Security News > 2022 > May > Windows MSDT zero-day now exploited by Chinese APT hackers

Chinese-linked threat actors are now actively exploiting a Microsoft Office zero-day vulnerability to execute malicious code remotely on Windows systems.
This Microsoft Windows Support Diagnostic Tool remote code execution flaw impacts all Windows client and server platforms still receiving security updates.
The TA413 APT group, a hacking outfit linked to Chinese state interests, has adopted this vulnerability in attacks against their favorite target, the international Tibetan community.
As observed on May 30 by Proofpoint security researchers, they're now using CVE-2022-30190 exploits to execute malicious code via the MSDT protocol when targets open or preview Word documents delivered in ZIP archives.
You can block attacks exploiting CVE-2022-30190 by disabling the MSDT URL protocol malicious actors abuse to launch troubleshooters and execute code on vulnerable systems.
Today, CISA also urged admins and users to disable the MSDT protocol on their Windows devices after Microsoft reported active exploitation of this vulnerability in the wild.
News URL
Related news
- Chinese hackers breach US local governments using Cityworks zero-day (source)
- Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws (source)
- Microsoft: Windows CLFS zero-day exploited by ransomware gang (source)
- Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824) (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool (source)
- Chinese hackers target Russian govt with upgraded RAT malware (source)
- Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool (source)
- Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach (source)
- Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-06-01 | CVE-2022-30190 | Unspecified vulnerability in Microsoft products A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. | 0.0 |