Red Hot Cyber


Critical vulnerability in IIS Web Deploy: PoC exploit is now public

Redazione RHC: 3 September 2025 12:30

This week, a proof-of-concept exploit was published for CVE-2025-53772, a critical remote code execution vulnerability in Microsoft’s IIS Web Deploy (msdeploy) tool, which has raised urgent alarms in the .NET and DevOps communities.

CVE-2025-53772 is a critical RCE vulnerability in the msdeploy.axd and msdeployagentservice endpoints of Microsoft Web Deploy, caused by insecure deserialization of HTTP header data transported in GZip + Base64 format. It allows an authenticated attacker to achieve remote code execution.

Microsoft has assigned a CVSS score of 8.8 to CVE-2025-53772. Immediate mitigations include disabling the Web Deploy Agent (MsDepSvc) service, applying strict network ACLs on the msdeploy.axd endpoint, and applying inbound filters to block unexpected MSDeploy.SyncOptions headers.

IIS Web Deploy (msdeploy) is a set of tools that packages and moves web applications, IIS configurations, and provider-based resources to a target environment. It supports two access mechanisms: the Web Management Service (WMSvc) over HTTP(S) at the /msdeploy.axd endpoint, and the Web Deploy Agent Service (MsDepSvc) at the msdeployagentservice endpoint.

Key features include provider-based synchronization and deployment for files, websites, certificates, databases and other resources, plus packaging (GetPackage) and package-applying (Sync) workflows. This high flexibility, when combined with serialization designs that do not rigorously validate inputs, expands the attack surface.

A long-term fix requires replacing BinaryFormatter with a secure serializer (for example, DataContractSerializer with explicit type contracts) and validating all header inputs before deserialization.
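As an added illustration of that fix (not msdeploy's own code; the SyncOptionsDto type, its members and the size limits are assumptions), this C# shows the hardened path the article recommends: the header value is size-checked, Base64-decoded, GZip-inflated under a byte cap, and then read with a DataContractSerializer bound to one explicit contract type instead of BinaryFormatter.

```csharp
using System;
using System.IO;
using System.IO.Compression;
using System.Runtime.Serialization;
using System.Xml;

// Assumed stand-in for the options object carried in the header; msdeploy's real type is not shown on the page.
[DataContract]
public sealed class SyncOptionsDto
{
    [DataMember] public bool WhatIf { get; set; }
    [DataMember] public int RetryAttempts { get; set; }
}

public static class SyncOptionsHeader
{
    const int MaxEncodedChars = 8 * 1024;       // reject oversized header values up front (assumed limit)
    const int MaxInflatedBytes = 64 * 1024;     // bound the GZip output (decompression-bomb guard, assumed limit)
    // The weak pattern the article describes: BinaryFormatter materialises whatever types the
    // stream names, so feeding it attacker-controlled header bytes is remote code execution.
    //   object opts = new BinaryFormatter().Deserialize(Inflate(headerValue));
    // Hardened path: validate, decode with limits, and deserialize into one explicit contract type.
    public static SyncOptionsDto Parse(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue) || headerValue.Length > MaxEncodedChars)
            throw new InvalidDataException("header missing or too large");
        byte[] compressed;
        try { compressed = Convert.FromBase64String(headerValue); }
        catch (FormatException) { throw new InvalidDataException("header is not valid Base64"); }
        using var gz = new GZipStream(new MemoryStream(compressed), CompressionMode.Decompress);
        using var plain = new MemoryStream();
        var buf = new byte[4096];
        int n, total = 0;
        while ((n = gz.Read(buf, 0, buf.Length)) > 0)
        {
            total += n;
            if (total > MaxInflatedBytes) throw new InvalidDataException("inflated payload exceeds limit");
            plain.Write(buf, 0, n);
        }
        plain.Position = 0;
        // DataContractSerializer only instantiates SyncOptionsDto; reader quotas cap XML depth and size,
        // and verifyObjectName rejects a payload whose root element is not the expected contract.
        var quotas = new XmlDictionaryReaderQuotas { MaxDepth = 8, MaxStringContentLength = 1024 };
        using var reader = XmlDictionaryReader.CreateTextReader(plain, quotas);
        var serializer = new DataContractSerializer(typeof(SyncOptionsDto));
        return (SyncOptionsDto)serializer.ReadObject(reader, verifyObjectName: true);
    }
}
```

Any header that fails a check raises InvalidDataException before deserialization is attempted, which is where the article's "validate all header inputs before deserialization" requirement is enforced.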

With the rise of PoC exploits, organizations leveraging IIS Web Deploy should prioritize patching and hardening to prevent authenticated attackers from exploiting this critical RCE vector.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
