CVE-2025-53772
published 2025-08-12

CVE-2025-53772: Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network.

Priority: P186
Severity: high (CVSS 3.1 base score 8.8)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit status: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 22.32% (97.4th percentile)

Affected (3 ranges)

Vendor      Product          Version range               Fixed in
microsoft   web_deploy_4.0   < 10.0.2001                 10.0.2001
microsoft   web_deploy_4.0   >= 10.0.2000 < 10.0.2001    10.0.2001
msrc        web_deploy_4.0   (no version range given)

The two microsoft ranges overlap: the second is a subset of the first, so in practice every Web Deploy 4.0 build earlier than 10.0.2001 is affected and 10.0.2001 is the fixed build.

Detection & IOCs (extracted from sources)

path    /msdeploy.axd
other   msdeploy.method: sync
other   msdeploy.syncoptions: h4sia

suricata (Emerging Threats rule, sid 2065401; the rule uses Suricata 5+ keywords such as the http.uri sticky buffer, startswith and the to_lowercase transform)
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Microsoft IIS Web Deploy Remote Code Execution via Insecure Deserialization (CVE-2025-53772)"; flow:established,to_server; http.uri; content:"/msdeploy.axd"; startswith; http.header; to_lowercase; content:"msdeploy.method|3a 20|sync"; content:"msdeploy.syncoptions|3a 20|h4sia"; fast_pattern; reference:url,hawktrace.com/blog/cve-2025-53772; reference:cve,2025-53772; classtype:web-application-attack; sid:2065401; rev:1; metadata:affected_product Microsoft_IIS, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_27, cve CVE_2025_53772, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit traffic targets the Web Deploy handler endpoint /msdeploy.axd at the start of the HTTP URI path (startswith match).
  • Malicious requests carry the HTTP header 'msdeploy.method: sync' (case-insensitive), indicating a sync operation used to trigger deserialization.
  • The fast-pattern anchor 'msdeploy.syncoptions: h4sia' in the HTTP header is the high-confidence distinguishing marker for this exploit. 'H4sIA' is the base64 encoding of the bytes 1f 8b 08 00 (gzip magic, deflate method, empty flags byte), so the rule is effectively matching a base64-encoded gzip stream in the SyncOptions header, i.e. the compressed container in which the payload is carried.
  • The attack vector is an authenticated/authorized attacker sending a malicious HTTP request to the web server over the network.
  • Detection should be deployed at the perimeter, internally, and on TLS-decrypting inspection points (SSLDecrypt/TLSDecrypt) to cover encrypted traffic.
  • MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190).
  • Exploitation requires an authenticated/authorized attacker; unauthenticated exploitation is not indicated, which reduces the exposed surface but does not remove the risk from compromised or insider accounts.
  • The Suricata rule (sid 2065401) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to be effective against HTTPS-wrapped Web Deploy traffic; without SSL inspection the rule will not fire.
  • The rule's source text rates exploitation 'Less Likely'. That assessment is contradicted by the exploited-in-the-wild status recorded on this page (VulnCheck KEV, EPSS 22.32%), and the CVE was published on 2025-08-12, well before the rule's creation date of 2025-10-27, so it was already public when the rule was written; treat the rule as covering active exploitation, not a theoretical vector.
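The rule's match logic as an added, runnable illustration (this is not code from the page, from the Emerging Threats rule authors or from Microsoft): it applies the three content matches of sid 2065401 to constructed HTTP requests and then goes one step beyond the rule by base64-decoding the SyncOptions value and checking the gzip magic, which shows why 'h4sia' is a usable anchor. The hostname, the credential string and the request bodies are constructed; the gzip blob compresses harmless bytes, so no exploit payload is reproduced.

```python
"""Added example (not from the page or the rule's authors): replay the content
matches of Emerging Threats sid 2065401 against constructed HTTP requests and
show why the 'h4sia' anchor works (it is the base64 of a gzip header)."""
import base64
import binascii
import gzip

TARGET_PATH = b"/msdeploy.axd"
GZIP_MAGIC = b"\x1f\x8b\x08"          # ID1, ID2, CM=8 (deflate)


def gzip_b64_prefix(payload: bytes) -> str:
    """Gzip-compress arbitrary bytes and return the first five base64 chars.
    Every gzip stream with FLG=0 starts 1f 8b 08 00, which encodes to 'H4sIA';
    after the rule's to_lowercase transform that reads 'h4sia'."""
    return base64.b64encode(gzip.compress(payload)).decode()[:5]


def split_request(raw: bytes):
    """Return (request_uri, lower-cased header block, parsed header dict).
    Lower-casing the whole header block mirrors the rule's http.header buffer
    after to_lowercase; the dict is used by the enrichment step below."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    request_line, _sep, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    headers = {}
    for line in header_block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return uri, header_block.lower(), headers


def matches_rule(raw: bytes) -> bool:
    """True when all three content matches of sid 2065401 hold:
    http.uri startswith /msdeploy.axd, and the lower-cased header block
    contains 'msdeploy.method: sync' and 'msdeploy.syncoptions: h4sia'."""
    uri, hdrs, _headers = split_request(raw)
    return (uri.startswith(TARGET_PATH)
            and b"msdeploy.method: sync" in hdrs
            and b"msdeploy.syncoptions: h4sia" in hdrs)


def syncoptions_is_gzip(raw: bytes) -> bool:
    """Enrichment the rule cannot do: base64-decode MSDeploy.SyncOptions and
    check the gzip magic, so triage can confirm the header really carries a
    compressed blob rather than a string that merely starts with 'h4sia'."""
    _uri, _hdrs, headers = split_request(raw)
    try:
        blob = base64.b64decode(headers.get("msdeploy.syncoptions", ""), validate=True)
    except binascii.Error:
        return False
    return blob.startswith(GZIP_MAGIC)


# Constructed samples (not captured traffic). The SyncOptions value is a real
# base64 gzip stream of harmless bytes; host and credential are made up.
SAMPLE_OPTS = base64.b64encode(gzip.compress(b"constructed sample, not a payload")).decode()

HIT = (b"POST /msdeploy.axd?site=Default%20Web%20Site HTTP/1.1\r\n"
       b"Host: deploy.example.test\r\n"
       b"Authorization: Basic Y29uc3RydWN0ZWQ6c2FtcGxl\r\n"
       b"MSDeploy.Method: Sync\r\n"
       b"MSDeploy.SyncOptions: " + SAMPLE_OPTS.encode() + b"\r\n"
       b"Content-Length: 0\r\n\r\n")

# Same headers, different handler: the URI anchor fails, so no alert.
MISS_PATH = HIT.replace(b"/msdeploy.axd", b"/other.axd", 1)

# Right handler and method, but SyncOptions is plain base64 text ("this is
# not gzip"), so the fast pattern fails and there is no alert.
MISS_OPTS = HIT.replace(SAMPLE_OPTS.encode(), b"dGhpcyBpcyBub3QgZ3ppcA==", 1)


def scan(requests):
    """Run both checks over a batch; one (rule_hit, gzip_confirmed) tuple each."""
    return [(matches_rule(r), syncoptions_is_gzip(r)) for r in requests]


if __name__ == "__main__":
    for name, req in (("HIT", HIT), ("MISS_PATH", MISS_PATH), ("MISS_OPTS", MISS_OPTS)):
        print(name, scan([req])[0])
```

Two coverage points follow from the anchor itself. The fifth base64 character encodes the top six bits of the gzip FLG byte, so 'h4sia' only matches streams whose flags byte is zero, which is what standard compressors emit by default but not a guarantee for every gzip writer. And, as the rule metadata already notes, none of this runs on ciphertext: the header buffer is only visible where Web Deploy's HTTPS is decrypted.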

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           3.1       8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck               8.8     HIGH
vendor_msrc             8.8     HIGH