⚠ Actively exploited
Added to CISA KEV on 2025-05-13. Federal agencies required to patch by 2025-06-03. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-30397Type Confusion in Microsoft Windows 10 Version 1507

CWE-843Type Confusion16 documents13 sources
Severity
7.5HIGHNVD
EPSS
21.3%
top 4.31%
CISA KEV
KEV
Added 2025-05-13
Due 2025-06-03
Exploit
PoC available
Public exploit / PoC exists
Affected products
27
Microsoft Windows 10 Version 1507Microsoft Windows 10 Version 1607Microsoft Windows 10 Version 1809+24 more
Timeline
PublishedMay 13
KEV addedMay 13
KEV dueJun 3
Latest updateJun 5
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages26 packages

NVDmicrosoft/windows< 10.0.14393.8066+5
NVDmicrosoft/windows_10_1507< 10.0.10240.21014
NVDmicrosoft/windows_10_1607< 10.0.14393.8066
NVDmicrosoft/windows_10_1809< 10.0.17763.7314
NVDmicrosoft/windows_10_21h2< 10.0.19044.5854

🔴Vulnerability Details

3
GHSA
GHSA-r7hj-5f27-q8xw: Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a net2025-05-13
CVEList
Scripting Engine Memory Corruption Vulnerability2025-05-13
VulnCheck
Microsoft Windows Scripting Engine Type Confusion Vulnerability2025

💥Exploits & PoCs

1
Exploit-DB
Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)2025-06-05

📋Vendor Advisories

2
Microsoft
Scripting Engine Memory Corruption Vulnerability2025-05-13
CISA
Microsoft Windows Scripting Engine Type Confusion Vulnerability2025-05-13

🕵️Threat Intelligence

9
Krebs
Patch Tuesday, May 2025 Edition2025-05-14
Krebs
Patch Tuesday, May 2025 Edition2025-05-14
Tenable
Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)2025-05-13
Qualys
Microsoft and Adobe Patch Tuesday, May 2025 Security Update Review2025-05-13
Qualys
Microsoft and Adobe Patch Tuesday, May 2025 Security Update Review | Qualys2025-05-13
CVE-2025-30397 — Type Confusion in Microsoft | cvebase