the June 2022 patch. The name "Follina" comes from the Italian town in the malware sample's path.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5014699

Manual remediation steps

20 minutes (Office update, no reboot required)

Immediate Mitigation — Disable MSDT URI Handler

# Run in an elevated PowerShell session
# Back up the registry key
reg export HKEY_CLASSES_ROOT\ms-msdt "$env:USERPROFILE\Documents\msdt-backup.reg"

# Delete the ms-msdt URI handler
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

# Verify it is gone
reg query HKEY_CLASSES_ROOT\ms-msdt 2>&1
# Expected: ERROR: The system was unable to find the specified registry key.

Apply the Patch (KB5014699)

1. Click-to-Run: File > Account > Update Options > Update Now
2. MSI: Apply KB5014699 from Windows Update or Microsoft Update Catalog

After Patching — Restore MSDT URI Handler

# Restore the registry key (required for Microsoft support tooling)
reg import "$env:USERPROFILE\Documents\msdt-backup.reg"

Verify Patch Applied

1. Outlook: File > Office Account > About (version must be >= 16.0.15225.20288)
2. Or check Windows Update history for KB5014699
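
The mitigation, patch, restore and verify steps above leave each host in one of four states. The following Python is an added example, not code from this page or from Microsoft: it triages a constructed inventory using the page's build threshold and KB id. The `Host` record, its field names, the host names and the older build numbers are assumptions.

```python
from dataclasses import dataclass

MIN_OFFICE_BUILD = "16.0.15225.20288"  # threshold from "Verify Patch Applied"
PATCH_KB = "KB5014699"
@dataclass(frozen=True)
class Host:  # hypothetical inventory record; field names are assumptions
    name: str
    office_build: str           # as shown under File > Office Account > About
    installed_kbs: frozenset    # KB ids from Windows Update history
    msdt_handler_present: bool  # True if HKEY_CLASSES_ROOT\ms-msdt exists

def parse_build(text):
    """Dotted build string -> tuple of ints, or None when it is not numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (AttributeError, ValueError):
        return None

def is_patched(host):
    build = parse_build(host.office_build)
    # Compare numerically: as plain strings "16.0.9126.2000" sorts ABOVE the threshold.
    build_ok = build is not None and build >= parse_build(MIN_OFFICE_BUILD)
    return build_ok or PATCH_KB in host.installed_kbs

def triage(host):
    patched = is_patched(host)
    if patched and host.msdt_handler_present:
        return "patched"
    if patched:  # handler was deleted as mitigation and never re-imported
        return "patched: restore ms-msdt handler from backup"
    if not host.msdt_handler_present:
        return "mitigated: handler removed, patch pending"
    return "exposed: apply mitigation and patch"

# Constructed sample inventory (host names and the older builds are made up).
INVENTORY = [
    Host("ws-01", "16.0.15225.20288", frozenset(), True),
    Host("ws-02", "16.0.9126.2000", frozenset(), True),
    Host("ws-03", "16.0.14326.20962", frozenset(), False),
    Host("ws-04", "16.0.14326.20962", frozenset({PATCH_KB}), False),
    Host("ws-05", "unknown", frozenset(), True),  # unreadable build: no patch evidence
]

def report(inventory=INVENTORY):
    return {host.name: triage(host) for host in inventory}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```

A build string that cannot be parsed is treated as no evidence of patching, so that host stays in the exposed list until the KB or a valid build is confirmed.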
PowerShell automation · Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update · 1 fix · Patch-to-CVE mapping
Patch ID | CVE ID | Vulnerability Name / Type | CVSS | Reference
KB5014699 | CVE-2022-30190 | Microsoft Support Diagnostic Tool (MSDT), msdt.exe | 7.8 | NVD