Microsoft has disclosed a critical security vulnerability in its Internet Information Services (IIS) Web Deploy tool that could allow attackers to execute arbitrary code remotely on affected systems.
The vulnerability, designated as CVE-2025-53772, was announced on August 12, 2025, and carries an “Important” severity rating with a CVSS score of 8.8 out of 10.
Vulnerability Details         | Information                                     |
CVE ID                        | CVE-2025-53772                                  |
Release Date                  | August 12, 2025                                 |
Assigning CNA                 | Microsoft                                       |
Impact                        | Remote Code Execution                           |
Max Severity                  | Important                                       |
Weakness Type                 | CWE-502: Deserialization of Untrusted Data      |
CVSS Score (Base / Temporal)  | 8.8 / 7.7                                       |
The vulnerability stems from improper deserialization of untrusted data within the Web Deploy framework, a Microsoft tool commonly used for deploying web applications and content to IIS web servers.
This flaw allows an authenticated attacker with only low privileges to gain complete control of a vulnerable system by exploiting the deserialization process.
The attack is particularly concerning because it can be carried out remotely over the network, has low attack complexity, and requires no user interaction.
Once exploited, attackers could achieve high impact across confidentiality, integrity, and availability of the targeted system.
The vulnerability affects the core functionality of Web Deploy, which is widely used in enterprise environments for automated deployment processes.
Security researchers have classified this as a CWE-502 weakness, indicating that the application deserializes untrusted data without sufficiently verifying that the resulting data is valid.
This type of vulnerability has historically been exploited to achieve remote code execution, making it a significant security concern for organizations using IIS Web Deploy.
Microsoft has acknowledged the vulnerability and is expected to release security updates to address the issue.
Organizations using IIS Web Deploy should monitor Microsoft’s security advisories for patch availability and implement updates as soon as they become available.
In the interim, administrators should review access controls for Web Deploy services and consider restricting network access to these services where possible.
The disclosure follows Microsoft’s responsible disclosure timeline, allowing the company to develop and test patches before public announcement.
Security professionals recommend that organizations assess their exposure to this vulnerability by inventorying systems running IIS Web Deploy and prioritizing patch deployment based on their risk assessment.
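The inventory and exposure check recommended above can be scripted. The following PowerShell function is an added example written for this article; it is not Microsoft's code and not part of the original report. It assumes (verify against your own installation) that Web Deploy registers the services MsDepSvc (Web Deployment Agent Service) and WMSVC (Web Management Service), that WMSVC listens on TCP port 8172, and that the product appears under the standard Uninstall registry keys with a DisplayName beginning "Microsoft Web Deploy". The function name, parameter and output object are hypothetical.

```powershell
# Added example (not from the article or from Microsoft): inventory Web Deploy
# exposure on a Windows host so patching and network restrictions can be prioritised.
# Assumptions, to be verified in your environment:
#   - services 'MsDepSvc' and/or 'WMSVC' indicate a Web Deploy endpoint
#   - WMSVC listens on TCP 8172 (the default management port)
#   - the product is listed under the Uninstall keys as "Microsoft Web Deploy*"
function Get-WebDeployExposure {
    [CmdletBinding()]
    param(
        [int]$WmsvcPort = 8172   # assumed default Web Management Service port
    )

    # 1. Installed product, checking both the 64-bit and 32-bit uninstall hives
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Web Deploy*' } |
        Select-Object DisplayName, DisplayVersion

    # 2. Service state: a stopped or disabled service reduces exposure until the patch lands
    $services = Get-Service -Name 'MsDepSvc', 'WMSVC' -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType

    # 3. Is anything actually listening on the management port?
    $listeners = Get-NetTCPConnection -LocalPort $WmsvcPort -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess

    # 4. Enabled inbound firewall rules that admit traffic to that port
    $fwRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq "$WmsvcPort" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Profile, Action

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        WebDeployInstalled   = [bool]$products
        Products             = $products
        Services             = $services
        ListeningOnPort      = [bool]$listeners
        Listeners            = $listeners
        InboundFirewallRules = $fwRules
        # Exposed: installed, listening, and a firewall rule admits inbound traffic on the port.
        # Hosts where this is $true are the first candidates for access restriction and patching.
        Exposed              = ([bool]$products -and [bool]$listeners -and [bool]$fwRules)
    }
}

# Run on the local host; fan out across an inventory list with Invoke-Command, e.g.:
# Invoke-Command -ComputerName (Get-Content .\iis-hosts.txt) -ScriptBlock ${function:Get-WebDeployExposure}
Get-WebDeployExposure | Format-List
```

The Exposed flag is deliberately conservative: a host with the product installed but no listener and no inbound rule is still on the patch list, but a host that is installed, listening and reachable through the firewall is where interim access restrictions should be applied first. Re-run the check after the security update is installed so that DisplayVersion confirms the patched build.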
This vulnerability highlights the ongoing security challenges associated with deserialization flaws in enterprise software, emphasizing the need for robust input validation and secure coding practices in deployment tools that handle sensitive operations.