A proof-of-concept exploit for CVE-2025-53772, a crucial distant code execution vulnerability in Microsoft’s IIS Internet Deploy (msdeploy) software, was printed this week, elevating pressing alarms throughout the .NET and DevOps communities.
The flaw resides within the unsafe deserialization of HTTP header contents in each the msdeployagentservice and msdeploy.axd endpoints, enabling authenticated attackers to execute arbitrary code on course servers.
Key Takeaways1. IIS Internet Deploy deserialization RCE (CVSS 8.8)2. PoC makes use of MSDeploy.SyncOptions header to spawn commands3. Mitigate by disabling agent, tightening entry, and patching
Proof-of-Idea for IIS WebDeploy RCE Flaw
On the coronary heart of CVE-2025-53772 is a customized deserialization routine that neglects sturdy enter validation.
Hawktrace experiences that the susceptible code path processes a Base64-encoded, GZip-compressed payload taken from the MSDeploy.SyncOptions HTTP header.
The sequence Base64 decoding adopted by GZip decompression and BinaryFormatter.Deserialize() fails to implement kind whitelisting, permitting malicious payloads to instantiate harmful objects.
Particularly, crafting a SortedSet object backed by a manipulated MulticastDelegate invocation checklist triggers Course of the beginning, resulting in distant code execution.
The publicly accessible PoC demonstrates how an attacker can abuse .NET’s serialization mechanics:
Sending this payload in an HTTP POST to /msdeploy.axd ends in calc.exe launching on the server.
Danger FactorsDetailsAffected ProductsMicrosoft Internet Deploy (msdeployagentservice & msdeploy.axd)ImpactRemote Code Execution (RCE)Exploit PrerequisitesAuthenticated Internet Deploy person; community entry to deployment endpoint; capacity to ship crafted HTTP headersCVSS 3.1 Score8.8 (Excessive)
Mitigation
Microsoft has assigned a CVSS rating of 8.8 for CVE-2025-53772. Instant mitigation steps embrace disabling the Internet Deploy Agent Service (MsDepSvc), implementing strict community ACLs on the msdeploy.axd endpoint, and making use of inbound filtering to dam surprising MSDeploy.SyncOptions headers.
Lengthy-term remediation requires changing BinaryFormatter with a safe serializer (e.g., DataContractSerializer with specific kind contracts) and validating all header inputs earlier than deserialization.
As PoC exploits flow into, organizations that leverage IIS Internet Deploy should prioritize patching and hardening to stop authenticated attackers from exploiting this crucial RCE vector.
Discover this Story Fascinating! Observe us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates.
