CVE-2025-53772

HIGH EXPLOITED

Web Deploy 4.0 < 10.0.2001 - Authenticated Remote Code Execution via Untrusted Data Deserialization

Title source: llm

Exploitation Summary

CVE-2025-53772 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including sailay1996, Momollax, and go-bi.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2025-53772, targeting Microsoft Web Deploy for remote code execution (RCE). The exploit uses a patched payload template with proper command injection and supports both NTLM and Basic authentication.

Description

Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network.

Exploits (4)

nomisec WORKING POC 46 stars
by sailay1996 · poc
https://github.com/sailay1996/CVE-2025-53772

This repository contains a functional Python exploit for CVE-2025-53772, targeting Microsoft Web Deploy for remote code execution (RCE). The exploit uses a patched payload template with proper command injection and supports both NTLM and Basic authentication.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Web Deploy
Auth required
Prerequisites: Target with Microsoft Web Deploy installed · Valid credentials for authentication · Network access to the target
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC 5 stars
by Momollax · remote-auth
https://github.com/Momollax/CVE-2025-53772-IIS-WebDeploy-RCE

This repository contains a functional PoC exploit for CVE-2025-53772, leveraging unsafe deserialization in IIS WebDeploy to achieve remote code execution. The exploit uses a crafted SortedSet with a manipulated Comparison delegate to trigger arbitrary command execution during deserialization.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: IIS WebDeploy (multiple versions)
No auth needed
Prerequisites: Vulnerable IIS WebDeploy endpoint accessible · Ability to send crafted serialized payloads
devstral-2 · analyzed Feb 19, 2026

nomisec SUSPICIOUS
by go-bi · poc
https://github.com/go-bi/CVE-2025-53772-

The repository contains no exploit code, only a README with external download links and references to unrelated articles. It lacks technical details about CVE-2025-53772 and appears to be a lure for external downloads.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 19, 2026

patchapalooza WORKING POC
by sailay1996 · remote-auth
https://github.com/sailay1996/CVE-2025-53772-standalone

This repository contains a functional Python exploit for CVE-2025-53772, targeting Microsoft Web Deploy for remote code execution. The exploit uses a patched payload template with proper command injection and supports both NTLM and Basic authentication.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Web Deploy
Auth required
Prerequisites: valid credentials · Web Deploy service accessible · NTLM or Basic authentication enabled
devstral-2 · analyzed Feb 23, 2026

Scores

CVSS v3 8.8
EPSS 0.1571
EPSS Percentile 94.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-10-07
CWE
CWE-502
Status published
Products (1)
microsoft/web_deploy_4.0 < 10.0.2001
Published Aug 12, 2025
Tracked Since Feb 18, 2026