
A proof-of-concept exploit for CVE-2025-53772, a high-severity (CVSS 8.8) remote code execution (RCE) vulnerability in Microsoft’s IIS Web Deploy (MSDeploy) tool, has been released. Because Web Deploy is the common path for publishing .NET applications to IIS from build and release pipelines, the flaw directly affects .NET and DevOps teams.
Technical Details
The vulnerability is caused by unsafe deserialization of attacker-controlled HTTP header contents in the msdeployagentservice and msdeploy.axd endpoints. An attacker who holds valid Web Deploy credentials can execute arbitrary code on the target server; the published exploit delivers its payload through the MSDeploy.SyncOptions header.
Key Points
- Vulnerability: IIS Web Deploy deserialization RCE
- CVSS Score: 8.8 (High)
- Mitigation: Disable the Web Deploy Agent, restrict access, and apply patches
Exploit Mechanism
The vulnerable code path reads the MSDeploy.SyncOptions HTTP header, Base64-decodes it, GZip-decompresses the result, and hands the resulting bytes to a deserializer without restricting which types it may instantiate (no type allow-list or serialization binder). Because the deserializer will materialize any serializable .NET type the stream names, an attacker can supply a gadget chain in place of legitimate sync options.
The published exploit uses a SortedSet<string> whose internal comparison is backed by a MulticastDelegate with a manipulated invocation list; when the set is rebuilt during deserialization the delegate fires, starting a process and yielding remote code execution.
Risk Factors
| Risk Factor | Detail |
|---|---|
| Affected Products | Microsoft Web Deploy (msdeployagentservice & msdeploy.axd) |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | Authenticated Web Deploy user; network access to the endpoint; ability to send crafted HTTP headers |
| CVSS 3.1 Score | 8.8 (High) |
Mitigation Strategies
Until the patch is applied, disable the Web Deploy Agent Service (MsDepSvc) where it is not needed, enforce strict network access control lists (ACLs) on the msdeploy.axd endpoint so that only deployment hosts can reach it, and add inbound filtering that blocks requests carrying an MSDeploy.SyncOptions header that does not match the expected Base64 + GZip shape or that names known gadget types. Note that stopping MsDepSvc covers only the agent endpoint; msdeploy.axd is served through the Web Management Service and must be restricted separately. The durable fix, on the vendor side, is replacing BinaryFormatter with a serializer that enforces an explicit type allow-list and validating every header value before it is deserialized.
Organizations utilizing IIS Web Deploy are urged to prioritize patching and hardening to prevent exploitation of this RCE vector.
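The following is an added example, not code from the article or from Microsoft, illustrating both the decode chain described under Exploit Mechanism and the inbound header filter recommended above. It reverses the Base64 and GZip steps, caps the decompressed size so a crafted header cannot bomb the filter, checks for the fixed 17-byte header that every .NET BinaryFormatter stream begins with, and searches for the gadget type names the article mentions. The indicator list, the sample requests and the blobs inside them are constructed for this example and are not real Web Deploy traffic; the verdict policy (block on gadget names, allow otherwise) is an assumption to be tuned, since legitimate clients may also send BinaryFormatter data.

```python
"""Pre-filter for the MSDeploy.SyncOptions header (added example, not project code)."""
import base64
import binascii
import gzip
import zlib

# First 17 bytes of every BinaryFormatter stream (SerializationHeaderRecord:
# record type 0x00, rootId=1, headerId=-1, majorVersion=1, minorVersion=0).
BINARYFORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff0100000000000000")

# Type-name fragments of the gadget chain the article describes. BinaryFormatter
# writes class names as length-prefixed UTF-8, so they appear verbatim in the
# decompressed stream. Illustrative list (assumption); a real filter would be broader.
GADGET_INDICATORS = (
    b"System.Collections.Generic.SortedSet",
    b"MulticastDelegate",
    b"System.Diagnostics.Process",
)

MAX_DECODED = 1 << 20  # 1 MiB cap: a tiny header must not inflate into gigabytes


def decode_sync_options(header_value, max_decoded=MAX_DECODED):
    """Base64-decode then GZip-decompress; None if either step fails or output exceeds the cap."""
    try:
        compressed = base64.b64decode(header_value, validate=True)
    except (binascii.Error, ValueError):
        return None
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    try:
        data = inflater.decompress(compressed, max_decoded + 1)
    except zlib.error:
        return None
    if len(data) > max_decoded:
        return None
    return data


def inspect_sync_options(header_value):
    """Return (verdict, findings) for one header value; verdict is 'block' or 'allow'."""
    data = decode_sync_options(header_value)
    if data is None:
        return "block", ["undecodable"]  # not the Base64+GZip shape the endpoint expects
    findings = []
    if data.startswith(BINARYFORMATTER_MAGIC):
        findings.append("binaryformatter")
    hits = [ind.decode() for ind in GADGET_INDICATORS if ind in data]
    findings.extend("gadget:" + h for h in hits)
    # Assumption: only gadget type names are a hard block; plain BinaryFormatter
    # data is reported but allowed, because legitimate clients may send it too.
    return ("block" if hits else "allow"), findings


def inspect_request(raw_request):
    """Locate MSDeploy.SyncOptions in a raw HTTP request (header section) and inspect it."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "msdeploy.syncoptions":
            return inspect_sync_options(value.strip())
    return "allow", ["header-absent"]


def encode_sync_options(payload):
    """GZip + Base64 a blob the way a client would; used only to build the samples below."""
    return base64.b64encode(gzip.compress(payload)).decode("ascii")


def build_request(blob):
    """Constructed POST to msdeploy.axd carrying the given blob in MSDeploy.SyncOptions."""
    return (
        "POST /msdeploy.axd?site=Default%20Web%20Site HTTP/1.1\r\n"
        "Host: iis.example.test\r\n"
        "Authorization: Basic ZGVwbG95OnBhc3N3b3Jk\r\n"
        "MSDeploy.SyncOptions: " + encode_sync_options(blob) + "\r\n"
        "\r\n"
    )


# Constructed samples: the magic followed by bare type names, not well-formed streams.
MALICIOUS_BLOB = (
    BINARYFORMATTER_MAGIC
    + b"System.Collections.Generic.SortedSet`1\x00MulticastDelegate\x00System.Diagnostics.Process\x00"
)
BENIGN_BLOB = BINARYFORMATTER_MAGIC + b"MSDeploy.Options.Sample\x00"
MALICIOUS_REQUEST = build_request(MALICIOUS_BLOB)
BENIGN_REQUEST = build_request(BENIGN_BLOB)
GARBAGE_REQUEST = "GET /msdeploy.axd HTTP/1.1\r\nMSDeploy.SyncOptions: not-base64!!\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST), ("garbage", GARBAGE_REQUEST)):
        print(label, inspect_request(req))
```

The filter deliberately decodes with a size cap rather than calling gzip.decompress directly: an attacker who controls the header also controls the compression ratio, and a filter that inflates without limit would be a denial-of-service target of its own. Substring matching on type names is a stopgap; the real fix is the type allow-list in the deserializer itself.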