CVE-2025-54100: PowerShell Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.8)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Publicly Disclosed

Yes

Patch Tuesday

2025-Dec

Released

2025-12-09

Last Updated

2025-12-18

EPSS Score

0.35% (percentile: 57.7%)

Description

Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.

FAQ

Is there more information I need to know after I install the Security Updates to address this vulnerability? After you install the updates, when you use the Invoke-WebRequest command you will see the following confirmation prompt with security warning of script execution risk: Security Warning: Script Execution Risk Invoke-WebRequest parses the content of the web page. Script code in the web page might be run when the page is parsed. RECOMMENDED ACTION: Use the -UseBasicParsing switch to avoid script code execution. Do you want to continue? For additional details, see KB5074596: PowerShell 5.1: Preventing script execution from web content. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. After I install security update 5074204 or 5074353 will a reboot be required? Yes. After you install Security Update 5074204 or 5074353, you will be required to reboot your system. Note that your PowerShell session itself does not require a reboot unless a particular utility DLL is loaded in memory during the session. Consistent with previous updates, only the presence of certain DLLs in use might trigger a reboot prompt.

Detection & Weaponization (1 sources)

Maturity: Exploit

• GitHub PoC: 4 repositories

Affected Products (35)

Windows

• Windows 10 Version 1809 for 32-bit Systems
• Windows 10 Version 1809 for x64-based Systems
• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows 10 Version 21H2 for 32-bit Systems
• Windows 10 Version 21H2 for ARM64-based Systems
• Windows 10 Version 21H2 for x64-based Systems
• Windows Server 2025 (Server Core installation)
• Windows 11 Version 25H2 for ARM64-based Systems
• Windows 11 Version 25H2 for x64-based Systems
• Windows 11 Version 23H2 for ARM64-based Systems
• Windows 11 Version 23H2 for x64-based Systems
• Windows Server 2022, 23H2 Edition (Server Core installation)
• Windows 11 Version 24H2 for ARM64-based Systems
• Windows 11 Version 24H2 for x64-based Systems
• Windows Server 2025
• Windows 10 Version 1607 for 32-bit Systems
• Windows 10 Version 1607 for x64-based Systems
• Windows Server 2016
• Windows Server 2016 (Server Core installation)

ESU

• Windows 10 Version 22H2 for x64-based Systems
• Windows 10 Version 22H2 for ARM64-based Systems
• Windows 10 Version 22H2 for 32-bit Systems
• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
• Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)

Security Updates (15)

• 5071544
• 5071547
• 5074353
• 5071546
• 5072033
• 5074204
• 5071417
• 5071542
• 5071543
• 5071504
• 5071507
• 5071501
• 5071506
• 5071505
• 5071503

Acknowledgments

<a href="http://x.com/osman1337_">Osman Eren G&#252;neş</a>, <a href="https://x.com/melihkaanyldz">Melih Kaan Yıldız</a>, Anonymous, Pēteris Hermanis Osipovs, DeadOverflow, Justin Necke

Revision History

• 2025-12-09: Information published.
• 2025-12-18: Corrected Build Numbers in the Security Updates table. This is an informational change only.