Follina. Unpatched Microsoft Office zero-day vulnerability exploited in the wild


A zero-day vulnerability in Microsoft Office is being exploited in boobytrapped Word documents to remotely execute code on victims’ PCs.

The vulnerability, which is dubbed “Follina” and appears to exploit how Office products work with MSDT (Microsoft Diagnostics Tool), was initially brought to the public’s attention by Japanese security researchers on Twitter three days ago, and can be exploited even if macros are disabled in Microsoft Office.

It’s believed that the flaw was initially reported to Microsoft’s security response team on April 12 2022, after Word documents – which pretended to be from Russia’s Sputnik news agency offering recipients a radio interview – were found to abuse the flaw.


Nine days later, Microsoft appears to have decided that the flaw did not represent a security issue, and declared the issue closed.

Unfortunately, that seems to have been a poor decision by Microsoft’s security team.

Security researcher Kevin Beaumont reports that the vulnerability works on the latest versions of Microsoft Office, even when fully patched.


Worryingly, it has also been found that it’s possible to exploit the vulnerability even in “zero click” situations, requiring no user interaction other than previewing a boobytrapped file.

The name “Follina” was chosen for the vulnerability by Beaumont after he spotted that a sample of a malicious document uploaded to VirusTotal contained the numerical string “0438” as part of its filename. 0438 is the telephone area code for the municipality of Follina, northwest of Venice, in Italy.

Proof, if you ever needed it, that it can be hard coming up with the name of a vulnerability.

Organisations may be able to defend themselves from attack, while they wait for an official patch from Microsoft, by tweaking their computers’ Registry keys to unregister the ms-msdt protocol. Although, who knows what else that will break.
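The workaround described above can be scripted so that it is reversible if something does break. The following is an added example, not taken from this article or from Microsoft: it assumes the handler is registered at HKEY_CLASSES_ROOT\ms-msdt (the standard location for Windows URL protocol handlers), and the backup directory is a hypothetical default.

```powershell
# Added example: back up, then unregister, the ms-msdt URL protocol handler.
# Assumption: the handler lives at HKEY_CLASSES_ROOT\ms-msdt.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical backup location; change to suit your environment.
    [string]$BackupDir = "$env:ProgramData\ms-msdt-backup"
)

$regPath = 'HKEY_CLASSES_ROOT\ms-msdt'   # form used by reg.exe
$keyPath = "Registry::$regPath"          # form used by the PowerShell provider

# Nothing to do if the handler has already been removed.
if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Output 'ms-msdt protocol handler is not registered; nothing to do.'
    return
}

# Deleting the machine-wide registration needs an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Record what the handler currently launches, for the change log.
$cmdKey = "$keyPath\shell\open\command"
if (Test-Path -LiteralPath $cmdKey) {
    $handler = (Get-Item -LiteralPath $cmdKey).GetValue('')
    Write-Output "Current handler command: $handler"
}

# Export the key first so the change can be undone with 'reg import'.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ('ms-msdt-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $regPath $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) {
    throw 'Backup failed; the handler has been left in place.'
}

# Remove the handler only once a verified backup exists.
if ($PSCmdlet.ShouldProcess($regPath, 'Remove URL protocol handler')) {
    Remove-Item -LiteralPath $keyPath -Recurse -Force
    Write-Output "Removed $regPath. Restore with: reg import `"$backupFile`""
}
```

Running it with `-WhatIf` takes the backup and reports what would be removed without deleting anything.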

Anyway, it’s Memorial Day in the United States today. So I doubt many people are listening, let alone defending their computers from potential attack.

The good news is that, so far at least, exploitation of the flaw appears to be limited. Nonetheless, it would be good if Microsoft could fix this sooner rather than later.

For more information and possible mitigations, be sure to check out the blog posts by Kevin Beaumont and security firm Huntress.



Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.
