CVE-2025-54100

HIGH

Windows PowerShell - Unauthenticated Command Injection

Exploitation Summary

EIP tracks 5 public exploits for CVE-2025-54100. PoCs published by osman1337-security, ThemeHackers, xiaoLvChen.

AI-analyzed exploit summary: The repository provides a detailed technical analysis of CVE-2025-54100, which involves PowerShell's `Invoke-WebRequest` cmdlet executing JavaScript when `UseBasicParsing` is not specified, leading to XSS and potential RCE. It includes a proof-of-concept demonstrating the vulnerability and discusses the lifecycle of PowerShell versions affected.

Description

Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.

Exploits (5)

nomisec WRITEUP 24 stars
by osman1337-security · poc
https://github.com/osman1337-security/CVE-2025-54100

The repository provides a detailed technical analysis of CVE-2025-54100, which involves PowerShell's `Invoke-WebRequest` cmdlet executing JavaScript when `UseBasicParsing` is not specified, leading to XSS and potential RCE. It includes a proof-of-concept demonstrating the vulnerability and discusses the lifecycle of PowerShell versions affected.

Classification: Writeup 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PowerShell 5.1 (default on Windows 11, Server 2022/2025)
No auth needed
Prerequisites: Host a website with a malicious JavaScript payload · Victim executes `curl` (Invoke-WebRequest) without `UseBasicParsing`
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 24 stars
by ThemeHackers · poc
https://github.com/ThemeHackers/CVE-2025-54100

This repository contains a functional Proof-of-Concept (PoC) for CVE-2025-54100, demonstrating Remote Code Execution (RCE) in Windows PowerShell 5.1 via malicious HTML parsing. The FastAPI server serves a crafted HTML payload that exploits the MSHTML-based parsing vulnerability in `Invoke-WebRequest` when `-UseBasicParsing` is not used.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows PowerShell 5.1 (Windows 10/11 and Windows Server 2008-2025)
No auth needed
Prerequisites: Vulnerable Windows host with PowerShell 5.1 · Network access to the attacker's server · Victim must execute `Invoke-WebRequest` without `-UseBasicParsing`
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 1 star
by xiaoLvChen · poc
https://github.com/xiaoLvChen/CVE-2025-54100

This repository contains a functional proof-of-concept exploit for CVE-2025-54100, demonstrating remote code execution (RCE) in PowerShell 5.1 via malicious HTML parsing when `Invoke-WebRequest` is used without the `-UseBasicParsing` parameter. The exploit leverages MSHTML-based parsing to execute ActiveX objects, such as `WScript.Shell` or `Shell.Application`, to launch arbitrary commands (e.g., `calc.exe`).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows PowerShell 5.1 (Windows 10/11, Windows Server 2008-2025)
No auth needed
Prerequisites: Victim must use `Invoke-WebRequest` without `-UseBasicParsing` · MSHTML-based parsing must be enabled (default in PowerShell 5.1) · ActiveX controls must be allowed in Internet Explorer settings
devstral-2 · analyzed Feb 19, 2026

nomisec SUSPICIOUS
by R3lva · poc
https://github.com/R3lva/CVE-2025-54100-BYPASS-

The repository claims to provide a PoC for CVE-2025-54100 but lacks actual exploit code, instead describing a vague batch script approach without technical details. It references external links for context but does not include functional code or a detailed analysis.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Windows PowerShell
No auth needed
Prerequisites: user execution of a crafted script
devstral-2 · analyzed Feb 23, 2026

gitlab WORKING POC
by ThemeHackers · poc
https://gitlab.com/ThemeHackers/CVE-2025-54100

This repository contains a functional Proof-of-Concept (PoC) for CVE-2025-54100, demonstrating Remote Code Execution (RCE) in Windows PowerShell 5.1 via malicious HTML parsing. The FastAPI server serves a crafted HTML payload that exploits MSHTML-based parsing to execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows PowerShell 5.1
No auth needed
Prerequisites: Python 3.10+ · FastAPI · Uvicorn · Vulnerable Windows host with PowerShell 5.1
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 7.8
EPSS 0.0147
EPSS Percentile 70.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE: CWE-77
Status published
Products (40)
Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.8688
Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.8146
Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.6691
Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.6691
Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.6345
Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.6345
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.7462
Microsoft/Windows 11 Version 25H2 10.0.26200.0 - 10.0.26200.7462
Microsoft/Windows Server 2008 R2 Service Pack 1 6.1.7601.0 - 6.1.7601.28064
Microsoft/Windows Server 2008 R2 Service Pack 1 (Server Core installation) 6.1.7601.0 - 6.1.7601.28064
... and 30 more
Published Dec 09, 2025
Tracked Since Feb 18, 2026