Trustwave achieves verified MXDR solution and FastTrack ready partner status from Microsoft. Learn More

Trustwave achieves verified MXDR solution and FastTrack ready partner status from Microsoft. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Trustwave's Action Response: More MSDT Fallout with “Dogwalk”

A zero-day vulnerability has been re-disclosed that is very similar to the Follina zero-day announced last week and is actively being tracked by Trustwave SpiderLabs. The vulnerability was initially publicly disclosed back in 2020 but dismissed by Microsoft, which replied at the time:

"We are also always seeking to improve these protections. But as written this wouldn't be considered a vulnerability."

With the disclosure around Follina on May 30, security researchers started doing additional research on the Microsoft Support Diagnostic Tool (MSDT) in Windows. While conducting this activity, some older research has been resurrected.

Explanation of the Vulnerability

By creating a malicious .diagcab file and then convincing a victim to open it, an attacker could use a directory traversal attack to place arbitrary malware or other code in the victim's Windows Startup directory. This code will then be automatically executed on the next logon or reboot.

The .diagcab file is an archive file used to distribute files and executables for troubleshooting and diagnostic purposes. An XML file in the archive tells Windows what files to download and from where (whether a local directory, network share, or, more importantly, in this case, a WebDAV share on the Internet).

The main issue is that WebDAV doesn't validate the remote filename as Windows Explorer would. Specifically, the file name can contain "..\". This allows an attacker to embed a directory traversal directly in the malware's name and ensures that it ends up placed in the victim's Startup directory.

Limiting factors

  • .diagcab files are blocked by Outlook by default but may be accessible in other mail clients like Gmail or Thunderbird
  • Any attack requires user interaction with a victim being convinced to open the malicious .diagcab file
  • Overwriting files is not possible by exploiting this vulnerability


This vulnerability affects all Windows versions. This includes Windows 7 through Windows 11 and Server 2008 through Server 2022. If exploited on a system, the attacker can place any arbitrary malware on the victim system, ultimately compromising that system and providing a foothold to spread to others on a shared network.


There is no CVE issued for this vulnerability nor any indication from Microsoft that it plans to issue a patch. However, Microsoft Patch Tuesday is June 14, and a patch may be released at that time. Additionally, unofficial patches have been issued by the 0patch team but are not currently supported by Microsoft.

We recommend that administrators monitor for unexpected .diagcab on their network inbound via web or email vectors. Organizations may want to consider Security Awareness training for their staff or issuing a notification warning users about opening any files with the .diagcab extension.


The Trustwave SpiderLabs is investigating potential protections and detections we can implement.


Original 2020 write-up from Imre Rad:

Rediscovered by @j00sean:

New technical writeup and unofficial patches from 0patch:

We will update this blog post as appropriate.