Microsoft has issued a high-priority security advisory for a deserialization vulnerability in its Web Deploy tool that could give authenticated attackers the ability to execute arbitrary code on Windows servers running IIS. The vulnerability, tracked as CVE-2025-53772, affects the Web Deployment Handler—commonly exposed on port 8172—and poses a serious risk to organizations that rely on remote deployment workflows. While the flaw requires an authenticated user, the combination of weak credentials, over-permissive delegation, and internet-exposed management endpoints makes exploitation highly likely in poorly secured environments. The advisory urges immediate patching and details temporary mitigations to reduce exposure until fixes can be applied.
What is Web Deploy and Why Is It Vulnerable?
Web Deploy (MSDeploy) is a Microsoft tool that integrates with IIS's Web Management Service (WMSvc) to enable remote publishing, synchronization, and configuration of web applications. According to official documentation, the handler listens on HTTPS port 8172 at the /MSDeploy.axd endpoint, accepting deployment requests from authenticated users. To allow remote management, administrators must enable WMSvc, create IIS Manager or Windows accounts, and configure delegation rules that define what operations each user can perform. This design is convenient for CI/CD pipelines and developer access, but it also creates an attractive attack surface when not properly hardened.
CVE-2025-53772 stems from unsafe deserialization of untrusted data within the Web Deploy code path. When processing specially crafted deployment requests, the handler may deserialize attacker-supplied binary payloads without adequate type checking or validation. This is a classic deserialization vulnerability: an attacker constructs a malicious object graph—known as a "gadget chain"—that, when deserialized, triggers arbitrary behavior such as spawning processes, executing commands, or manipulating files. Because the vulnerable component runs with high privileges, successful exploitation grants code execution in the context of the w3wp.exe worker process or the msdeploy executable.
Attack Scenarios and Real-World Impact
An attacker needs only a valid Web Deploy account to reach the handler. Credential theft via phishing, credential stuffing, or brute force is often enough to gain a foothold. Once authenticated, the attacker sends a crafted deployment request that includes a malicious serialized payload. When the server processes this request, deserialization leads to remote code execution with the privileges of the application pool identity. From there, the attacker can:
- Drop web shells or backdoors into inetpub directories.
- Harvest credentials from memory or disk.
- Move laterally to other systems on the domain.
- Establish persistence through scheduled tasks, services, or in-memory loaders.
Because Web Deploy is a management channel, the attacker can also modify server configurations, deploy malicious content, and exfiltrate sensitive data. The advisory notes that exploitation can be completely fileless, making detection challenging without proper logging and EDR tooling. Security researchers have long warned about the dangers of exposing management endpoints online, and CVE-2025-53772 exemplifies why such surfaces must be aggressively protected.
Which Systems Are Affected?
Any server running the Web Deployment Tool with the WMSvc enabled and remote connections allowed is vulnerable. This includes IIS 7 and later on Windows Server 2008 through the latest releases. The default configuration often uses basic or Windows authentication, and many organizations leave port 8172 open to the internet or accessible from broad internal networks—placing these systems at heightened risk. The official configuration guide describes how to set up delegated users with limited permissions, but in practice, many deployments rely on permissive rules that grant wide-ranging access to content, databases, and even server-level settings.
Immediate Actions: Patch and Mitigate
Microsoft has released a security update that modifies the vulnerable deserialization logic. All users of Web Deploy must apply this patch immediately. The update is available via Windows Update, the Microsoft Update Catalog, and a standalone download from the Download Center. Prioritize internet-facing hosts and any servers used in production deployment pipelines. Before rolling out, test the patch in a staging environment to avoid disruption.
If patching cannot be completed within 24 to 72 hours, implement the following network-level mitigations:
- Block or whitelist port 8172 at the perimeter firewall, host firewall, or cloud security groups. Allow only known CI/CD server IPs.
- Disable the Web Management Service on servers that do not require remote deployment capabilities. Stop and disable the WMSvc service.
- Rotate all deployment credentials and enforce strong, unique passwords. Where possible, enable multi-factor authentication for administrative accounts that manage web servers.
- Review and tighten delegation rules in IIS Manager. Limit user access to specific sites and providers; avoid granting server-wide permissions unless absolutely necessary.
Detecting Exploitation Attempts
The security community has contributed detailed detection strategies that should be deployed immediately. Focus on these key areas:
IIS and WMSvc Logs
Search for POST requests to /MSDeploy.axd on port 8172 from unexpected source IPs or outside normal deployment windows. Use a SIEM query like:
index=web sourcetype=iis | search cs_uri_stem="/MSDeploy.axd" OR cs_uri_stem="/msdeploy.axd" | stats count by src_ip, cs_uri_stem, cs_method, date_hour
Process Monitoring
Use Sysmon Event ID 1 to detect suspicious child processes spawned by w3wp.exe or msdeploy.exe. Look for cmd.exe, powershell.exe, rundll32.exe, or regsvr32.exe with base64-encoded command lines. An example Sigma rule skeleton:
title: Suspicious POST to MSDeploy Handler with Potential Deserialization Payload
detection:
selection:
EventID: 3
cs_method: "POST"
cs_uri_stem|contains: "MSDeploy.axd"
cs_user_agent|contains:
- "msdeploy"
- "WebDeploy"
condition: selection
level: high
File System Changes
Monitor inetpub directories for newly created or modified .aspx, .ashx, or .asmx files. Look for unusual timestamps, random file names, or files placed outside known application folders. Also check for unexpected scheduled tasks or Windows services that may indicate persistence.
WMSvc Tracing
Enable WMSvc tracing logs (stored by default in %systemdrive%\inetpub\logs\wmsvc\tracinglogfiles\w3svc1). Examine these for failed authorization attempts, unusual provider usage, or requests containing binary or encoded content.
Incident Response If Compromised
If you confirm active exploitation, take these steps immediately:
1. Isolate the affected host from the network to contain the attack, but preserve forensic evidence. Do not power off the machine until memory and disk images are captured.
2. Collect memory dumps, disk images, and all relevant logs (IIS, WMSvc, Windows Event, Sysmon).
3. Rotate all credentials used on the compromised host, including deployment accounts, service accounts, and any credentials that may have been cached.
4. After thorough forensic analysis, rebuild the server from a known-good image. Do not trust in-place remediation, as fileless payloads may be missed.
5. Notify stakeholders and follow your organization's breach notification procedures.
Long-Term Hardening Beyond Patching
Even after applying the fix, adopt these practices to reduce future risk:
- Network segmentation: Place Web Deploy endpoints on dedicated management VLANs with strict access controls.
- Least privilege: Use per-site delegated accounts with the narrowest possible permissions. Avoid reusing accounts across multiple sites.
- Credential hygiene: Enforce strong passwords and use managed identities or certificate-based authentication where possible.
- Monitoring: Forward WMSvc and IIS logs to a central SIEM and create rules for anomalous deployment activity.
- Code safety: Discourage the use of unsafe serializers like BinaryFormatter in custom applications. Encourage developers to adopt safe serialization patterns (e.g., JSON with type whitelisting).
Official Resources
Conclusion
CVE-2025-53772 is a stark reminder that remote management interfaces must be treated as critical attack surfaces. Even with authentication requirements, deserialization flaws can give attackers a direct path to code execution and full server compromise. By patching promptly, deploying robust detection, and adopting a defense-in-depth posture, organizations can protect their IIS environments from this high-severity threat. The time to act is now—isolate those endpoints, apply the update, and hunt for signs of past exploitation before adversaries make the first move.