Release of Proof-of-Concept Exploit for Remote Code Execution Vulnerability in IIS Web Deploy
A proof-of-concept exploit for CVE-2025-53772, a remote code execution vulnerability in Microsoft's IIS Web Deploy (MsDeploy) tool, was published this week and has drawn immediate attention from the .NET and DevOps communities. The flaw is unsafe deserialization of HTTP header contents in both the MsDeployAgentService and the msdeploy.axd handler: the server reads the MSDeploy.SyncOptions header, Base64-decodes it, GZip-decompresses the result and hands the bytes to BinaryFormatter without validating them first. An attacker who holds valid Web Deploy credentials can therefore place a serialized gadget chain in that header and have the server instantiate whatever objects the chain names, which is exactly what the PoC does: a single HTTP POST to /msdeploy.axd carrying the crafted header launches calc.exe on the target. Authentication is required, but Web Deploy credentials are routinely stored in publish profiles and CI/CD pipelines, so the bar is lower than "authenticated attacker" suggests.
Microsoft rates CVE-2025-53772 at CVSS 8.8 (high). Immediate mitigations: stop and disable the Web Deploy Agent Service (MsDepSvc) on hosts that do not need it, restrict the msdeploy.axd endpoint (normally exposed through the Web Management Service, by default on port 8172) to the IP ranges of your deployment systems, and add inbound filtering that rejects requests carrying an MSDeploy.SyncOptions header on any path other than the deployment endpoint or from any source that is not a known deployment client. Do not simply drop every MSDeploy.SyncOptions header: legitimate Web Deploy clients send it, so a blanket rule breaks deployments. The durable fix belongs in the product itself, where BinaryFormatter must give way to a serializer that does not instantiate arbitrary types, such as DataContractSerializer with an explicit set of known types, and every header must be validated before it is deserialized; organisations should apply Microsoft's update for their Web Deploy version as soon as it is available. With a public PoC in circulation, anyone running IIS Web Deploy should also rotate deployment credentials that may have been exposed and review IIS logs for POSTs to /msdeploy.axd from unexpected sources.
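To make the header-handling described above concrete, the following is an added example (not the page's own code, nor the PoC author's) of the inbound filter suggested in the mitigation paragraph: it decodes an MSDeploy.SyncOptions header the way the article says the server does (Base64, then GZip), bounds the decompression, checks for the BinaryFormatter stream header and scans for type names used by well-known .NET deserialization gadget chains. Everything in it is assumed or constructed: the sample HTTP request, the hostname and credential, the set of gadget markers, and the two sample streams, which are stand-ins carrying type-name strings rather than real Web Deploy objects or working gadget chains.

```python
import base64
import gzip
import zlib
from dataclasses import dataclass, field

# Type names that occur in well-known .NET deserialization gadget chains
# (ysoserial.net and similar). Assumption: a deployment client never needs these.
GADGET_MARKERS = (
    b"System.Windows.Data.ObjectDataProvider",
    b"System.Windows.Markup.XamlReader",
    b"System.Diagnostics.Process",
    b"ActivitySurrogateSelector",
    b"TextFormattingRunProperties",
    b"TypeConfuseDelegate",
)


def looks_like_binaryformatter(data: bytes) -> bool:
    """A BinaryFormatter stream opens with a SerializationHeaderRecord: record type
    0x00, RootId, HeaderId, then MajorVersion=1 and MinorVersion=0 at offsets 9..16."""
    return len(data) >= 17 and data[0] == 0x00 and data[9:17] == b"\x01\x00\x00\x00\x00\x00\x00\x00"


@dataclass
class Verdict:
    allowed: bool
    reason: str
    markers: list = field(default_factory=list)


def inspect_sync_options(value: str, max_bytes: int = 1 << 20) -> Verdict:
    """Base64 -> GZip -> bytes with a decompression bound, then a gadget-name scan."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return Verdict(False, "header is not valid Base64")
    if raw[:2] != b"\x1f\x8b":
        return Verdict(False, "header is not GZip data")
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+: gzip wrapper expected
    try:
        data = inflater.decompress(raw, max_bytes)  # bounded output: no decompression bombs
    except zlib.error:
        return Verdict(False, "GZip decompression failed")
    if inflater.unconsumed_tail or not inflater.eof:
        return Verdict(False, f"decompressed payload exceeds {max_bytes} bytes")
    if not looks_like_binaryformatter(data):  # assumption: real clients always send one
        return Verdict(False, "payload is not a BinaryFormatter stream")
    markers = [m.decode() for m in GADGET_MARKERS if m in data]
    if markers:
        return Verdict(False, "known gadget type names present", markers)
    return Verdict(True, "no known gadget markers")


def parse_request(raw: bytes):
    """Minimal HTTP/1.1 request-head parser: (method, path without query, headers)."""
    lines = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return method, target.split("?", 1)[0], headers


def screen_request(raw: bytes, deploy_paths=("/msdeploy.axd",)) -> Verdict:
    """Inbound rule: the header is acceptable only on the deployment endpoint."""
    _method, path, headers = parse_request(raw)
    value = headers.get("msdeploy.syncoptions")
    if value is None:
        return Verdict(True, "no MSDeploy.SyncOptions header")
    if path.lower() not in deploy_paths:
        return Verdict(False, f"MSDeploy.SyncOptions header on unexpected path {path}")
    return inspect_sync_options(value)


def _lps(s: str) -> bytes:
    """BinaryFormatter LengthPrefixedString: 7-bit variable-length size, then UTF-8."""
    data, n, out = s.encode(), len(s.encode()), bytearray()
    while True:
        low, n = n & 0x7F, n >> 7
        out.append(low | 0x80 if n else low)
        if not n:
            return bytes(out) + data


BF_HEADER = bytes.fromhex("00" "01000000" "ffffffff" "01000000" "00000000")
# Constructed stand-in streams: header, a BinaryLibrary record (0x0C) naming an
# assembly, some strings, MessageEnd (0x0B). "ExampleSyncOptions" is a placeholder.
BENIGN_STREAM = (BF_HEADER + b"\x0c\x02\x00\x00\x00"
                 + _lps("mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089")
                 + _lps("ExampleSyncOptions") + b"\x0b")
HOSTILE_STREAM = (BF_HEADER + b"\x0c\x02\x00\x00\x00"
                  + _lps("PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35")
                  + _lps("System.Windows.Data.ObjectDataProvider") + _lps("System.Diagnostics.Process") + b"\x0b")


def build_request(stream: bytes, path: str = "/msdeploy.axd") -> bytes:
    """Constructed request in the shape the article describes: a POST carrying the header."""
    encoded = base64.b64encode(gzip.compress(stream)).decode()
    return (f"POST {path} HTTP/1.1\r\nHost: deploy.example.internal\r\n"
            "Authorization: Basic ZGVwbG95OnBhc3N3b3Jk\r\n"  # constructed deploy:password
            f"MSDeploy.SyncOptions: {encoded}\r\nContent-Length: 0\r\n\r\n").encode()


if __name__ == "__main__":
    for label, req in (("benign", build_request(BENIGN_STREAM)), ("hostile", build_request(HOSTILE_STREAM)),
                       ("bomb", build_request(b"\x00" * (4 << 20))), ("offpath", build_request(BENIGN_STREAM, "/x.aspx"))):
        v = screen_request(req)
        print(f"{label:8} allowed={v.allowed} reason={v.reason} markers={v.markers}")
```

Run as a script it prints the verdict for each constructed case; in practice the same logic would sit in a reverse proxy or an IIS module in front of msdeploy.axd. The marker list is a blocklist, so an unlisted gadget chain slips past it: treat this as a compensating control that buys time and produces log evidence, not as a substitute for the vendor fix.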
Categories: Cybersecurity Vulnerability, Remote Code Execution, Mitigation Strategies
Tags: CVE-2025-53772, IIS Web Deploy, Remote Code Execution, Deserialization, MSDeploy.SyncOptions, Payload, Mitigation, BinaryFormatter, Authentication, CVSS 8.8