CVE-2025-54100

7.8 HIGH

📋 TL;DR

This command injection vulnerability in Windows PowerShell allows attackers to execute arbitrary code on affected systems. It affects Windows systems running vulnerable PowerShell versions, primarily impacting organizations using PowerShell for administration or automation.

💻 Affected Systems

Products:
  • Windows PowerShell
Versions: Specific versions not yet detailed in public advisories
Operating Systems: Windows 10, Windows 11, Windows Server 2016+, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PowerShell execution capability; systems with PowerShell constrained language mode or application control may be less vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining SYSTEM privileges, lateral movement across the network, data exfiltration, and ransomware deployment.

🟠 Likely Case

Local privilege escalation leading to credential theft, persistence establishment, and limited lateral movement within the environment.

🟢 If Mitigated

Contained impact with limited privilege escalation if proper application whitelisting and PowerShell constraints are enforced.

🌐 Internet-Facing: LOW (requires local access or existing foothold on system)
🏢 Internal Only: HIGH (can be exploited by malicious insiders or attackers with initial access)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access or ability to execute PowerShell commands; may be chained with other vulnerabilities for remote exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific patch versions

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates via Windows Update
2. For enterprise: Deploy through WSUS or Microsoft Endpoint Configuration Manager
3. Verify PowerShell version after update

🔧 Temporary Workarounds

Enable PowerShell Constrained Language Mode

Restricts PowerShell to a safe subset of language elements, reducing what an injected command can do. Note that the execution policy command below limits which script files will run but is not a security boundary and does not by itself enable Constrained Language Mode; that mode is enforced through a WDAC or AppLocker policy.

Set-ExecutionPolicy -ExecutionPolicy Restricted
Enable PowerShell logging via Group Policy

Implement Application Control

Use Windows Defender Application Control to restrict PowerShell execution

Configure AppLocker or WDAC policies to control PowerShell usage

🧯 If You Can't Patch

  • Implement strict PowerShell logging and monitoring for suspicious command patterns
  • Apply network segmentation to limit lateral movement from compromised systems

🔍 How to Verify

Check if Vulnerable:

Check PowerShell version and compare with patched versions in Microsoft advisory

Check Version:

$PSVersionTable.PSVersion

Verify Fix Applied:

Verify Windows Update history shows the security patch applied and PowerShell version updated

📡 Detection & Monitoring

Log Indicators:

  • PowerShell logs showing unusual command execution patterns
  • Event ID 4104 with suspicious script blocks in Windows Event Logs
  • Unexpected PowerShell processes with unusual arguments

Network Indicators:

  • Unusual outbound connections from systems running PowerShell
  • Lateral movement attempts following PowerShell execution

SIEM Query:

source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 (ScriptBlockText="*Invoke-Expression*" OR ScriptBlockText="*iex*")

(Splunk-style syntax; the source and field names above assume the Splunk Add-on for Microsoft Windows and should be adapted to your SIEM. Matching on a bare "&" or "|" hits almost every script block and is only useful combined with other indicators.)
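The Event ID 4104 indicator above can also be hunted directly on a host. The following is an added example, not part of the advisory: it checks that Script Block Logging is enabled and then scans recent 4104 events for the Invoke-Expression / iex patterns named above. The extra patterns in the list (FromBase64String, -EncodedCommand) are an assumed, tunable extension of the page's indicators; the channel name, event ID and policy registry key are standard Windows values.

```powershell
# Added example (not from the advisory): hunt Script Block Logging (4104) events for
# the Invoke-Expression / iex pattern listed under Log Indicators.
# Assumes rights to read Microsoft-Windows-PowerShell/Operational and that
# Script Block Logging is enabled (otherwise 4104 events are largely absent).

function Test-ScriptBlockLoggingEnabled {
    # Standard policy key set by the "Turn on PowerShell Script Block Logging" GPO
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $value = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging `
              -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($value -eq 1)
}

function Get-SuspiciousScriptBlocks {
    param(
        [int]$Hours = 24,
        # Constructed pattern list: the page's indicators plus assumed extras; tune per environment
        [string[]]$Patterns = @('Invoke-Expression', '\biex\b', 'FromBase64String', '-EncodedCommand')
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $regex = ($Patterns -join '|')
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the ScriptBlockText EventData field by name from the event XML
        $xml  = [xml]$_.ToXml()
        $text = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ScriptBlockText' }).'#text'
        if ($text -and $text -match $regex) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ProcessId   = $_.ProcessId
                UserId      = $_.UserId
                Match       = $Matches[0]
                Snippet     = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

if (-not (Test-ScriptBlockLoggingEnabled)) {
    Write-Warning 'Script Block Logging policy is not enabled; 4104 events may be missing.'
}
Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

Run it in an elevated session on a host; a non-empty table is a starting point for triage, not proof of exploitation, since administrative scripts legitimately use these cmdlets.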
