Windows PowerShell 0-Day Remote Code Execution Vulnerability (CVE-2025-54100)
Microsoft has disclosed a critical 0-day vulnerability in Windows PowerShell, tracked as CVE-2025-54100, which allows attackers to execute arbitrary code on affected systems. The flaw arises from improper neutralization of special elements in PowerShell's command processing, enabling command injection if an attacker can trick a user into running a malicious script or command. Exploitation requires local access and user interaction, but successful attacks can result in privilege escalation and full system compromise, making this vulnerability a significant risk for organizations relying on PowerShell for administration and automation.
No official patch is available yet, and Microsoft has urged organizations to apply immediate mitigations and monitor for updates. The vulnerability is rated as 'Important' with a CVSS score of 7.8, and its potential for chaining with other exploits increases its attractiveness to threat actors. Attack vectors include phishing, watering-hole attacks, and supply-chain compromises where PowerShell scripts are abused during software installation or updates. Security teams are advised to remain vigilant and implement recommended mitigations until a patch is released.
Timeline
Dec 10, 2025
Advisories warn no patch is yet available for the PowerShell zero-day
Follow-on reporting described CVE-2025-54100 as a zero-day and noted that no official patch was available at the time. Organizations were urged to apply mitigations such as restricting PowerShell use, enforcing least privilege, and increasing monitoring for suspicious activity and exploit attempts.
Dec 9, 2025
Microsoft discloses PowerShell RCE flaw CVE-2025-54100
Microsoft publicly disclosed CVE-2025-54100, a Windows PowerShell remote code execution vulnerability caused by improper neutralization of special elements in command processing. The disclosure indicated the flaw could allow malicious command injection and code execution if successfully exploited.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
Related Stories
Microsoft December Patch Tuesday Addresses Multiple Actively Exploited Vulnerabilities
Microsoft released its December Patch Tuesday updates, addressing a total of 57 CVEs, including several critical vulnerabilities that have been actively exploited. Among the most notable is CVE-2025-62221, a Windows Cloud Files Mini Filter Driver flaw rated 7.8 on the CVSS scale, which allows local privilege escalation if an attacker already has code execution on the system. Microsoft confirmed this vulnerability is being exploited as a zero-day, underscoring the urgency for organizations to apply the patch. Additional high-severity vulnerabilities include a PowerShell Remote Code Execution flaw (CVE-2025-54100) and a GitHub Copilot for Jetbrains bug (CVE-2025-64671), both of which are publicly known but not yet observed in active exploitation. Separately, Microsoft also issued a fix for CVE-2025-9491, a high-severity vulnerability in Windows LNK files that has been actively exploited by both state-sponsored and cybercriminal groups. This flaw enables attackers to embed malicious commands in shortcut files, facilitating malware deployment and persistent access to compromised systems. Security experts emphasize the importance of prioritizing these patches, as the vulnerabilities are being leveraged in real-world attacks and could lead to significant compromise if left unaddressed.
1 months ago
Active Exploitation of Patched Windows SMB Client Vulnerability CVE-2025-33073
A critical vulnerability in the Windows SMB client, tracked as CVE-2025-33073, is being actively exploited by threat actors months after Microsoft released a patch. The flaw, which affects Windows 10, Windows 11 (up to version 24H2), and all supported versions of Windows Server, was initially addressed in Microsoft's June 2025 Patch Tuesday update. The vulnerability allows attackers to escalate privileges to SYSTEM level by coercing a victim machine to connect to a malicious SMB server, where the protocol can be compromised. Attackers can exploit this by executing a specially crafted script or convincing users to run such a script, leading to authentication with the attacker's server and subsequent compromise. Security researchers from organizations including CrowdStrike, Synacktiv, GuidePoint Security, BNP Paribas, SySS GmbH, RedTeam Pentesting GmbH, and Google Project Zero contributed to the discovery and public disclosure of the flaw. Some researchers have highlighted that the vulnerability bypasses NTLM reflection mitigations and can be used for authenticated remote command execution, not just privilege escalation as initially described by Microsoft. Technical details and proof-of-concept exploits have been published, increasing the risk of widespread exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-33073 to its Known Exploited Vulnerabilities (KEV) catalog on October 20, 2025, confirming active exploitation in the wild. CISA has mandated that all US federal civilian agencies apply the patch or remove vulnerable systems from operation by November 10, 2025, under Binding Operational Directive 22-01. While this directive is specific to federal agencies, CISA has strongly urged all organizations to remediate the vulnerability immediately due to the ongoing attacks. The vulnerability was publicly disclosed at the time of patch release, but exploitation was not observed until months later, underscoring the importance of timely patch management. Microsoft has not yet issued a public statement regarding the active exploitation. The flaw's ability to bypass existing mitigations and enable remote command execution makes it particularly dangerous for enterprise environments. Organizations that have not yet applied the June 2025 patch remain at significant risk of compromise. The ongoing exploitation highlights the persistent threat posed by delayed patching and the rapid weaponization of disclosed vulnerabilities. Security teams are advised to prioritize remediation and monitor for signs of exploitation related to CVE-2025-33073.
1 months ago
Microsoft WSUS Remote Code Execution Vulnerability Actively Exploited
Microsoft released an urgent out-of-band security update to address a critical remote code execution vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287. The flaw was reportedly under active exploitation in the wild, prompting Microsoft to issue a comprehensive fix outside of its regular update cycle. Security advisories and industry news highlighted the severity of the vulnerability and its inclusion in the U.S. CISA Known Exploited Vulnerabilities catalog, underscoring the immediate risk to organizations relying on WSUS for patch management. The vulnerability allowed attackers to potentially execute arbitrary code on affected WSUS servers, posing a significant threat to enterprise environments. Security experts urged organizations to apply the patch without delay to mitigate the risk of compromise. The rapid response from Microsoft and the attention from security agencies reflect the critical nature of the flaw and the ongoing threat landscape targeting core infrastructure components like WSUS.
1 months ago