CVE-2025-30397

HIGH KEV

Microsoft Windows Scripting Engine - Remote Code Execution via Type Confusion

Title source: llm

Exploitation Summary

CVE-2025-30397 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 13, 2025. EIP tracks 4 public exploits from researchers including Mohammed Idrees Banyamer, mbanyamer, Leviticus-Triage.

AI-analyzed exploit summary This exploit leverages a Use-After-Free vulnerability in the JScript engine (jscript.dll) of Windows Server 2025 via heap spraying to achieve remote code execution. The shellcode executes calc.exe as a demonstration.

Description

Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network.

Exploits (4)

exploitdb WORKING POC

by Mohammed Idrees Banyamer · pythonremotewindows

https://www.exploit-db.com/exploits/52315

View Code ZIP pw:eip

This exploit leverages a Use-After-Free vulnerability in the JScript engine (jscript.dll) of Windows Server 2025 via heap spraying to achieve remote code execution. The shellcode executes calc.exe as a demonstration.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows Server 2025 (build 25398 and prior) with IE11

No auth needed

Prerequisites: Vulnerable Windows Server 2025 with IE11 · Network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 69 stars

by mbanyamer · client-side

https://github.com/mbanyamer/CVE-2025-30397---Windows-Server-2025-JScript-RCE-Use-After-Free-

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2025-30397, a Use-After-Free vulnerability in the JScript engine (jscript.dll) affecting Windows Server 2025. The exploit leverages heap spraying to achieve remote code execution, demonstrated by launching calc.exe via Internet Explorer 11.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Windows Server 2025 (build 25398 and prior) with Internet Explorer 11

No auth needed

Prerequisites: Vulnerable Windows Server 2025 with Internet Explorer 11 · Network access to the target

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github SUSPICIOUS 13 stars

by Leviticus-Triage · pythonpoc

https://github.com/Leviticus-Triage/ChromSploit-Framework

View Code ZIP pw:eip

The repository appears to be a framework for Chrome exploits but lacks actual exploit code for CVE-2025-30397. It contains extensive documentation, contribution guidelines, and placeholder structures but no functional PoC or technical details specific to the CVE.

Classification

Suspicious 90%

Attack Type

Other

Complexity

Theoretical

Reliability

Theoretical

Target: Google Chrome (version unspecified)

No auth needed

Prerequisites: None specified

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC

by manus-use · postscriptpoc

https://github.com/manus-use/cve-pocs/tree/main/microsoft-windows-CVE-2025-30397

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-32433, targeting Erlang/OTP SSH. The exploit demonstrates pre-authentication command execution via crafted SSH packets, leveraging a vulnerability in the SSH protocol handling.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Erlang/OTP SSH (OTP-22.3.4.17)

No auth needed

Prerequisites: Network access to the target SSH port (2222) · Vulnerable Erlang/OTP version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory

https://www.vicarius.io/vsociety/posts/cve-2025-30397-type-confusion-vulnerability-in-microsoft-scripting-engine-detection-script

Mitigation, Third Party Advisory

https://www.vicarius.io/vsociety/posts/cve-2025-30397-type-confusion-vulnerability-in-microsoft-scripting-engine-mitigation-script

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30397

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397

Scores

CVSS v3 7.5

EPSS 0.2074

EPSS Percentile 95.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2025-05-13

VulnCheck KEV 2025-05-13

ENISA EUVD EUVD-2025-14411

CWE

CWE-843

Status published

Products (17)

microsoft/windows_10_1507 < 10.0.10240.21014

microsoft/windows_10_1607 < 10.0.14393.8066

microsoft/windows_10_1809 < 10.0.17763.7314 (2 CPE variants)

microsoft/windows_10_21h2 < 10.0.19044.5854

microsoft/windows_10_22h2 < 10.0.19045.5854

microsoft/windows_11_22h2 < 10.0.22621.5335

microsoft/windows_11_23h2 < 10.0.22631.5335

microsoft/windows_11_24h2 < 10.0.26100.3981

microsoft/windows_server_2008

microsoft/windows_server_2008 r2 sp1

... and 7 more

Published May 13, 2025

KEV Added May 13, 2025

Tracked Since Feb 18, 2026