CVE-2025-30397 — Microsoft Windows Scripting Engine Type Confusion Vulnerability

CVE-2025-30397

Windows Scripting Engine — Type Confusion RCE via Crafted URL; May 2025 Patch Tuesday Zero-Day

What is the Windows Scripting Engine?

The Windows Scripting Engine encompasses the legacy JScript and VBScript interpreters built into Windows: jscript.dll, jscript9.dll (JScript9, the engine introduced with Internet Explorer 9), and vbscript.dll. They are exposed through the COM-based Active Scripting interfaces, so any application can host them: Internet Explorer and Microsoft Edge's Internet Explorer mode for scripts embedded in web pages, Windows Script Host (wscript.exe / cscript.exe) for .vbs and .js files, mshta.exe for .hta applications, and third-party software that embeds the engines. (Office macros run on VBA, a separate engine, and do not go through these DLLs.) Although Microsoft is deprecating the legacy engines, and VBScript has started moving to an optional Features on Demand component in Windows 11, the binaries remain present on supported Windows releases and have been a persistent source of exploitable memory-safety vulnerabilities.

Overview

CVE-2025-30397 is a type confusion vulnerability (CWE-843) in the Windows Scripting Engine that allows an unauthenticated remote attacker to achieve arbitrary code execution on the victim's system once the victim opens a specially crafted URL. User interaction is required (UI:R): the victim must be lured to the URL, typically via phishing, malvertising, or a compromised website. Attack complexity is rated High (AC:H). In CVSS 3.1 that metric denotes conditions outside the attacker's control that must hold, not the social-engineering step, which UI:R already covers; here the main condition is that the URL must be opened by a component that still routes content to the legacy engine, such as Edge running in Internet Explorer mode, which Microsoft lists as a requirement for exploitation. Disclosed as a zero-day in the May 2025 Patch Tuesday, it was one of five actively exploited Windows zero-days patched that day.

Affected Versions

Product                            Vulnerable                              Fixed
Windows 10 / 11 (all supported)    Before May 2025 cumulative update       May 2025 cumulative update
Windows Server 2016–2025           Before May 2025 cumulative update       May 2025 cumulative update
Internet Explorer 11 (legacy)      Before May 2025 IE update               May 2025 IE update

Technical Details

The type confusion vulnerability (CWE-843) lies in how the scripting engine processes JavaScript or VBScript delivered from a specially crafted URL. A type confusion bug arises when the engine operates on an object as if it had one type while the memory actually holds another, for example reading a field at an offset that exists only for the assumed type. Script engines are prone to this because they keep dynamically typed values in tagged representations and must re-validate the type after any operation that can run user script (a property getter, a valueOf callback, an array-length change). An attacker crafts script that drives the engine into the mismatched state, uses the corrupted object to obtain an out-of-bounds or attacker-controlled read or write, and builds arbitrary read/write primitives from it; code execution follows from those primitives. Microsoft has not published which objects or code paths are involved.

The Network attack vector (AV:N) reflects that the attack is delivered over the network: the victim opens the URL in Edge's Internet Explorer mode or in another application that hosts the legacy scripting engine. User Interaction: Required (UI:R) captures the fact that the attacker cannot force the visit and must rely on phishing, malvertising, or a compromised site; the High attack complexity reflects the configuration and exploit-reliability preconditions that lie beyond the attacker's control.

Exploitation delivery mechanisms:

  • Phishing email with a malicious link opened in Edge's IE mode
  • Crafted Office document containing an embedded script or iframe
  • Malicious advertisement or watering hole redirect
  • Windows Script Host .js or .vbs file sent as email attachment
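The last two delivery paths above leave a process-creation trail: a script host (wscript.exe, cscript.exe or mshta.exe) spawned by a mail client, an Office application or a browser. The following is an added detection example written for this page, not code from the advisory or from Microsoft. The four input records are constructed to resemble the Image, ParentImage and CommandLine fields of a Sysmon Event ID 1 (process create) event; on a real host you would feed the function those fields from Get-WinEvent against the Microsoft-Windows-Sysmon/Operational log. The parent and script-host lists are assumptions you should tune to your environment.

```powershell
# Added example (not part of the advisory): flag script-host launches whose parent is a
# mail client, Office application or browser. Records are "Image|ParentImage|CommandLine".
# The records below are constructed sample data, not captured events.
$SampleEvents = @(
    'C:\Windows\System32\wscript.exe|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice_4417.vbs"',
    'C:\Windows\System32\mshta.exe|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|"C:\Windows\System32\mshta.exe" https://example.invalid/update.hta',
    'C:\Windows\System32\cscript.exe|C:\Windows\System32\svchost.exe|cscript.exe //nologo C:\ProgramData\inventory\collect.vbs',
    'C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe readme.txt'
)

# Assumed lists: processes that load the legacy engines, and parents that indicate a lured user.
$ScriptHosts  = @('wscript.exe', 'cscript.exe', 'mshta.exe')
$LuredParents = @('outlook.exe', 'winword.exe', 'excel.exe', 'powerpnt.exe', 'msedge.exe', 'iexplore.exe')

function Find-ScriptHostAbuse {
    param([Parameter(Mandatory)][string[]]$Events)

    foreach ($line in $Events) {
        # Split into exactly three fields; the command line may itself contain '|' so cap at 3.
        $image, $parent, $cmd = $line -split '\|', 3
        $imageName  = [System.IO.Path]::GetFileName($image)
        $parentName = [System.IO.Path]::GetFileName($parent)

        # -in is case-insensitive, so OUTLOOK.EXE matches 'outlook.exe'.
        if ($imageName -in $ScriptHosts -and $parentName -in $LuredParents) {
            # Extract the URL or script path for the alert; fall back to the whole command line.
            $target = if ($cmd -match '(https?://\S+|[^\s"]+\.(vbs|vbe|js|jse|hta|wsf))') { $Matches[1] } else { $cmd }
            [pscustomobject]@{
                Process = $imageName
                Parent  = $parentName
                Target  = $target
                Raw     = $cmd
            }
        }
    }
}

# Expected on the sample data: two hits (wscript.exe from OUTLOOK.EXE, mshta.exe from msedge.exe);
# the scheduled cscript.exe run under svchost.exe and notepad.exe are not reported.
Find-ScriptHostAbuse -Events $SampleEvents | Format-Table -AutoSize
```

The cscript.exe record is deliberately included as a benign case: inventory and logon scripts commonly run under svchost.exe or the task scheduler, so keying only on the script host name produces noise; the parent process is what separates a lured user from automation.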

Discovery

Microsoft Threat Intelligence identified active exploitation before the May 2025 Patch Tuesday; no external researcher was credited.

Exploitation Context

Confirmed zero-day exploitation before May 13, 2025. Memory-corruption bugs in the legacy JScript and VBScript engines have historically been favored by nation-state actors (North Korean, Chinese, and Russian threat groups) for targeted spear-phishing campaigns in which victims are directed to attacker-controlled URLs. The need for user interaction and for a susceptible configuration such as Edge IE mode makes targeted use more likely than mass exploitation, but the KEV listing confirms real-world use.

Remediation

  1. Apply the May 2025 cumulative update for your Windows version (the CISA BOD 22-01 deadline was June 3, 2025). This is the only fix; the steps below reduce exposure on hosts that cannot be patched immediately.
  2. Disable Internet Explorer mode in Edge where it is not operationally required, for example by setting the Edge policy InternetExplorerIntegrationLevel to 0 (None). The legacy engine is most commonly reached through IE mode, and Microsoft lists IE mode as a requirement for exploiting this CVE. Where IE mode is needed, restrict it to the sites on the enterprise site list.
  3. Block .hta, .js, .jse, .vbs, .vbe and .wsf attachments at the email gateway; these are executed by mshta.exe or Windows Script Host (wscript.exe / cscript.exe), both of which load the vulnerable engines.
  4. Disable Windows Script Host on endpoints that do not need it by setting the REG_DWORD value Enabled to 0 under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings. Windows ships no dedicated Group Policy template for this setting; deploy the value through Group Policy Preferences or your configuration-management tool.
  5. Enable the Microsoft Defender Attack Surface Reduction (ASR) rule "Block JavaScript or VBScript from launching downloaded executable content" (rule ID D3E037E1-3EB8-44C8-A917-57927947596D) in block mode.
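The following script audits the patch, IE mode, Windows Script Host and ASR state described in the steps above and, with -Apply, enforces the three host-side mitigations. It is an added example written for this page, not Microsoft's tooling or code from the advisory. The registry paths, value names and the ASR rule ID are the documented ones; the KB number is an assumption that must be filled in per OS build from the MSRC advisory, and the placeholder below will simply report "not patched".

```powershell
# Added example (not from the advisory): audit and optionally apply CVE-2025-30397 mitigations.
# Run from an elevated PowerShell session on the endpoint. Without -Apply it only reports.
param(
    [string]$RequiredKb = 'KB0000000',   # ASSUMPTION: replace with the May 2025 CU KB for this build
    [switch]$Apply
)

$IeModeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$WshKey    = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
# ASR rule: "Block JavaScript or VBScript from launching downloaded executable content"
$AsrRuleId = 'D3E037E1-3EB8-44C8-A917-57927947596D'

function Get-MitigationState {
    # 1. Patch: is the required cumulative update present?
    $patched = [bool](Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)

    # 2. Edge IE mode policy: 0 = None, 1 = IEMode, 2 = NeedIE. An absent value means the
    #    policy is not enforced, which this check treats as "not disabled".
    $ieLevel = (Get-ItemProperty -Path $IeModeKey -Name InternetExplorerIntegrationLevel `
                -ErrorAction SilentlyContinue).InternetExplorerIntegrationLevel
    $ieModeDisabled = ($ieLevel -eq 0)

    # 3. Windows Script Host: Enabled = 0 blocks wscript.exe/cscript.exe; absent means enabled.
    $wshEnabled = (Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $wshDisabled = ($wshEnabled -eq 0)

    # 4. ASR: Ids and Actions are parallel arrays; action 1 = Block (0 Off, 2 Audit, 6 Warn).
    $mp      = Get-MpPreference
    $ids     = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    $asrBlock = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $AsrRuleId -and $actions[$i] -eq 1) { $asrBlock = $true }
    }

    [pscustomobject]@{
        RequiredKb     = $RequiredKb
        Patched        = $patched
        IeModeDisabled = $ieModeDisabled
        WshDisabled    = $wshDisabled
        AsrRuleBlock   = $asrBlock
    }
}

function Set-Mitigations {
    # New-Item -Force creates the key if missing and leaves an existing key's values intact.
    New-Item -Path $IeModeKey -Force | Out-Null
    Set-ItemProperty -Path $IeModeKey -Name InternetExplorerIntegrationLevel -Value 0 -Type DWord

    New-Item -Path $WshKey -Force | Out-Null
    Set-ItemProperty -Path $WshKey -Name Enabled -Value 0 -Type DWord

    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

$state = Get-MitigationState
$state | Format-List

if ($Apply -and -not ($state.IeModeDisabled -and $state.WshDisabled -and $state.AsrRuleBlock)) {
    Set-Mitigations
    Write-Host 'Mitigations applied; re-auditing:'
    Get-MitigationState | Format-List
}
```

Turning off IE mode and Windows Script Host fleet-wide breaks legacy intranet applications and logon scripts that depend on them, so run the audit first, scope -Apply to hosts where the report shows them unused, and treat the ASR rule as the least disruptive of the three.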

Key Details

Property              Value
CVE ID                CVE-2025-30397
Vendor / Product      Microsoft — Windows
NVD Published         2025-05-13
NVD Last Modified     2025-10-27
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-843
CISA KEV Added        2025-05-13
CISA KEV Deadline     2025-06-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     High
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2025-06-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-05-13   Patched in May 2025 Patch Tuesday; CISA adds to KEV (zero-day exploited before patch)
2025-06-03   CISA BOD 22-01 remediation deadline