## https://sploitus.com/exploit?id=C49974A5-ECBD-5008-A6B9-6C43883C1CDB
# CVE-2025-54100 - PowerShell Response Parsing PoC
This repository contains a Proof-of-Concept (PoC) Python script for **CVE-2025-54100**, a critical Remote Code Execution (RCE) vulnerability in Windows PowerShell.
## ๐ Vulnerability Details
**CVE-2025-54100** (CVSS 7.8 High) is a command injection vulnerability in the `Invoke-WebRequest` cmdlet of Windows PowerShell 5.1. It arises from improper neutralization of special elements during the automatic parsing of Web responses.
### Technical Analysis
When `Invoke-WebRequest` is used to fetch content from a URL without the `-UseBasicParsing` switch, PowerShell relies on the Internet Explorer MSHTML engine to parse the HTML response (to populate properties like `.Links`, `.Images`, etc.).
If the response contains specifically crafted HTML with malicious script blocks (e.g., creating `ActiveXObject`), the MSHTML engine may execute this code within the context of the user running the PowerShell command. This allows attackers to achieve **Remote Code Execution (RCE)** on the victim's machine.
### Impact
- **Remote Code Execution:** Attackers can run arbitrary commands (e.g., instantiating `WScript.Shell`).
- **System Compromise:** Full control over the affected system if the user has administrative privileges.
- **Affected Systems:** Windows 10, Windows 11, Windows Server 2008-2025 (systems using PowerShell 5.1).
## ๐ PoC Overview
The provided `CVE-2025-54100.py` script acts as a malicious HTTP server. When a vulnerable PowerShell client connects to it, the server responds with an HTML payload designed to trigger the vulnerability.
**Current Payload:**
The PoC currently uses a safe verification payload. It attempts to instantiate the `WScript.Shell` ActiveX object and uses `alert(1)` (or internal logic) to confirm success, **without** executing harmful commands on the system.
## ๐ Usage
### 1. Start the Malicious Server
Run the python script to start the server on port 8888 (default).
```bash
python3 CVE-2025-54100.py
```
Or specify a custom port:
```bash
python3 CVE-2025-54100.py --port 9001
```
### 2. Trigger the Vulnerability (On Victim)
On a vulnerable Windows machine, run the following PowerShell command (ensure you do **not** use `-UseBasicParsing`):
```powershell
Invoke-WebRequest -Uri "http://:8888"
```
If the system is vulnerable, the hidden script in the HTML response will be executed by the MSHTML parser.
## ๐ก๏ธ Mitigation
Microsoft released patches in December 2025 to address this issue.
1. **Apply Security Updates:** Install the latest Windows security updates.
2. **Use `-UseBasicParsing`:** Always use this switch with `Invoke-WebRequest` in scripts to avoid using the MSHTML engine.
```powershell
Invoke-WebRequest -Uri "http://example.com" -UseBasicParsing
```
3. **PowerShell 7+:** Migrate to PowerShell Core (pwsh), which does not use MSHTML for parsing and is not affected by this specific vector.
## โ ๏ธ Disclaimer
> [!WARNING]
> **This tool is for educational purposes and authorized security testing only.**
> Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
## ๐ References
- [NVD: CVE-2025-54100](https://nvd.nist.gov/vuln/detail/CVE-2025-54100)
- [MSRC: Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100)
- [GitHub: osman1337-security/CVE-2025-54100](https://github.com/osman1337-security/CVE-2025-54100)