CVE-2025-30397

Q: What is the severity of CVE-2025-30397?

CVE-2025-30397 has a CVSS score of 7.5 (HIGH). A type confusion vulnerability in Microsoft Scripting Engine allows remote attackers to execute arbitrary code by sending specially crafted network requests. This affects systems running vulnerable versions of Microsoft software that use the scripting engine. Attackers can exploit this without authentication over a network connection.

7.5 HIGH CISA KEV

Remote Code Execution

📋 TL;DR

A type confusion vulnerability in Microsoft Scripting Engine allows remote attackers to execute arbitrary code by sending specially crafted network requests. This affects systems running vulnerable versions of Microsoft software that use the scripting engine. Attackers can exploit this without authentication over a network connection.

💻 Affected Systems

Products:

Microsoft Scripting Engine

Versions: Specific versions not detailed in provided references; check Microsoft advisory for exact affected versions.

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems where Microsoft Scripting Engine is enabled and accessible via network protocols.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with remote code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Remote code execution with attacker gaining the same privileges as the scripting engine process, typically leading to lateral movement and data exfiltration.

🟢

If Mitigated

Attack blocked at network perimeter or by application controls, with no successful exploitation despite attempts.

🌐 Internet-Facing: HIGH - Exploitable over network without authentication, making internet-exposed systems primary targets.

🏢 Internal Only: MEDIUM - Still exploitable over internal networks but requires attacker to have internal access first.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

CISA has added this to Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific patch versions

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397

Restart Required: Yes

Instructions:

1. Apply latest Microsoft security updates via Windows Update or WSUS. 2. Restart affected systems. 3. Verify patch installation.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to systems using Microsoft Scripting Engine

Scripting Engine Disablement

windows

Disable Microsoft Scripting Engine if not required

reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SCRIPTING" /v "*" /t REG_DWORD /d 1 /f

🧯 If You Can't Patch

Implement strict network access controls to limit exposure
Deploy application control solutions to block unauthorized script execution

🔍 How to Verify

Check if Vulnerable:

Check system against Microsoft Security Update Guide or run vulnerability scanner with CVE-2025-30397 detection

Check Version:

wmic qfe list full | findstr /i "CVE-2025-30397"

Verify Fix Applied:

Verify Windows Update history shows relevant security patch installed and system version matches patched version

📡 Detection & Monitoring

Log Indicators:

Unusual script execution events
Process creation from scripting engine with suspicious parameters
Network connections to scripting engine ports from unexpected sources

Network Indicators:

Traffic patterns indicating exploitation attempts on scripting engine ports
Anomalous network requests to scripting services

SIEM Query:

source="windows" AND (event_id=4688 OR event_id=4104) AND process_name="*script*" AND command_line="*suspicious*"

📊 Metadata

CVE ID: CVE-2025-30397

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-843

EPSS Score: 21.27% exploit probability (95.5th percentile)

CISA KEV: Actively Exploited added May 13, 2025

Published: May 13, 2025

Last Updated: October 27, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397 Vendor Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-30397-type-confusion-vulnerability-in-microsoft-scripting-engine-detection-script Exploit,Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-30397-type-confusion-vulnerability-in-microsoft-scripting-engine-mitigation-script Mitigation,Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30397 US Government Resource

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft