CVE-2025-54100 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
microsoft	CNA	7.8 HIGH				CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 42%

Affected Products (NVD)

Vendor	Product	Version
microsoft	windows_10_1607	𝑥 < 10.0.14393.8688
microsoft	windows_10_1607	𝑥 < 10.0.14393.8688
microsoft	windows_10_1809	𝑥 < 10.0.17763.8146
microsoft	windows_10_1809	𝑥 < 10.0.17763.8146
microsoft	windows_10_21h2	𝑥 < 10.0.19044.6691
microsoft	windows_10_22h2	𝑥 < 10.0.19045.6691
microsoft	windows_11_23h2	𝑥 < 10.0.22631.6345
microsoft	windows_11_24h2	𝑥 < 10.0.26100.7456
microsoft	windows_11_25h2	𝑥 < 10.0.26200.7456
microsoft	windows_server_2008	-
microsoft	windows_server_2008	-
microsoft	windows_server_2012	-
microsoft	windows_server_2016	𝑥 < 10.0.14393.8688
microsoft	windows_server_2019	𝑥 < 10.0.17763.8146
microsoft	windows_server_2022	𝑥 < 10.0.20348.4529
microsoft	windows_server_2022_23h2	𝑥 < 10.0.25398.2025
microsoft	windows_server_2025	𝑥 < 10.0.26100.7456

𝑥

= Vulnerable software versions

Windows Releases

Platform

Version

Windows 10

1607 (x64, x86)	KB5071543
1809 (x64, x86)	KB5071544
21H2 (arm64, x64, x86)	KB5071546
22H2 (arm64, x64, x86)	KB5071546

Windows 11

23H2 (arm64, x64)	KB5071417
24H2 (arm64, x64)	KB5072033
25H2 (arm64, x64)	KB5072033

Windows Server 2008

Service Pack 2 (x64, x86)	KB5071507
Service Pack 2 Server Core (x64, x86)	KB5071507

Windows Server 2008 R2

Service Pack 1 (x64)	KB5071506
Service Pack 1 Server Core (x64)	KB5071506

Windows Server 2012

Server Core	KB5071505
Standard	KB5071505

Windows Server 2012 R2

Server Core	KB5071503
Standard	KB5071503

Windows Server 2016

Server Core	KB5071543
Standard	KB5071543

Windows Server 2019

Server Core	KB5071544
Standard	KB5071544

Windows Server 2022

23H2 Server Core	KB5071542
Server Core	KB5074353
Standard	KB5074353

Windows Server 2025

Server Core	KB5072033
Standard	KB5072033

Common Weakness Enumeration

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Vulnerability Media Exposure

[ENGLISH] Microsoft Fixes Three Zero-Days in Final Patch Tuesday of 2025
December’s Patch Tuesday sees the release of patches for over 50 CVEs including three zero-days
Published: 2025-12-10T09:45:00+00:00

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54100

https://www.vicarius.io/vsociety/posts/cve-2025-54100-detect-powershell-vulnerability

https://www.vicarius.io/vsociety/posts/cve-2025-54100-mitigate-powershell-vulnerability