Microsoft Office zero-day exploited in PowerShell attacks (31st May 2022)

Ref# AL2022_34 | Date: May 31st 2022

Description 

A new Microsoft Office zero-day vulnerability is being exploited in attacks that abuse the Microsoft Support Diagnostic Tool (MSDT) to execute malicious PowerShell commands when a user merely opens a Word document. 

Summary   

On Monday, May 30, 2022, Microsoft published guidance for a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. The flaw is tracked as CVE-2022-30190 and affects all Windows versions still receiving security updates (Windows 7 and later, Windows Server 2008 and later). 

How it works

A remote code execution vulnerability exists when MSDT is invoked through its URL protocol (ms-msdt:) from a calling application such as Word. An attacker who successfully exploits this flaw can run arbitrary code with the privileges of the calling application. Within the limits of the user's permissions, the attacker can then install programs; view, change, or delete data; or create new accounts. 

Workarounds   

Administrators and users should disable the MSDT URL protocol. Disabling it prevents troubleshooters from being launched as links, including links throughout the operating system; this is the mechanism malicious actors use to start troubleshooters and run code on vulnerable systems. 

To disable the MSDT URL Protocol 

  • Run Command Prompt as Administrator. 

  • To back up the registry key, execute the command: reg export HKEY_CLASSES_ROOT\ms-msdt filename 

  • Execute the command: reg delete HKEY_CLASSES_ROOT\ms-msdt /f 

How to undo the workaround 

  • Run Command Prompt as Administrator. 

  • To restore the registry key from the backup taken earlier, execute the command: reg import filename 

Microsoft Defender Antivirus 1.367.719.0 or newer also includes detections for exploitation of this vulnerability under the following signatures: 

Trojan:Win32/Mesdetty.A 

Trojan:Win32/Mesdetty.B 

Behavior:Win32/MesdettyLaunch.A 

Behavior:Win32/MesdettyLaunch.B 

Behavior:Win32/MesdettyLaunch.C 
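The workaround and its reversal described above, together with a check that the Defender signature version meets the minimum listed, as a PowerShell script. This is an added example and not part of the original advisory or of Microsoft's guidance; the backup location ($BackupPath), the function names, and the decision to refuse deletion when the export fails are assumptions made here. The signature check uses the Get-MpComputerStatus cmdlet from the Defender module that ships with Windows.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original advisory): back up, disable, verify and
# restore the ms-msdt: URL protocol handler (CVE-2022-30190 workaround).

$RegKey     = 'HKEY_CLASSES_ROOT\ms-msdt'           # form expected by reg.exe
$KeyPath    = "Registry::$RegKey"                   # form expected by Test-Path
$BackupPath = "$env:ProgramData\ms-msdt-backup.reg" # assumed backup location

function Test-MsdtProtocolEnabled {
    # $true while the handler is registered, i.e. the workaround is NOT applied.
    Test-Path -LiteralPath $KeyPath
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return
    }
    # Export first so the change can be reverted once the patch is installed.
    & reg.exe export $RegKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupPath)) {
        throw "Backup to $BackupPath failed; refusing to delete the key."
    }
    & reg.exe delete $RegKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed.' }
    if (Test-MsdtProtocolEnabled) { throw 'Key is still present after delete.' }
    Write-Host "ms-msdt handler removed; backup saved to $BackupPath"
}

function Restore-MsdtProtocol {
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        throw "No backup found at $BackupPath"
    }
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
    if (-not (Test-MsdtProtocolEnabled)) { throw 'Key not present after import.' }
    Write-Host 'ms-msdt handler restored.'
}

function Test-DefenderSignatureCoverage {
    # $true when the installed Defender signatures are at least the version
    # the advisory names as carrying the Mesdetty detections.
    $minimum   = [version]'1.367.719.0'
    $installed = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    $installed -ge $minimum
}

# Usage (dot-source this file from an elevated session, then call):
#   Disable-MsdtProtocol            # apply the workaround
#   Test-DefenderSignatureCoverage  # confirm signature-based detection is available
#   Restore-MsdtProtocol            # undo the workaround after patching
```

Run the script from an elevated PowerShell session. Disable-MsdtProtocol deliberately stops if the export does not produce a file, so a key is never deleted without a copy to import later; Test-MsdtProtocolEnabled gives a quick way to audit whether a given host still has the handler registered.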

Remediation  

It is advised to ensure that all devices are updated with the most recent patches as they become available. For further information on this vulnerability, see: 

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.    
