VTA-004533 – Microsoft Warns of Critical IIS Web Deploy Flaw Enabling Remote Code Execution

On August 12, 2025, Microsoft disclosed CVE-2025-53772, a critical vulnerability in its IIS Web Deploy tool with a CVSS score of 8.8, caused by improper deserialization of untrusted data (CWE-502). The flaw allows authenticated attackers with low privileges to remotely execute arbitrary code, potentially taking full control of affected systems without user interaction.

Since Web Deploy is widely used for automating deployments in enterprise IIS environments, the risk is high, impacting confidentiality, integrity, and availability. Microsoft is preparing a patch, and organizations are urged to monitor advisories, promptly apply updates, restrict network access to Web Deploy services, and review access controls to mitigate exposure.

Severity:
Medium

Attack Surface:
Cloud Service, Endpoint OS, File Transfer, Infrastructure

Tactics:
Execution, Initial Access, Privilege Escalation

Techniques:
T1190 – Exploit Public-Facing Application
T1203 – Exploitation for Client Execution
T1059 – Command and Scripting Interpreter
T1078 – Valid Accounts

Indicator of Compromise :
1. https://otx.alienvault.com/pulse/689e4849389d124bdbcc5ebe

References:
1. https://gbhackers.com/microsoft-iis-web-deploy-vulnerability/

SuperPRO’s Threat Countermeasures Procedures:
1. Update Web Deploy to v4.0 (includes CVE-2025-53772 fix).
2. Confirm no outdated Web Deploy installations (e.g., from Visual Studio) remain.
3. Ensure all Windows/IIS servers receive August 2025 Patch Tuesday updates targeting Web Deploy.
4. Restrict Web Deploy access via firewall—only allow from approved IP ranges.
5. Enforce authenticated access to Web Deploy APIs.
6. Place web content on a non-OS volume and enforce restrictive NTFS permissions.
7. Deploy WAF protection.

Contributed by: Haziq