CVE-2025-30397

HIGH
2025-05-13 [email protected]
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 28, 2026 - 18:41 vuln.today
Added to CISA KEV
Oct 27, 2025 - 17:13 cisa
CISA KEV
PoC Detected
Oct 27, 2025 - 17:13 vuln.today
Public exploit code
CVE Published
May 13, 2025 - 17:16 nvd
HIGH 7.5

Tags

Microsoft Memory Corruption Authentication Bypass Windows 10 1507 Windows 10 1607 Windows 10 1809 Windows 10 21h2 Windows 10 22h2 Windows 11 22h2 Windows 11 23h2 Windows 11 24h2 Windows Server 2008 Windows Server 2012 Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server 2022 23h2 Windows Server 2025

Description

Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network.

Analysis

Microsoft Scripting Engine contains a type confusion vulnerability allowing unauthorized remote code execution over the network through crafted content processed by the scripting engine.

Technical Context

The CWE-843 type confusion allows an attacker to cause the scripting engine to misinterpret an object's type, leading to memory corruption and code execution when the engine accesses the object through the incorrect type interface.

Affected Products

['Microsoft Windows (Scripting Engine)']

Remediation

Apply May 2025 security updates. Restrict scripting engine usage through Group Policy where possible.

Priority Score

129
Low Medium High Critical
KEV: +50
EPSS: +21.3
CVSS: +38
POC: +20

Share

CVE-2025-30397 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy