Redazione RHC : 17 August 2025 08:27
Microsoft's Web Deploy tool has a critical security flaw that could be exploited by authenticated attackers to execute code on affected systems. The bug is tracked as CVE-2025-53772, was disclosed on August 12, 2025, and carries a CVSS score of 8.8, indicating high severity.
The Microsoft Security Response Center (MSRC) has confirmed that, although the vulnerability has not been publicly exploited, it poses significant risks to system confidentiality, integrity, and availability. The flaw stems from the deserialization of untrusted data in Web Deploy and is classified under the CWE-502 weakness category.
This vulnerability affects Web Deploy 4.0 and requires only low privileges to exploit, making it particularly concerning for organizations that use this deployment tool in their infrastructure. It can be exploited by an authenticated attacker over the network with low attack complexity.
Attackers can exploit this flaw by sending malicious HTTP requests to the web server hosting the Web Deploy service. The attack requires low privileges and no user interaction, making it relatively easy to carry out once an attacker has obtained initial access to the system.
Microsoft’s exploitability assessment classifies this vulnerability as “Unlikely to be exploited,” although security experts recommend applying a patch immediately due to the potential risk of remote code execution.
Security researcher Batuhan Er of HawkTrace discovered the vulnerability and reported it to Microsoft through a coordinated vulnerability disclosure process.