CVE-2025-53772
Published 2025-08-12
Priority: P1 (86), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, Exploit, VulnCheck KEV
Exploited in the wild
EPSS: 22.32% (97.4th percentile)
Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | web_deploy_4.0 | < 10.0.2001 | 10.0.2001 |
| microsoft | web_deploy_4.0 | >= 10.0.2000 < 10.0.2001 | 10.0.2001 |
| msrc | web_deploy_4.0 | — | — |
The second range is contained in the first; both say the same thing: Web Deploy 4.0 builds below 10.0.2001 are affected and 10.0.2001 is the fixed build. The msrc row carries no version data.
Detection & IOCs (extracted from sources)
- path: /msdeploy.axd
- other (HTTP request header): msdeploy.method: sync
- other (HTTP request header): msdeploy.syncoptions: h4sia
Rule (Emerging Threats sid:2065401, written in Suricata syntax; the http.uri/http.header sticky buffers and the startswith and to_lowercase keywords are Suricata 5+ features, not Snort 2 keywords):
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Microsoft IIS Web Deploy Remote Code Execution via Insecure Deserialization (CVE-2025-53772)"; flow:established,to_server; http.uri; content:"/msdeploy.axd"; startswith; http.header; to_lowercase; content:"msdeploy.method|3a 20|sync"; content:"msdeploy.syncoptions|3a 20|h4sia"; fast_pattern; reference:url,hawktrace.com/blog/cve-2025-53772; reference:cve,2025-53772; classtype:web-application-attack; sid:2065401; rev:1; metadata:affected_product Microsoft_IIS, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_27, cve CVE_2025_53772, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit traffic targets the Web Deploy handler endpoint /msdeploy.axd at the start of the HTTP URI (startswith match); a query string after the path still matches.
- Malicious requests carry the HTTP header 'msdeploy.method: sync' (matched case-insensitively because the rule lowercases the header buffer first), indicating a sync operation used to trigger deserialization.
- The fast-pattern anchor 'msdeploy.syncoptions: h4sia' in the HTTP header is the high-confidence distinguishing marker for this exploit. 'H4sI' is the base64 encoding of the gzip magic bytes 1f 8b 08, and 'H4sIA' of the full header 1f 8b 08 00, so the rule is keying on a base64-encoded gzip stream in the SyncOptions header; the lowercase form is what the to_lowercase transform leaves to match on.
- The attack vector is an authenticated/authorized attacker sending a malicious HTTP request to the web server over the network.
- Detection should be deployed at the perimeter, internally, and on TLS-decrypting inspection points (SSLDecrypt/TLSDecrypt) to cover encrypted traffic.
- MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190).
- Exploitation requires an authenticated/authorized attacker (CVSS PR:L); unauthenticated exploitation is not indicated, which reduces the exposed surface but not the risk from compromised or insider deployment accounts.
- The Suricata rule (sid:2065401) is an HTTP-layer rule and needs TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to see HTTPS-wrapped Web Deploy traffic; without TLS inspection it will not fire.
- Microsoft's assessment at publication (2025-08-12) was Publicly Disclosed: No, Exploited: No, Exploitation Less Likely. The ITW and VulnCheck KEV status on this page, the exploitation reference dated 2025-10-07 and the rule itself (created 2025-10-27) all postdate that assessment, so the vendor's original rating should not be read as current.
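As an added example, not code from this page, from Emerging Threats or from Microsoft, the following Python stand-in for the rule's three content checks is run over constructed HTTP requests, and a second function shows why 'h4sia' is a stable marker: it is the lowercased base64 encoding of the gzip header bytes 1f 8b 08 00, which every gzip stream begins with. The hostname, credentials and SyncOptions blob are placeholders, and the header normalization assumes Suricata rebuilds its http.header buffer as 'name: value' lines (http.header.raw is the buffer for wire bytes).

```python
"""Rule-equivalent matcher for ET sid:2065401 (CVE-2025-53772), plus a check
of the 'h4sia' marker. Added example; hostnames, credentials and the
SyncOptions blob below are constructed placeholders."""
import base64
import gzip
from typing import Dict, List


def normalized_header_block(raw_request: bytes) -> bytes:
    """Rebuild the header block the way Suricata's http.header buffer is
    assumed to: one 'name: value\\r\\n' line per parsed header, with runs of
    whitespace in the value collapsed, so the rule's '|3a 20|' literal
    matches whatever the client put after the colon."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    out = b""
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if not line:
            continue
        name, _, value = line.partition(b":")
        out += name.strip() + b": " + b" ".join(value.split()) + b"\r\n"
    return out


def request_uri(raw_request: bytes) -> bytes:
    """Second token of the request line (path plus query string)."""
    parts = raw_request.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def matches_sid_2065401(raw_request: bytes) -> bool:
    """Mirror of the rule's content checks, in the rule's order."""
    # http.uri; content:"/msdeploy.axd"; startswith;
    if not request_uri(raw_request).startswith(b"/msdeploy.axd"):
        return False
    # http.header; to_lowercase; content:"msdeploy.method|3a 20|sync";
    hdrs = normalized_header_block(raw_request).lower()
    if b"msdeploy.method: sync" not in hdrs:
        return False
    # content:"msdeploy.syncoptions|3a 20|h4sia"; fast_pattern;
    return b"msdeploy.syncoptions: h4sia" in hdrs


def gzip_base64_prefix(payload: bytes) -> str:
    """First five base64 characters of a gzip stream carrying payload.
    The gzip header starts 1f 8b 08 00 regardless of content, and those
    bytes base64-encode to 'H4sIA'; lowercased that is the rule's 'h4sia'."""
    return base64.b64encode(gzip.compress(payload)).decode("ascii")[:5]


def build_request(uri: bytes, extra_headers: List[bytes]) -> bytes:
    """Constructed sample request; host and credentials are placeholders."""
    lines = [b"POST " + uri + b" HTTP/1.1",
             b"Host: iis.example.test",
             b"Authorization: Basic ZGVwbG95OnBsYWNlaG9sZGVy",
             b"Content-Length: 0"] + extra_headers
    return b"\r\n".join(lines) + b"\r\n\r\n"


# Constructed traffic samples. The SyncOptions value is just gzip+base64 of
# placeholder text, enough to show the prefix; no real gadget chain.
GZIP_BLOB = base64.b64encode(gzip.compress(b"placeholder sync options"))
SAMPLES: Dict[str, bytes] = {
    "exploit_shaped": build_request(
        b"/msdeploy.axd?site=Default%20Web%20Site",
        [b"MSDeploy.Method: Sync", b"MSDeploy.SyncOptions: " + GZIP_BLOB]),
    "sync_without_gzip_blob": build_request(
        b"/msdeploy.axd?site=Default%20Web%20Site",
        [b"MSDeploy.Method: Sync", b"MSDeploy.SyncOptions: none"]),
    "other_handler": build_request(
        b"/api/msdeploy.axd",
        [b"MSDeploy.Method: Sync", b"MSDeploy.SyncOptions: " + GZIP_BLOB]),
    "no_space_after_colon": build_request(
        b"/msdeploy.axd",
        [b"MSDeploy.Method:Sync", b"MSDeploy.SyncOptions:" + GZIP_BLOB]),
}


def scan_samples() -> Dict[str, bool]:
    """Run the matcher over every constructed sample."""
    return {name: matches_sid_2065401(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    print("base64 prefix of any gzip stream:", gzip_base64_prefix(b"anything"))
    for name, hit in scan_samples().items():
        print(f"{name:24s} {'ALERT' if hit else '-'}")
```

The 'other_handler' sample shows that startswith anchors the match to the handler path rather than any URI containing it, and 'sync_without_gzip_blob' shows that a sync request without a gzip-encoded SyncOptions value does not fire; both are properties of the rule, not of the matcher alone.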
CVSS provenance
- nvd: v3.1 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 8.8 HIGH
- vendor_msrc: 8.8 HIGH
GHSA
GHSA-rjw8-72rg-98g5: Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network
ghsa_unreviewed · 2025-08-12 · CVE-2025-53772 · HIGH · CWE-502
Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network.
VulnCheck
Microsoft web_deploy_4.0 Deserialization of Untrusted Data
vulncheck · 2025 · CVE-2025-53772 · HIGH · CVSS 8.8
Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network.
Affected: Microsoft web_deploy_4.0
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://hs-8813571.f.hubspotemail.net/hubfs/8813571/PERISCOPE_VULNINTEL_20251007.pdf
Exploit PoC: https://vulncheck.com/xdb/b0db359ede27; https://vulncheck.com/xdb/943ee770feb1
Microsoft
Web Deploy Remote Code Execution Vulnerability
vendor_msrc · 2025-08-12 · CVE-2025-53772 · HIGH · CWE-502 · CVSS 8.8
Description: Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network.
FAQ: How could an attacker exploit the vulnerability?
An authenticated attacker could exploit the vulnerability by sending a malicious HTTP request to the web server.
Product: Web Deploy
Vendor: Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status (at publication): Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely
Remediation: Release Notes
Reference: https://www.microsoft.com/en-us/download/details.aspx?id=106070
Suricata
ET WEB_SERVER Microsoft IIS Web Deploy Remote Code Execution via Insecure Deserialization (CVE-2025-53772)
suricata · 2025-10-27 · CVE-2025-53772 · HIGH · CVSS 8.8
Rule: sid:2065401, rev:1; the full rule text is listed under Detection & IOCs above.
No public exploits indexed here; the VulnCheck entry above lists two XDB proof-of-concept references.
Timeline: 2025-08-12 Published · Exploited in the wild