On December 9, 2025, as part of Microsoft’s December Patch Tuesday, the company addressed CVE-2025-54100, a publicly disclosed zero-day remote code execution (RCE) vulnerability in Windows PowerShell.
This flaw, rated “Important” with a CVSS v3.1 score of 7.8, stems from improper neutralization of special elements in PowerShell’s command processing, specifically in the Invoke-WebRequest cmdlet. It allows an attacker with no privileges on the target to execute arbitrary code in the context of the user running the command; the attacker still needs that user to run Invoke-WebRequest (directly or through a script) against attacker-controlled content, so delivery relies on social engineering, such as tricking a victim into running a malicious script or fetching a crafted webpage.
Technical Details and Exploitation
The root cause is a command injection weakness in how Invoke-WebRequest parses fetched content. In Windows PowerShell 5.1 the cmdlet, unless told otherwise, hands the response body to the legacy Internet Explorer MSHTML (Trident) engine to build a full Document Object Model (DOM), and script embedded in that content can run during that parsing. No privileges on the target are required and the attack complexity is low, but user interaction is required: the victim has to run a crafted PowerShell command or script. Proof-of-concept (PoC) exploits are publicly available, including demonstrations on YouTube and reports via HackerOne, but Microsoft assesses active exploitation as “less likely”, with no in-the-wild attacks reported as of December 10, 2025.
Attackers could chain this with phishing or another initial access vector: for instance, convincing a user to run Invoke-WebRequest against a server they control that returns HTML with embedded script, leading to code execution and potential persistence or lateral movement. Enterprises that rely on Windows PowerShell for automation are the most exposed, because Windows PowerShell 5.1 ships inbox on fresh installations (including Windows 11 25H2 and Windows Server 2025) while PowerShell 7 has to be installed separately.
Affected Systems and Scope
• Primary Impact: Windows PowerShell 5.1, the inbox engine, and any script or tool that calls its Invoke-WebRequest cmdlet with the default (DOM) parsing.
• Unaffected: PowerShell 7.x, whose Invoke-WebRequest never builds the IE DOM (its -UseBasicParsing switch is accepted only for compatibility), so the flaw is not reachable there.
• Exploitation Requirements: local attack vector and no privileges, but user interaction; in practice the attacker obtains remote execution by deceiving the user into running the command.
This is one of three zero-days patched in December 2025, alongside an actively exploited elevation-of-privilege bug (CVE-2025-62221) in Windows Cloud Files Mini Filter Driver and a disclosed RCE in GitHub Copilot (CVE-2025-64671).
Mitigation and Recommendations
Apply the December 2025 security updates immediately via Windows Update or by manual download from the Microsoft Update Catalog, and reboot afterwards to ensure full remediation. Post-patch, Windows PowerShell displays a security warning prompt when Invoke-WebRequest is used without the -UseBasicParsing parameter. That switch returns the response body as text without loading the MSHTML engine, so no embedded script can run during parsing; scripts that only need the status code, headers or body should add it. Scripts that consume the parsed DOM (the ParsedHtml, Forms or AllElements properties of the response object) cannot simply add the switch and need to be reworked, and unattended scripts left unchanged can stall on the prompt.
For added protection:
• Set the PowerShell execution policy to RemoteSigned or stricter, keeping in mind that execution policy is a safety rail, not a security boundary: it does not stop a user from pasting a command into a console.
• Monitor for Invoke-WebRequest (and its aliases iwr, curl and wget) invoked without -UseBasicParsing, using script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104), and enable that logging where it is not already on.
• Educate users not to run unsolicited PowerShell commands.
• Transition to PowerShell 7 where feasible; its Invoke-WebRequest does not use the legacy parser.
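As an added example (not part of the advisory, not Microsoft's code, and not an exploit), the following Windows PowerShell script ties the mitigation and monitoring guidance above together: it shows the hardened call form with -UseBasicParsing, audits .ps1 and .psm1 files for Invoke-WebRequest calls (under any of its names) that still rely on the default parser, and runs the same check over script block logging events. The audit path, the sample script text at the end, and the assumption that the script block text is the third property (index 2) of an Event ID 4104 record are mine, not the page's.

```powershell
#Requires -Version 5.1
# Added example for this write-up; not Microsoft's code and not a PoC for CVE-2025-54100.
# (1) hardened Invoke-WebRequest call, (2) audit of scripts for calls that still use the
# default (IE DOM) parsing, (3) the same check over script block logs.
# Assumptions: the audit path, the constructed sample text, and Properties[2] on 4104 events.

Set-StrictMode -Version Latest

# In Windows PowerShell 5.1, iwr, curl and wget are built-in aliases of Invoke-WebRequest.
$script:IwrNames = 'Invoke-WebRequest', 'iwr', 'curl', 'wget'

function Test-AffectedEngine {
    # Windows PowerShell 5.1 reports PSEdition 'Desktop'; PowerShell 7 reports 'Core'.
    $PSVersionTable.PSEdition -eq 'Desktop'
}

function Get-PageTextSafely {
    # Hardened form: -UseBasicParsing returns the body as text and never loads MSHTML,
    # so nothing embedded in the response is executed while it is parsed.
    param([Parameter(Mandatory)][uri]$Uri)
    (Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content
}

function Get-IwrCallsWithoutBasicParsing {
    # Parses script text with the PowerShell AST and returns every Invoke-WebRequest
    # command (by any of its names) that does not pass -UseBasicParsing.
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        $script:IwrNames -contains $node.GetCommandName()
    }, $true)

    foreach ($call in $calls) {
        $switches = @($call.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            ForEach-Object { $_.ParameterName })
        # PowerShell accepts unambiguous prefixes; -UseB is the shortest that resolves to
        # -UseBasicParsing (shorter ones collide with -Uri, -UserAgent, -UseDefaultCredentials).
        $hasBasic = $switches | Where-Object {
            $_.Length -ge 4 -and 'UseBasicParsing'.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if (-not $hasBasic) {
            # Splatted parameters (@params) are not inspected and will be reported; review those by hand.
            [pscustomobject]@{ Line = $call.Extent.StartLineNumber; Command = $call.Extent.Text }
        }
    }
}

function Find-UnsafeIwrInScripts {
    # Audits every .ps1/.psm1 under a path (assumed location, e.g. an automation share).
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1 | ForEach-Object {
        $file = $_.FullName
        $text = Get-Content -LiteralPath $file -Raw
        if ($text) {
            Get-IwrCallsWithoutBasicParsing -ScriptText $text |
                Select-Object @{ n = 'File'; e = { $file } }, Line, Command
        }
    }
}

function Find-UnsafeIwrInScriptBlockLogs {
    # Same check over script block logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational).
    # Assumption: the script block text is the third property (index 2) of a 4104 record,
    # matching the order in its message template.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ev   = $_
        $text = [string]$ev.Properties[2].Value
        if ($text) {
            Get-IwrCallsWithoutBasicParsing -ScriptText $text |
                Select-Object @{ n = 'Time'; e = { $ev.TimeCreated } },
                              @{ n = 'RecordId'; e = { $ev.RecordId } }, Line, Command
        }
    }
}

# Constructed sample script text (not real telemetry) so the audit can be exercised offline.
$sample = @'
$r = Invoke-WebRequest -Uri http://intranet.example/status   # default (DOM) parsing
$s = iwr http://intranet.example/api -UseBasicParsing        # hardened call
$t = curl http://intranet.example/page                      # alias, default parsing
'@
Get-IwrCallsWithoutBasicParsing -ScriptText $sample | Format-Table -AutoSize
```

The AST-based check is preferred over a regex because it sees through aliases, parameter prefixes and line continuations the same way the engine does; its known blind spot is splatting, which it deliberately over-reports rather than misses. Run Find-UnsafeIwrInScripts against automation repositories before rolling out the update so that unattended jobs do not stall on the new prompt, and schedule Find-UnsafeIwrInScriptBlockLogs on hosts where script block logging is enabled.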