Microsoft has released security updates to address a vulnerability in Windows PowerShell (CVE-2025-54100) that could allow local users to execute arbitrary code when using the Invoke-WebRequest cmdlet.

Severity level: CVSS Score: 7.8 (High)

Description: CVE-2025-54100 is a command injection vulnerability in Windows PowerShell, specifically affecting the Invoke-WebRequest cmdlet. The flaw occurs because PowerShell automatically parses HTML content using the MSHTML engine, which can inadvertently execute embedded scripts during parsing. This behavior allows attackers to craft malicious web content that, when processed by Invoke-WebRequest, could lead to unintended script execution. Exploitation requires local access and user interaction, such as running a script that invokes Invoke-WebRequest on a malicious URL.
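
To find scripts that depend on the parsing behavior described above, the following added example (not part of the advisory or of Microsoft's guidance) statically audits script text for Invoke-WebRequest calls that omit -UseBasicParsing, the cmdlet's existing switch for returning HTML without DOM parsing. The function name Find-FullParsingWebRequest, the status labels and the sample script with its placeholder URLs are constructed for illustration.

```powershell
# Added example: flag Invoke-WebRequest calls that rely on full (DOM) parsing.
function Find-FullParsingWebRequest {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Cmdlet name plus its built-in aliases in Windows PowerShell 5.1.
    $names  = 'Invoke-WebRequest', 'iwr', 'curl', 'wget'
    $tokens = $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
            $names -contains $node.GetCommandName()
    }, $true)
    foreach ($call in $calls) {
        $status = 'FullParsing'
        foreach ($element in $call.CommandElements) {
            if ($element -is [System.Management.Automation.Language.CommandParameterAst]) {
                # -UseB is the shortest unambiguous prefix of -UseBasicParsing.
                $name = $element.ParameterName
                if ($name -like 'UseB*' -and 'UseBasicParsing' -like "$name*") {
                    # -UseBasicParsing:$false switches DOM parsing back on.
                    $explicitOff = $element.Argument -and
                        $element.Argument.Extent.Text -eq '$false'
                    if (-not $explicitOff) { $status = 'BasicParsing' }
                }
            }
            elseif ($element -is [System.Management.Automation.Language.VariableExpressionAst] -and
                    $element.Splatted -and $status -eq 'FullParsing') {
                # Splatted hashtables cannot be resolved statically.
                $status = 'ReviewSplat'
            }
        }
        [pscustomobject]@{
            Line   = $call.Extent.StartLineNumber
            Status = $status
            Call   = $call.Extent.Text
        }
    }
}

# Constructed sample script; the URLs are placeholders.
$sample = @'
$page = Invoke-WebRequest -Uri 'https://example.test/index.html'
iwr 'https://example.test/a.txt' -UseBasicParsing -OutFile a.txt
curl https://example.test/b -UseB:$false
Invoke-WebRequest @requestArgs
'@
Find-FullParsingWebRequest -ScriptText $sample | Format-Table -AutoSize
```

Rows reported as FullParsing are calls that go through the HTML parsing path; ReviewSplat rows need a manual check of the splatted hashtable.
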

Affected Versions: All systems using Windows PowerShell 5.1 on vulnerable Windows versions:
Windows 10
Windows 11
Windows Server (2008 through 2025 editions)

Impact: Successful exploitation of this vulnerability may allow attackers to execute arbitrary code on the affected system.

After applying the patch, users will receive a security warning prompt before any web content that could execute scripts is parsed.

Resolution: Please apply the latest security updates released by Microsoft.

Reference: