Any updates on CVE-2022-30190 for detection in the Insight Agent?

1 Like

Is this already been added to the Database for manual scans as well?

Our team is currently working on a vulnerability check for CVE-2022-30190, so I can share more here once it’s fully tested and released. :+1:

In the meantime, we’ve got a blog post up here with some more details on this vulnerability. We’ll post additional info there as we have it, as well.

Hi Holly! From the console, I see the check exists - is this the check you’re referring to being worked on or is a separate one being added? Currently shows no instances for me, but I don’t want to have a false sense of security if the check hasn’t been fully implemented yet. Thanks!

1 Like

Hey Justin! Yesterday evening, we pushed a content release for InsightVM that includes our new authenticated check for this CVE. This is the check I was referring to previously, so if you use that in your scans, you should be able to determine whether any instances exist in your environment.

We’ve updated the blog post linked above to note the release of this new check, along with some additional guidance if you happen to also use InsightIDR.

1 Like

Thanks so much for the quick response, Holly! Just want to verify - will this authN check be covered by the agent or does it require an external, authN scan from a scan engine?

We have the same question.

1 Like

Holly would this be covered in the agent scan as well or only in the authenticated scans from the scan engines?


This check is available for the Insight agent as well, so you are able to use the agent for detecting this vulnerability.

There’s actually a handy way you can confirm the availability of a vulnerability check in InsightVM. A team member shared this with me and I figured it could be helpful for others.

If you get the ID of a vulnerability by searching the CVE in InsightVM (in this case, it’s msft-cve-2022-30190), you can then:

  1. In InsightVM, go to Administration > Maintenance, Storage and Troubleshooting > Run Security Console Commands
  2. In the textbox, enter show vuln msft-cve-2022-30190
  3. Click Execute

You should get a “response” that states the total number of vulnerability checks available in your instance. If that check does exist, the last column in the table called “Plugin Tags” may also have some additional info that tells you what type of check is available. In this case, if you’re fully up-to-date with the recent content release for CVE-2022-30190, you would see tags for “authenticated” and “agent”, which lets you know that you can perform the check with the agent and with authenticated scans.


Sooo awesome!

1 Like

Thank you so much for the help!

1 Like

Awesome, thank you for this share!

Got a question on this. I see the vuln popping all across the environment, including servers. Yet, the servers don’t have office installed and it seems like IVM is just looking for the status of the registry key and not considering whether or not Office is installed. Am I seeing this wrong or are these just false positives?

1 Like

Following…I see this too

CVE-2022-30190 is not an Office vulnerability, but a Windows vulnerability.

Microsoft just use Word as an example on how this can be exploited.

The check is following the vendor guidance, and is likely to change when the vendor guidance changes. But for now, with the official information available, these will be true positives.

Understood that it was msdt/Windows. Was trying to get clarification on the attack vector here. If Office was the requirement, then that changes things. Has anyone done a successful POC with Libre Office/Open Office etc yet? Or any other attack vectors for that matter.

The official advisory does not state Office as a requirement, rather an example attack vector.

For more information on the vulnerability, and in depth analysis, check out the write up on AttackerKB CVE-2022-30190 | AttackerKB

Once the mitigation efforts in place, when does a actual patch(remediation comes out) is there something else that needs to be done?

There is no information about what a patch may or may not entail. Those kind of questions will need to go to Microsoft.

Rapid7 will be following this, and will update the check and guidance as appropriate following any official vendor update.