A proof-of-concept exploit for\u00a0CVE-2025-53772,<\/a><\/span>\u00a0a critical remote code execution vulnerability in Microsoft\u2019s IIS Web Deploy (msdeploy)\u00a0tool, was published this week, raising urgent alarms across the .NET and DevOps communities.\u00a0<\/p>\n The flaw resides in the unsafe deserialization of HTTP header contents in both the msdeployagentservice and msdeploy.axd<\/em> endpoints, enabling authenticated attackers to execute arbitrary code on target servers.<\/p>\n At the heart of CVE-2025-53772 is a custom deserialization<\/a> routine that neglects robust input validation.\u00a0<\/p>\n Hawktrace reports<\/a> that the vulnerable code path processes a Base64-encoded, GZip-compressed payload taken from the MSDeploy.SyncOptions HTTP header.<\/p>\n The sequence Base64 decoding followed by GZip decompression<\/a> and BinaryFormatter.Deserialize() fails to enforce type whitelisting, allowing malicious payloads to instantiate dangerous objects.\u00a0<\/p>\n In particular, crafting a SortedSet<string> object backed by a manipulated MulticastDelegate invocation list triggers Process the start, leading to remote code execution.<\/p>\n The publicly available PoC demonstrates how an attacker can abuse .NET\u2019s serialization mechanics:<\/p>\n Sending this payload in an HTTP POST to \/msdeploy.axd results in calc.exe launching on the server.<\/p>\n Microsoft has assigned a CVSS score of 8.8 for CVE-2025-53772. Immediate mitigation steps include disabling the Web Deploy Agent Service (MsDepSvc), enforcing strict network ACLs on the msdeploy.axd endpoint, and applying inbound filtering to block unexpected MSDeploy.SyncOptions headers.\u00a0<\/p>\n Long-term remediation requires replacing BinaryFormatter with a secure serializer (e.g., DataContractSerializer with explicit type contracts) and validating all header inputs before deserialization.<\/p>\n As PoC exploits circulate, organizations that leverage IIS Web Deploy must prioritize patching and hardening to prevent authenticated attackers from exploiting this critical RCE vector.<\/p>\n Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post PoC Exploit Released for IIS WebDeploy Remote Code Execution Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/mark><\/strong>
1. IIS Web Deploy deserialization RCE (CVSS 8.8)
2. PoC uses MSDeploy.SyncOptions header to spawn commands
3. Mitigate by disabling agent, tightening access, and patching<\/pre>\nProof-of-Concept for IIS WebDeploy RCE Flaw<\/strong><\/h2>\n
![\"Public](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/09\/image-36.png?resize=645%2C444&ssl=1\")
<\/figure>\n<\/div>\n\n\n
\n Risk Factors<\/strong><\/td>\n Details<\/strong><\/td>\n<\/tr>\n \n Affected Products<\/td>\n Microsoft Web Deploy (msdeployagentservice & msdeploy.axd)<\/td>\n<\/tr>\n \n Impact<\/td>\n Remote Code Execution (RCE)<\/td>\n<\/tr>\n \n Exploit Prerequisites<\/td>\n Authenticated Web Deploy user; network access to deployment endpoint; ability to send crafted HTTP headers<\/td>\n<\/tr>\n \n CVSS 3.1 Score<\/td>\n 8.8 (High)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Mitigation\u00a0<\/strong><\/h2>\n