Severity
High
Analysis Summary
A newly disclosed Windows PowerShell 0-day vulnerability, tracked as CVE-2025-54100, poses a significant security risk by allowing attackers to execute malicious code on affected systems. Publicly revealed on December 9, 2025, the flaw carries a CVSS score of high and is categorized as Important by Microsoft. The issue arises from improper neutralization of special elements (CWE-77) during PowerShell command processing, making it susceptible to command injection attacks. Although Microsoft currently assesses the likelihood of real-world exploitation as low, the public disclosure increases the threat level.
The vulnerability enables attackers to perform local arbitrary code execution, but it requires local access and user interaction, such as tricking victims into opening malicious files or executing harmful commands. Affected systems include a wide range of Windows operating systems: Windows 10, Windows 11, Windows Server 2008–2025, and various configurations where PowerShell is present. Because the flaw affects core command-handling logic, successful exploitation could allow threat actors to install malware, escalate privileges, or manipulate system tools.
Microsoft has issued security updates for all impacted platforms, with patch versions depending on the OS and deployment type. Organizations using Windows Server 2025, Windows Server 2022, and Windows 11 (24H2/25H2) should apply KB5072033 or KB5074204, while Windows 10 and earlier versions require updates such as KB5071546 or KB5071544. Most patches require a full system reboot, and administrators should be aware of new security prompts triggered after installing updates like KB5074204 or KB5074353, specifically when using Invoke-WebRequest.
To further reduce attack exposure, Microsoft recommends enabling additional PowerShell safeguards outlined in KB5074596, including using the UseBasicParsing switch to prevent script execution from untrusted web content. The coordinated disclosure highlights strong collaboration between Microsoft and the security research community to mitigate threats quickly. Organizations are urged to prioritize patching, enhance PowerShell security settings, and maintain security awareness to protect against this newly disclosed vulnerability.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-54100
Affected Vendors
Remediation
- Apply the latest Microsoft security updates immediately, including: KB5072033 / KB5074204 (Windows Server 2025, Windows Server 2022, Windows 11 24H2 & 25H2), and KB5071546 / KB5071544 (Windows 10 and earlier versions)
- Reboot all systems after installing patches to ensure updates are fully applied.
- Enable PowerShell security measures from KB5074596, including restricting script execution and enforcing safer command policies.
- Use the UseBasicParsing switch with Invoke-WebRequest to prevent untrusted web content from executing script code.
- Limit local user privileges to reduce the impact of command injection attempts.
- Implement application allowlisting to prevent unauthorized PowerShell script execution.
- Block or restrict PowerShell execution for non-admin users wherever possible.
- Increase user awareness training to prevent social engineering attempts requiring user interaction.
- Continuously monitor PowerShell logs for suspicious command injections or abnormal script behavior.
- Ensure endpoint protection solutions are updated to detect malicious PowerShell activity or exploit attempts.