IIS WebDeploy RCE Vulnerability Gets Public PoC

A newly disclosed remote code execution (RCE) vulnerability in Microsoft’s IIS Web Deploy toolchain has captured industry attention after the release of a public proof-of-concept.

Tracked as CVE-2025-53772, this flaw resides in the unsafe deserialization logic of the msdeployagentservice and msdeploy.axd endpoints, allowing authenticated attackers to run arbitrary code on vulnerable web servers.

IIS Web Deploy (msdeploy) is a powerful Microsoft toolset designed to package and synchronize web applications, IIS configurations, and associated resources across environments.

It supports two primary deployment paths: the Web Management Service (WMSvc) accessible via the /msdeploy.axd HTTP(S) endpoint, and the Web Deploy Agent Service (MsDepSvc).

While these features enable seamless application roll-out and rollback, they also broaden the service’s attack surface when input validation is lax.

The vulnerability stems from the way HTTP header values are deserialized. Specifically, Web Deploy reads the MSDeploy.SyncOptions header, expecting a GZip-compressed, Base64-encoded blob.

Internally, this header undergoes Base64 decoding followed by GZip decompression and then deserialization using .NET’s BinaryFormatter.

Because BinaryFormatter will instantiate any object found in the serialized stream, an attacker-controlled payload can coerce the server into executing unwanted commands.

Technical Breakdown of the Flaw

Because the MSDeploy.SyncOptions header reaches the BinaryFormatter deserialization step without strict validation, exploitation is trivial for an attacker who can authenticate to the Web Deploy service.

The exploit chain uses a crafted serialized object graph—typically leveraging delegates—that invokes System.Diagnostics.Process.Start to execute commands like cmd.exe /c calc.

Proof-of-Concept and Impact

A publicly available GitHub gist demonstrates a minimal C# payload generator that builds a SortedSet delegate chain. After serialization, GZip compression, and Base64 encoding, the attacker sends the payload in the SyncOptions header of an HTTP POST to /msdeploy.axd.

Provided the target host accepts the request, the server will decompress, deserialize, and execute the embedded command.

Attackers with valid credentials—often obtained via credential theft or misconfiguration—can deploy backdoors, pivot to other systems, or exfiltrate sensitive data.

Given that many enterprises rely on Web Deploy for automated deployments, the window for post-compromise cleanup can be substantial.

Microsoft has rated CVE-2025-53772 with a severity score of 8.8 and published an advisory urging administrators to apply the latest Web Deploy updates immediately. Until patches are broadly deployed, organizations should:

  • Restrict access to Web Deploy endpoints via IP allow-lists or VPN tunnels.
  • Enforce least-privilege on service accounts used by msdeploy services.
  • Monitor IIS logs for anomalous SyncOptions header use.
  • Consider disabling the MsDepSvc and /msdeploy.axd handlers if not required.
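As an added illustration of the log-monitoring step above (example code, not from the article or from Microsoft), this Python script replays the Base64 and GZip stages the server applies to MSDeploy.SyncOptions on values captured in IIS W3C logs, and flags POSTs to /msdeploy.axd that come from hosts outside a deployment allow-list or whose payload names types associated with the delegate/SortedSet chain described. It assumes IIS logging has been extended with a custom field named SyncOptions sourced from the MSDeploy.SyncOptions request header; the log lines, addresses and payload bytes are constructed.

```python
import base64, binascii, gzip, zlib
# Opening SerializationHeaderRecord of every .NET BinaryFormatter stream (RecordType 0, RootId 1, HeaderId -1, MajorVersion 1).
BINARYFORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff01000000")
# Type names tied to the delegate/SortedSet chain the article describes.
SUSPICIOUS_TYPES = (b"System.Diagnostics.Process", b"SortedSet", b"DelegateSerializationHolder")

def decode_sync_options(value):
    # Replay the server's Base64 -> GZip stages; None if either stage fails.
    try:
        raw = base64.b64decode(value, validate=True)
        return gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else None
    except (binascii.Error, OSError, EOFError, zlib.error):
        return None

def parse_w3c(lines):
    # Yield one dict per W3C record, keyed by the preceding #Fields directive.
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def scan(lines, allowed_ips):
    # Return (timestamp, client ip, reasons) for each suspicious /msdeploy.axd request.
    alerts = []
    for rec in parse_w3c(lines):
        value = rec.get("SyncOptions", "-")
        if rec.get("cs-uri-stem", "").lower() != "/msdeploy.axd" or value == "-":
            continue
        reasons = []
        if rec.get("c-ip") not in allowed_ips:
            reasons.append("client not in deployment allow-list")
        decoded = decode_sync_options(value)
        if decoded is None or not decoded.startswith(BINARYFORMATTER_MAGIC):
            reasons.append("SyncOptions is not a Base64+GZip BinaryFormatter stream")
        elif hits := [t.decode() for t in SUSPICIOUS_TYPES if t in decoded]:
            reasons.append("gadget type names in payload: " + ", ".join(hits))
        if reasons:
            alerts.append((rec["date"] + " " + rec["time"], rec.get("c-ip"), reasons))
    return alerts

_header = lambda p: base64.b64encode(gzip.compress(p)).decode()  # constructed sample value in the header's Base64(GZip(...)) form
SAMPLE_LOG = [  # constructed excerpt: a routine sync from the build host, then one from an unknown host
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status SyncOptions",
    "2025-08-14 09:00:01 10.0.5.20 POST /msdeploy.axd 200 " + _header(BINARYFORMATTER_MAGIC + b"\x00\x00\x00\x00routine sync options"),
    "2025-08-14 09:02:44 203.0.113.7 POST /msdeploy.axd 200 " + _header(BINARYFORMATTER_MAGIC + b"\x00\x00\x00\x00SortedSet`1 System.Diagnostics.Process"),
    "2025-08-14 09:03:10 10.0.5.20 GET /site/index.html 200 -",
]
DEPLOYMENT_HOSTS = {"10.0.5.20"}  # constructed allow-list of legitimate deployment clients
```

Type-name matching is a weak signal on its own; the allow-list check and an unexpected volume of SyncOptions-bearing requests are the more dependable indicators.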

Secure deserialization libraries or custom validation should replace BinaryFormatter where possible.

In high-risk environments, isolating Web Deploy hosts behind dedicated deployment bastions can minimize lateral movement after compromise.

CVE-2025-53772 underscores the enduring dangers of unsafe deserialization and highlights the need for rigorous input validation in deployment pipelines.

Organizations must act swiftly to patch and fortify their Web Deploy infrastructure against this critical RCE threat.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.