7.8

CVE-2025-54100

Medienbericht
Improper neutralization of special elements used in a command ('command injection') in Windows PowerShell allows an unauthorized attacker to execute code locally.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerMicrosoft
Produkt Windows 10 Version 1809
Version < 10.0.17763.8146
Version 10.0.17763.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2019
Version < 10.0.17763.8146
Version 10.0.17763.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2019 (Server Core installation)
Version < 10.0.17763.8146
Version 10.0.17763.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2022
Version < 10.0.20348.4529
Version 10.0.20348.0
Status affected
HerstellerMicrosoft
Produkt Windows 10 Version 21H2
Version < 10.0.19044.6691
Version 10.0.19044.0
Status affected
HerstellerMicrosoft
Produkt Windows 10 Version 22H2
Version < 10.0.19045.6691
Version 10.0.19045.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2025 (Server Core installation)
Version < 10.0.26100.7462
Version 10.0.26100.0
Status affected
HerstellerMicrosoft
Produkt Windows 11 Version 25H2
Version < 10.0.26200.7462
Version 10.0.26200.0
Status affected
HerstellerMicrosoft
Produkt Windows 11 version 22H3
Version < 10.0.22631.6345
Version 10.0.22631.0
Status affected
HerstellerMicrosoft
Produkt Windows 11 Version 23H2
Version < 10.0.22631.6345
Version 10.0.22631.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2022, 23H2 Edition (Server Core installation)
Version < 10.0.25398.2025
Version 10.0.25398.0
Status affected
HerstellerMicrosoft
Produkt Windows 11 Version 24H2
Version < 10.0.26100.7462
Version 10.0.26100.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2025
Version < 10.0.26100.7462
Version 10.0.26100.0
Status affected
HerstellerMicrosoft
Produkt Windows 10 Version 1607
Version < 10.0.14393.8688
Version 10.0.14393.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2016
Version < 10.0.14393.8688
Version 10.0.14393.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2016 (Server Core installation)
Version < 10.0.14393.8688
Version 10.0.14393.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2008 Service Pack 2
Version < 6.0.6003.23666
Version 6.0.6003.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2008 Service Pack 2 (Server Core installation)
Version < 6.0.6003.23666
Version 6.0.6003.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2008 R2 Service Pack 1
Version < 6.1.7601.28064
Version 6.1.7601.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2008 R2 Service Pack 1 (Server Core installation)
Version < 6.1.7601.28064
Version 6.1.7601.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2012
Version < 6.2.9200.25815
Version 6.2.9200.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2012 (Server Core installation)
Version < 6.2.9200.25815
Version 6.2.9200.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2012 R2
Version < 6.3.9600.22920
Version 6.3.9600.0
Status affected
HerstellerMicrosoft
Produkt Windows Server 2012 R2 (Server Core installation)
Version < 6.3.9600.22920
Version 6.3.9600.0
Status affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.38
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secure@microsoft.com 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.