CVE-2022-34713 — Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability

Microsoft Windows MSDT — DogWalk: Path Traversal Enabling RCE via Malicious .diagcab File

What is the Windows Support Diagnostic Tool (MSDT)?

The Microsoft Support Diagnostic Tool (MSDT) is a Windows utility that allows the operating system and support personnel to collect diagnostic information. It supports the ms-msdt:// URL protocol handler, enabling applications and web pages to invoke diagnostic workflows. MSDT became a prominent attack surface in 2022, first via Follina (CVE-2022-30190), which exploited MSDT via Word documents, and then via DogWalk (CVE-2022-34713), which exploited it via .diagcab diagnostic cabinet files.

Overview

CVE-2022-34713, nicknamed DogWalk, is a path traversal vulnerability in the Windows MSDT that allows a malicious .diagcab (diagnostic cabinet) file to place an executable in the Windows Startup folder. When a user opens the crafted .diagcab file, the malicious executable is silently dropped to the Startup directory — and executes the next time the user logs in. DogWalk was originally reported to Microsoft in January 2020 and initially declined as "not a security vulnerability"; it was patched in August 2022 after public pressure following Follina.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 7 SP1 | Yes | August 2022 CU |
| Windows Server 2008 R2 | Yes | August 2022 CU |
| Windows 10 (all versions) | Yes | August 2022 CU |
| Windows 11 | Yes | August 2022 CU |
| Windows Server 2012 – 2022 | Yes | August 2022 CU |

Technical Details

The Windows MSDT diagnostic cabinet format (.diagcab) packages diagnostic scripts and resources. DogWalk exploits a path traversal flaw in how MSDT extracts and processes files from the cabinet:

  • Mechanism: A crafted .diagcab file includes a resource with a relative path traversal (../../) that causes MSDT to write a file outside the intended extraction directory — specifically into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  • Execution: The file is not executed immediately; it runs the next time the user logs in to Windows
  • Attack delivery: Delivered as an email attachment, download link, or embedded in a web page leveraging browser download and automatic extraction
  • User interaction: Required — the victim must open the .diagcab file; Windows does not warn that .diagcab files can be dangerous
  • CVSS note: The score's "Local" attack vector reflects that the file must be executed locally; in practice, remote delivery via email or web is trivial

DogWalk is distinct from Follina (CVE-2022-30190) but shares the same MSDT attack surface. Follina triggered MSDT from Word documents via the ms-msdt:// URL protocol; DogWalk uses the cabinet file extraction path.
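
The class of flaw described above, shown as an added illustration (not MSDT's code and not part of the original page): a containment check an extractor can apply to each resource name before writing it. The extraction root, user name and resource names are constructed for the example.

```python
import ntpath  # Windows path rules, usable on any host OS

# Constructed extraction directory; not MSDT's real working path.
EXTRACT_ROOT = r"C:\Users\alice\AppData\Local\Temp\SDIAG_demo"

def resolve(root, name):
    """Target a naive extractor writes to: join, then collapse '..' segments."""
    return ntpath.normpath(ntpath.join(root, name))

def is_contained(root, name):
    """True only when the resolved target stays under the extraction root."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    target = ntpath.normcase(resolve(root, name))
    # Require a separator after the root so a sibling directory such as
    # SDIAG_demo_x cannot pass a bare prefix comparison.
    return target.startswith(root_n + "\\")

def rejected(root, names):
    """Resource names an extractor should refuse, with their resolved targets."""
    return [(n, resolve(root, n)) for n in names if not is_contained(root, n)]

# Constructed resource names: two benign, three that leave the root.
SAMPLE_NAMES = [
    "TS_Main.ps1",
    r"scripts\..\RS_Fix.ps1",
    r"..\..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe",
    r"..\SDIAG_demo_x\TS_Main.ps1",
    r"D:\drop\example.exe",
]

if __name__ == "__main__":
    for name, target in rejected(EXTRACT_ROOT, SAMPLE_NAMES):
        print(f"REFUSE {name!r} -> {target}")
```

The check compares resolved paths rather than searching the name for `..`, so a harmless `scripts\..\RS_Fix.ps1` is accepted while a drive-qualified name that replaces the root entirely is refused.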

Discovery

The vulnerability was first discovered and reported to Microsoft in January 2020 by security researcher imre (Twitter: @j00sean). Microsoft initially assessed the issue as not meeting the security servicing bar. The vulnerability regained public attention in May–June 2022 alongside the Follina zero-day, with Kevin Beaumont (DoublePulsar) publishing renewed analysis. Microsoft reversed course and patched it in August 2022.

Exploitation Context

CISA added CVE-2022-34713 to KEV on the same day as the August 2022 Patch Tuesday patch, indicating confirmation of active exploitation in the wild. The .diagcab file delivery vector is effective because:

  • Windows does not display a security warning when a .diagcab file is downloaded
  • The Startup folder persistence mechanism is stealthy — no visible effect until next login
  • The file extension is obscure enough that many users and email security products do not flag it

Remediation

  1. Apply the August 2022 Patch Tuesday cumulative update for your Windows version
  2. If immediate patching is not possible, block .diagcab file execution via file type restriction rules in email gateways and endpoint security tools
  3. Disable the MSDT URL protocol handler as a workaround (note: this also disables Follina mitigation): reg delete "HKEY_CLASSES_ROOT\ms-msdt" /f
  4. Block the MSDT protocol in browser settings and email security policies
  5. Review Windows Startup folders for unexpected executables: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
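
One way to support the Startup folder review in step 5 and catch the write before the next login, as an added example that is not part of the original page: triage file-creation telemetry for writes into a Startup folder. The records are constructed and use Sysmon Event ID 11 field names (`Image`, `TargetFilename`); treating `msdt.exe` as the writer and the extension list are assumptions.

```python
import ntpath  # Windows path rules, usable on any host OS

# Matches the per-user and all-users Startup folders after lowercasing.
STARTUP_SUFFIX = "\\microsoft\\windows\\start menu\\programs\\startup"
MSDT_IMAGES = {"msdt.exe"}  # assumption: writer process named per the page
RISKY_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".lnk"}

# Constructed Sysmon Event ID 11 (FileCreate) records, trimmed to the fields used.
ROAMING = r"C:\Users\alice\AppData\Roaming"
EVENTS = [
    {"EventID": 11, "UtcTime": "2022-08-10 09:14:02.113",
     "Image": r"C:\Windows\System32\msdt.exe",
     "TargetFilename": ROAMING + r"\Microsoft\Windows\Start Menu\Programs\Startup\example.exe"},
    {"EventID": 11, "UtcTime": "2022-08-10 09:20:41.530",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": ROAMING + r"\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
    {"EventID": 11, "UtcTime": "2022-08-10 09:21:07.002",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": ROAMING + r"\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
    {"EventID": 11, "UtcTime": "2022-08-10 09:30:55.870",
     "Image": r"C:\Windows\System32\msdt.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\SDIAG_demo\TS_Main.ps1"},
]

def in_startup(target):
    """True when the file's parent directory is a Startup folder."""
    parent = ntpath.dirname(ntpath.normpath(target))
    return ntpath.normcase(parent).endswith(STARTUP_SUFFIX)

def classify(event):
    """Return 'high', 'review', or None for one file-creation record."""
    if event.get("EventID") != 11 or not in_startup(event.get("TargetFilename", "")):
        return None
    writer = ntpath.basename(event.get("Image", "")).lower()
    if writer in MSDT_IMAGES:
        return "high"  # the write the page describes: MSDT placing a file in Startup
    ext = ntpath.splitext(event["TargetFilename"])[1].lower()
    return "review" if ext in RISKY_EXT else None

def triage(events):
    """(time, severity, target) for every record that needs a look."""
    return [(e["UtcTime"], sev, e["TargetFilename"])
            for e in events if (sev := classify(e))]
```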

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2022-34713 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2022-08-09 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CISA KEV Added | 2022-08-09 |
| CISA KEV Deadline | 2022-08-30 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-08-30. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2020-01-01 | DogWalk vulnerability originally discovered and reported to Microsoft by security researcher imre; Microsoft declined to patch at the time |
| 2022-06-01 | Vulnerability resurfaces in public attention alongside Follina (CVE-2022-30190); proof-of-concept circulates |
| 2022-08-09 | Microsoft patches CVE-2022-34713 in August 2022 Patch Tuesday; CISA adds to KEV same day |
| 2022-08-30 | CISA BOD 22-01 remediation deadline |