Windows PowerShell Invoke-WebRequest Command Injection RCE
CVE-2025-54100 is a Windows PowerShell remote code execution vulnerability caused by improper neutralization of special elements used in a command. The issue is described as a command injection flaw in how Windows PowerShell processes web content, particularly in scenarios involving Invoke-WebRequest (some reports refer to it by its PowerShell alias, curl). Multiple tracked sources state that a PowerShell script using Invoke-WebRequest may execute scripts included in the HTTP response, and that crafted response bodies can trigger the vulnerable parser logic. Successful exploitation results in code execution in the security context of the user running the PowerShell command. The vulnerability was publicly disclosed before a patch was available and is rated Important, with a reported CVSS score of 7.8.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a proof-of-concept (PoC) exploit for CVE-2025-54100, a remote code execution vulnerability affecting Windows PowerShell 5.1 when using Invoke-WebRequest without the -UseBasicParsing flag. The repository contains four files: a Python FastAPI server (app.py), a README.md with detailed usage and background, a requirements.txt for dependencies, and a LICENSE. The main exploit logic is in app.py, which serves a crafted HTML payload at the root HTTP endpoint. When a vulnerable Windows system accesses this endpoint (e.g., via Invoke-WebRequest or mshta), the HTML/JavaScript attempts to instantiate ActiveX objects to execute calc.exe, demonstrating RCE. The exploit is non-destructive and intended for research/validation. The README provides clear instructions for setup, exploitation, and mitigation. No hardcoded IPs are present in the code, but the README uses example IPs for demonstration. The attack vector is network-based, requiring the victim to access the attacker's HTTP server. The auxiliary /log endpoint is present for client-side logging but is not essential to the exploit. The PoC is mature as a demonstration but not weaponized for broader attacks.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-54100, a command injection vulnerability in Windows PowerShell 5.1's Invoke-WebRequest cmdlet. The repository contains four files: a Python exploit script (CVE-2025-54100.py), a README.md with detailed vulnerability and usage information, a .gitignore, and a requirements.txt listing FastAPI and Uvicorn as dependencies. The main exploit script implements a FastAPI web server that serves a crafted HTML/JavaScript payload at the root endpoint ('/'). When a vulnerable Windows PowerShell client fetches this endpoint using Invoke-WebRequest (without the -UseBasicParsing switch), the response is parsed by the MSHTML engine, which executes the embedded script. The current payload is non-malicious and simply triggers an alert for verification, but the mechanism demonstrates the potential for remote code execution. The exploit is network-based, requiring the victim to connect to the attacker's server. The repository is structured for easy use and testing, with clear instructions and mitigation advice in the README.
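Both PoC descriptions above turn on the same detail: in Windows PowerShell 5.1, Invoke-WebRequest (and its 5.1 aliases iwr, curl and wget) hands an HTML response to the MSHTML engine unless -UseBasicParsing is given. The following audit script is an added example written for this page; it is not code from either PoC repository or from Microsoft. It uses the PowerShell AST parser to list every Invoke-WebRequest call in a script and flag those that do not pass -UseBasicParsing (including abbreviated or explicitly negated forms), so a defender can find the calls to fix while patching rolls out. The sample script text and the C:\Scripts path are constructed assumptions.

```powershell
# Added example: audit PowerShell scripts for Invoke-WebRequest calls that rely on the
# default (MSHTML) parsing mode of Windows PowerShell 5.1. Not from the page's PoC repos.
# Assumptions: iwr, curl and wget resolve to Invoke-WebRequest (true in 5.1, not in 7+);
# the sample script and the C:\Scripts path below are constructed for demonstration.
using namespace System.Management.Automation.Language

function Find-UnsafeInvokeWebRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ScriptText,
        [string]$SourceName = '<inline>'
    )
    $names  = @('Invoke-WebRequest', 'iwr', 'curl', 'wget')
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)

    # Every command invocation, including those inside nested script blocks and functions.
    $calls = $ast.FindAll({ param($n) $n -is [CommandAst] }, $true)
    foreach ($call in $calls) {
        $cmdName = $call.GetCommandName()
        if (-not $cmdName -or $names -notcontains $cmdName) { continue }

        # -UseBasicParsing may be abbreviated (e.g. -UseBasic), so match by prefix.
        # An explicit -UseBasicParsing:$false re-enables MSHTML parsing and counts as unsafe.
        # Limitation: parameters supplied by splatting (@params) are not visible here.
        $basic = $call.CommandElements | Where-Object {
            $_ -is [CommandParameterAst] -and
            'UseBasicParsing'.StartsWith($_.ParameterName, [System.StringComparison]::OrdinalIgnoreCase) -and
            ($null -eq $_.Argument -or $_.Argument.Extent.Text -ne '$false')
        }

        [pscustomobject]@{
            Source  = $SourceName
            Line    = $call.Extent.StartLineNumber
            Command = $cmdName
            Safe    = [bool]$basic
            Text    = $call.Extent.Text
        }
    }
}

# Constructed sample: only the third call asks for basic parsing.
$sample = @'
$r = Invoke-WebRequest -Uri 'https://example.invalid/'          # default parsing -> MSHTML in 5.1
$c = curl 'https://example.invalid/page'                       # alias of Invoke-WebRequest in 5.1
$s = Invoke-WebRequest -Uri 'https://example.invalid/' -UseBasicParsing
'@
Find-UnsafeInvokeWebRequest -ScriptText $sample -SourceName 'sample.ps1' |
    Where-Object { -not $_.Safe } |
    Format-Table Line, Command, Text -AutoSize

# Same audit over a script tree (assumed path); review every row that is not Safe.
Get-ChildItem -Path 'C:\Scripts' -Recurse -Include *.ps1, *.psm1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        Find-UnsafeInvokeWebRequest -ScriptText (Get-Content -LiteralPath $_.FullName -Raw) -SourceName $_.FullName
    } |
    Where-Object { -not $_.Safe }
```

The remediation for each flagged call is to add -UseBasicParsing (or move the script to PowerShell 7, where MSHTML parsing no longer exists) and to install the vendor update; the audit is a stopgap that finds the code paths at risk, not a substitute for the patch.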
Recent activity
58 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Windows data-handling flaw involving curl or Invoke-WebRequest that launches Internet Explorer in the background and can lead to XSS-style command injection scenarios.
A remote code execution vulnerability in PowerShell reported as exploited.
Vulnerability referenced as having a public proof-of-concept; no additional details provided in the content.
A remote code execution vulnerability in PowerShell, publicly disclosed with a proof-of-concept exploit. Exploitation is considered less likely, but the availability of PoC code increases risk.