CVE-2025-30397 is a high-severity vulnerability classified under CWE-843 (Access of Resource Using Incompatible Type, commonly known as 'type confusion') affecting Microsoft Windows 10 Version 1809 (build 10.0.17763.0). The flaw exists within the Microsoft Scripting Engine, a core component responsible for parsing and executing script code in various Windows environments. The vulnerability allows an unauthorized attacker to execute arbitrary code remotely over a network. Specifically, the type confusion issue arises when the scripting engine incorrectly handles data types, leading to improper access or manipulation of memory resources. This can be exploited by crafting malicious scripts or payloads that, when processed by the vulnerable scripting engine, result in the execution of attacker-controlled code. The CVSS v3.1 base score is 7.5, indicating a high severity level. The vector string (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C) reveals that the attack vector is network-based (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), but does require user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). The exploit code is functional (E:F), and the vulnerability is officially confirmed and publicly known (RL:O, RC:C). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in March 2025 and published in May 2025. Given the nature of the scripting engine and its integration in Windows 10, this vulnerability could be triggered via malicious web content, email attachments, or network-delivered scripts, making it a significant risk for endpoint compromise and lateral movement within networks.

For European organizations, this vulnerability poses a substantial risk due to the widespread use of Windows 10 Version 1809 in enterprise environments, especially in legacy systems that have not been upgraded. Successful exploitation could lead to full system compromise, allowing attackers to execute arbitrary code remotely without requiring privileges but needing user interaction, such as opening a malicious document or visiting a compromised website. This can result in data breaches, ransomware deployment, espionage, or disruption of critical services. The high impact on confidentiality, integrity, and availability means sensitive corporate data, intellectual property, and operational continuity could be severely affected. Sectors such as finance, healthcare, government, and critical infrastructure in Europe are particularly vulnerable due to their reliance on Windows-based systems and the potential high value of their data. Additionally, the network-based attack vector increases the risk of rapid propagation within corporate networks if exploited. The absence of known exploits in the wild currently provides a window for mitigation, but the confirmed functional exploit code and public disclosure increase the urgency for European organizations to act promptly.

Given the lack of an official patch at the time of this report, European organizations should implement immediate compensating controls. These include: 1) Restricting or disabling scripting engine components where feasible, especially in browsers and email clients, to reduce the attack surface. 2) Employing application whitelisting and script-blocking policies to prevent execution of unauthorized or suspicious scripts. 3) Enhancing email filtering and web gateway protections to block malicious attachments and URLs that could deliver exploit payloads. 4) Educating users to recognize and avoid interacting with suspicious links or documents, as user interaction is required for exploitation. 5) Utilizing endpoint detection and response (EDR) solutions to monitor for anomalous script execution or memory manipulation indicative of exploitation attempts. 6) Planning and accelerating upgrades from Windows 10 Version 1809 to supported and patched versions to eliminate exposure. 7) Network segmentation to limit lateral movement if a compromise occurs. Once Microsoft releases a patch, organizations must prioritize its deployment, including testing and rapid rollout across all affected systems. Regular vulnerability scanning and asset inventory updates should be conducted to identify and remediate any remaining vulnerable endpoints.