CVE-2025-30399 is a high-severity vulnerability classified under CWE-426 (Untrusted Search Path) affecting Microsoft PowerShell version 7.4.0. The vulnerability arises from an untrusted search path issue in .NET and Visual Studio components leveraged by PowerShell, which allows an unauthorized attacker to execute arbitrary code over a network. Specifically, this flaw occurs when PowerShell or its underlying .NET runtime resolves and loads libraries or executables from directories that are not securely validated, potentially allowing an attacker to place malicious binaries in a location that is searched before the legitimate ones. When PowerShell executes, it may inadvertently load and run the attacker's code. The CVSS 3.1 base score of 7.5 reflects a high severity, with network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), and requiring user interaction (UI:R). The impact on confidentiality, integrity, and availability is high, indicating that successful exploitation could lead to full system compromise, data theft, or disruption of services. No known exploits are currently reported in the wild, and no patches have been linked yet, suggesting that organizations should proactively prepare for mitigation. The vulnerability affects PowerShell 7.4.0, a widely used scripting and automation tool in enterprise environments, especially in Windows-centric infrastructures and DevOps pipelines.

For European organizations, the impact of CVE-2025-30399 could be significant due to the widespread use of PowerShell in IT operations, automation, and cloud management. Successful exploitation could allow attackers to remotely execute malicious code without requiring prior authentication, potentially leading to data breaches, ransomware deployment, or lateral movement within corporate networks. This is particularly critical for sectors with high regulatory requirements such as finance, healthcare, and critical infrastructure, where confidentiality and integrity of data are paramount. The requirement for user interaction somewhat limits automated exploitation but does not eliminate risk, as phishing or social engineering could trigger the vulnerability. The high impact on availability could disrupt business continuity and critical services. Additionally, the vulnerability's presence in .NET and Visual Studio components means that development environments and build pipelines could be compromised, affecting software supply chains and increasing the risk of widespread malware propagation.

To mitigate CVE-2025-30399, European organizations should: 1) Immediately audit and restrict the directories included in the system PATH environment variable and ensure that only trusted directories are searched by PowerShell and .NET runtime. 2) Implement application whitelisting and code integrity policies (e.g., Windows Defender Application Control) to prevent execution of unauthorized binaries. 3) Educate users and administrators about the risks of executing untrusted scripts or binaries and enforce strict controls on user interaction with PowerShell scripts, especially those received via email or external sources. 4) Monitor PowerShell execution logs and network traffic for unusual activity indicative of exploitation attempts. 5) Deploy endpoint detection and response (EDR) solutions capable of detecting anomalous process creation and script execution. 6) Stay alert for official patches or updates from Microsoft and apply them promptly once available. 7) Review and harden development and build environments to prevent insertion of malicious code via compromised Visual Studio components. 8) Consider isolating critical systems and limiting network exposure of machines running PowerShell 7.4.0 to reduce attack surface.