Malicious actors are using a previously undisclosed zero-day, zero-click vulnerability in Microsoft Office to execute PowerShell commands without user interaction, according to security researchers.
The vulnerability – discovered by security researcher nao_sec on 27 May and later dubbed CVE-2022-30190 by Microsoft – leverages the Microsoft Diagnostic Tool (MSDT), which is used to execute the PowerShell code after calling a HTML file from a remote URL.