
Microsoft, in its May 2025 Patch Tuesday update, addressed 72 vulnerabilities, including five zero-days. One of those zero-days is a memory corruption vulnerability in the Microsoft Scripting Engine that enables remote code execution over a network.
The flaw, designated CVE-2025-30397, was discovered by the Microsoft security team, and Microsoft confirms that the vulnerability was actively exploited in the wild.
According to the report, the vulnerability stems from a type confusion error in the Microsoft Scripting Engine, specifically affecting the legacy JScript engine (jscript.dll). This memory corruption flaw allows attackers to execute arbitrary code remotely when users click specially crafted URLs while using Microsoft Edge in Internet Explorer Mode.
Despite the retirement of Internet Explorer 11 on many platforms, the underlying MSHTML platform remains active across Windows environments, keeping systems vulnerable.
"Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorised attacker to execute code over a network," Microsoft stated in its official advisory. The company classified the vulnerability as "Important" with a CVSS score of 7.5, noting that exploitation has been detected despite the high attack complexity required.
The vulnerability requires specific conditions, including user interaction and Edge configured in Internet Explorer Mode. However, successful exploitation results in complete system compromise, affecting the confidentiality, integrity, and availability of Windows systems.
A GitHub user has released a proof-of-concept exploit for CVE-2025-30397, demonstrating remote code execution on Windows Server 2025 systems via a use-after-free in jscript.dll.
Microsoft's advisory emphasises that while Internet Explorer applications are deprecated, the underlying scripting platforms continue to support various applications using WebBrowser controls.
The company strongly recommends immediate patch deployment across all supported Windows versions and suggests disabling Internet Explorer Mode where possible to reduce attack surface exposure.
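To check whether a host follows the recommendation to disable Internet Explorer Mode, the read-only PowerShell audit below can be used. It is an added example, not taken from Microsoft's advisory. It reads Microsoft Edge's documented IE-mode policy values from the registry and reports the installed jscript.dll file version. The function names are hypothetical, and the patched file version is not given on this page, so the script only reports the version.

```powershell
# Added example: read-only audit of Edge IE-mode policy on the local machine.
# Value names are Microsoft Edge's documented policies; nothing is modified.
$roots = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
         'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
$levelNames = @{ 0 = 'None (IE mode off)'; 1 = 'IEMode'; 2 = 'NeedIE' }

function Get-EdgeIEModePolicy {
    param([string[]]$Path = $roots)
    foreach ($root in $Path) {
        # A missing key means no Edge policy is set in that hive.
        $p = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
        $level  = if ($p) { $p.InternetExplorerIntegrationLevel } else { $null }
        $reload = if ($p) { $p.InternetExplorerIntegrationReloadInIEModeAllowed } else { $null }
        $list   = if ($p) { $p.InternetExplorerIntegrationSiteList } else { $null }

        # Handle "not configured" separately: casting $null to [int] would yield 0.
        $levelText = if ($null -eq $level) {
            'Not configured'
        } elseif ($levelNames.ContainsKey([int]$level)) {
            $levelNames[[int]$level]
        } else {
            "Unknown ($level)"
        }

        [pscustomobject]@{
            Hive                  = $root
            IntegrationLevel      = $levelText
            ReloadInIEModeAllowed = $reload
            SiteList              = $list
            # True only when policy explicitly disables IE mode and the reload option.
            IEModeEnforcedOff     = ($level -eq 0 -and $reload -eq 0)
        }
    }
}

function Get-JScriptFileVersion {
    # Compare the result with the fixed build listed in Microsoft's advisory for your OS.
    $dll = Join-Path $env:SystemRoot 'System32\jscript.dll'
    if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { $null }
}

Get-EdgeIEModePolicy | Format-List
"jscript.dll file version: $(Get-JScriptFileVersion)"
```

A host where no hive reports `IEModeEnforcedOff = True` is not blocked by policy from using IE mode and should be prioritised for patching.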