📄 Description (English)
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability — A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application.
🤖 AI Executive Summary
CVE-2022-30190 is a critical remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) that allows attackers to execute arbitrary code through malicious documents or URLs. The vulnerability has a CVSS score of 9.0 and is actively exploited in the wild, particularly through weaponized Word documents. Immediate patching is essential for all Windows-based systems across Saudi organizations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 21, 2026 21:47
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk to Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), healthcare organizations, and energy sector (ARAMCO and subsidiaries). The attack vector through Office documents makes it particularly dangerous for organizations relying on email-based workflows. Telecom operators (STC, Mobily, Zain) and financial services are at highest risk due to widespread Windows deployment and document-sharing practices. Supply chain attacks targeting Saudi enterprises through compromised documents represent a critical threat.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Petroleum
Telecommunications
Education
Manufacturing
Retail and E-commerce
🎯 MITRE ATT&CK Techniques
T1566.001 - Phishing: Spearphishing Attachment
T1566.002 - Phishing: Spearphishing Link
T1204.001 - User Execution: Malicious Link
T1204.002 - User Execution: Malicious File
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1106 - Native API
T1053.005 - Scheduled Task/Job: Scheduled Task
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Deploy Microsoft security updates KB5014666 (Windows 10/11) or equivalent patches immediately across all systems
2. Block MSDT URL protocol handlers (ms-msdt://) at email gateways and web proxies
3. Disable MSDT if not required: Set registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableCMD to 1
4. Implement application whitelisting to restrict MSDT execution
DETECTION RULES:
- Monitor for ms-msdt:// protocol invocations in process creation logs
- Alert on Word/Excel spawning cmd.exe or powershell.exe
- Block email attachments with embedded ms-msdt:// links
- Monitor registry modifications to MSDT-related keys
COMPENSATING CONTROLS (if patching delayed):
- Disable Office macros via Group Policy
- Restrict document opening from untrusted sources
- Implement network segmentation for critical systems
- Deploy EDR solutions with behavioral detection for MSDT exploitation patterns
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. نشر تحديثات أمان Microsoft KB5014666 (Windows 10/11) أو التصحيحات المكافئة فورًا عبر جميع الأنظمة
2. حظر معالجات بروتوكول MSDT (ms-msdt://) على بوابات البريد الإلكتروني والوكلاء
3. تعطيل MSDT إذا لم يكن مطلوبًا: تعيين السجل HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableCMD إلى 1
4. تطبيق القائمة البيضاء للتطبيقات لتقييد تنفيذ MSDT
قواعد الكشف:
- مراقبة استدعاءات بروتوكول ms-msdt:// في سجلات إنشاء العمليات
- تنبيه عند قيام Word/Excel بإنشاء cmd.exe أو powershell.exe
- حظر مرفقات البريد الإلكتروني التي تحتوي على روابط ms-msdt:// مضمنة
- مراقبة تعديلات السجل المتعلقة بمفاتيح MSDT
الضوابط البديلة (إذا تأخر التصحيح):
- تعطيل وحدات Office الماكرو عبر Group Policy
- تقييد فتح المستندات من مصادر غير موثوقة
- تطبيق تقسيم الشبكة للأنظمة الحرجة
- نشر حلول EDR مع الكشف السلوكي لأنماط استغلال MSDT
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information Security Policies
ECC 2024 A.8.1.1 - User Endpoint Devices
ECC 2024 A.8.2.1 - Privileged Access Rights
ECC 2024 A.12.2.1 - Change Management
ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Asset Management
SAMA CSF PR.IP-12 - Software, Firmware, and Information Integrity
SAMA CSF PR.PT-2 - Removable Media Protection
SAMA CSF DE.CM-8 - Malware Detection
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Information Security for Supplier Relationships
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.12.2 - Change Management
ISO 27001:2022 A.12.6 - Management of Technical Vulnerabilities
🟣 PCI DSS v4.0
PCI DSS 6.2 - Security Patches and Updates
PCI DSS 6.4.6 - Public-Facing Web Applications
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Microsoft:Windows