Microsoft just fixed a serious bug in IIS Web Deploy that could let attackers take over servers


Microsoft has shipped a fix for a serious bug in IIS Web Deploy that could let an attacker take over the servers it publishes to. Tracked as CVE-2025-53772, the flaw carries a CVSS score of 8.8 and comes down to the classic mistake of deserializing untrusted data, the kind of error that often leads straight to remote code execution.



The target here is Web Deploy (msdeploy), Microsoft's publishing tool for pushing applications and content to IIS servers. Versions before 10.0.2001 are affected, and exploitation is straightforward: the attack is network-based, low complexity, and needs no user interaction. The score is 8.8 rather than 9.8 because the attacker needs some valid credentials for the Web Deploy endpoint, a low bar given how often deployment accounts are shared between pipelines or leaked with build configuration. From that foothold they can run arbitrary code on the server, potentially as SYSTEM, the most privileged Windows account, effectively owning the deployment pipeline.


All three impact metrics are rated high: confidentiality, integrity, and availability. In other words, data theft, tampering with deployed content, or a full server outage are all on the table.


Microsoft and security researchers say admins should:

  • Patch now by upgrading to Web Deploy 10.0.2001 or later.
  • Lock down access to Web Deploy endpoints (the Web Deployment Agent Service and the msdeploy.axd handler on the Web Management Service) and only allow dedicated, least-privilege deployment accounts.
  • Audit logs for unexpected deployment activity: successful and failed authentications to the Web Deploy endpoints, deployments outside the normal release window, and pushes from hosts that are not the CI/CD system.
  • Add defence-in-depth controls such as host firewall rules or network segmentation, so the tool is only reachable from the deployment network and never directly from the internet.
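The following PowerShell script is an added example for the checklist above; it is not from the article or from Microsoft's advisory. It checks the installed Web Deploy version against the patched release, shows which services and interfaces expose Web Deploy, flags host firewall rules that open the management port to the whole internet, and pulls recent Web Deploy events for review. The install path, service names, ports, event log name and the 10.0.50.0/24 deployment subnet are documented defaults or placeholders and should be treated as assumptions to adjust for your environment. Run it in an elevated PowerShell session on the IIS host.

```powershell
# Added example (not the article's or Microsoft's code): assess one IIS host for
# CVE-2025-53772 exposure. All paths, names and addresses below are assumptions
# based on default Web Deploy V3 installs; adjust for non-default setups.

$PatchedVersion = [version]'10.0.2001'   # first fixed release named in the advisory

# Default install location of Web Deploy V3 (assumption)
$MsDeployExe = Join-Path $env:ProgramFiles 'IIS\Microsoft Web Deploy V3\msdeploy.exe'

if (-not (Test-Path $MsDeployExe)) {
    Write-Output "msdeploy.exe not found at $MsDeployExe; Web Deploy may not be installed here."
    return
}

# FileVersion is normally of the form 10.0.xxxx.0, which [version] parses directly.
$installed = [version](Get-Item $MsDeployExe).VersionInfo.FileVersion
if ($installed -lt $PatchedVersion) {
    Write-Warning "Web Deploy $installed is below $PatchedVersion and is affected by CVE-2025-53772. Upgrade."
} else {
    Write-Output "Web Deploy $installed is at or above the patched release $PatchedVersion."
}

# Services that accept remote Web Deploy connections (default names and ports):
#   MsDepSvc - Web Deployment Agent Service, HTTP listener on port 80
#   WMSvc    - Web Management Service, HTTPS on port 8172, hosts the msdeploy.axd handler
foreach ($svc in 'MsDepSvc', 'WMSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { Write-Output ('{0,-8} {1}' -f $svc, $s.Status) }
}

# Which addresses are those ports bound to? 0.0.0.0 or :: means every interface,
# which is exactly what you do not want on an internet-facing host.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 80, 8172 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort |
    Format-Table -AutoSize

# Inbound allow rules for 8172 that accept any remote address (the WMSvc installer
# adds one). Windows Firewall evaluates block rules before allow rules, so the fix
# is a scoped allow plus disabling the unscoped one, not a catch-all block rule.
$openRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 8172 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' }

foreach ($r in $openRules) {
    Write-Warning "Inbound allow rule '$($r.DisplayName)' opens TCP 8172 to any remote address; disabling it."
    Disable-NetFirewallRule -Name $r.Name
}

# Placeholder for the CI/CD or admin subnet that legitimately pushes deployments (assumption).
$DeploymentSubnet = '10.0.50.0/24'
if (-not (Get-NetFirewallRule -DisplayName 'WebDeploy-8172-TrustedOnly' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'WebDeploy-8172-TrustedOnly' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 8172 -RemoteAddress $DeploymentSubnet -Profile Any | Out-Null
    Write-Output "Added scoped allow rule for TCP 8172 from $DeploymentSubnet."
}

# Web Deploy registers its own event log, 'Microsoft Web Deploy' (assumption: confirm
# with Get-WinEvent -ListLog *Deploy*). Review the last day for deployments you did
# not expect, and correlate with WMSvc/IIS logs for the source address.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft Web Deploy'; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

The firewall section deliberately does not add a blanket block rule for 8172: Windows Defender Firewall applies block rules ahead of allow rules, so a block for all sources would also cut off the deployment subnet. With the unscoped installer rule disabled and only the scoped allow rule left, the default inbound policy (block when no rule matches) does the rest.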


This isn't the only IIS-related headache right now. A parallel SharePoint bug (CVE-2025-53770), the one exploited in the ToolShell attacks, also abuses deserialization to drop web shells, forcing admins to rotate ASP.NET machine keys and restart IIS after patching. Taken together, it points to a troubling trend: deserialization flaws in Microsoft's web stack that are trivial to exploit and very hard to detect once someone's inside.
