Share via

Are Windows App Services using a WebDeploy version that's vulnerable to CVE-2025-53772?

Alexandre Ratte 20 Reputation points
2026-03-26T16:05:18.6266667+00:00

Good day, I'm trying to understand whether Azure App Service is actually vulnerable to CVE-2025-53772, or if the version numbers reported are misleading due to how Microsoft manages the platform.

An internal pen test flagged our App Service for this vulnerability, but I want to confirm whether this is a false positive or not.

Looking into the App Service's Kudu PowerShell, I can see that MsDeploy's file version is set to 7.1.1987.0 and HKLM:\SOFTWARE\Microsoft\IIS Extensions\MSDeploy only shows a key 3 with version 9.0.1987.0

Am I correct in assuming that WebDeploy v3 is used in Windows App Services and that this version is not vulnerable to that CVE?

Azure App Service
Azure App Service

Azure App Service is a service used to create and deploy scalable, mission-critical web apps.

Answer accepted by question author

  1. Praneeth Maddali 9,515 Reputation points Microsoft External Staff Moderator
    2026-03-26T16:22:25.68+00:00

    HI @Alexandre Ratte

    Thanks for reaching us and sharing the exact version details from your Kudu PowerShell session (MsDeploy file version 7.1.1987.0 and the registry key showing 9.0.1987.0). That context makes it really clear what's going on.

    To clarify, your Azure App Service is not affected by CVE-2025-53772. This detection is a common false positive that can occur during penetration testing of managed PaaS environments.

    Here's the explanation: Azure App Service on Windows uses the Kudu deployment engine, which relies on the older Web Deploy v3 components—the same version numbers you've noticed. The CVE in question only impacts Web Deploy 4.0 (specifically versions earlier than 10.0.2001) on self-hosted IIS servers. Since Microsoft manages and patches the App Service platform, the vulnerable Web Deploy 4.0 components are not present in this environment.

    reference:

    For future deployments to Azure App Service, we recommend using ZipDeploy (the modern, preferred method in Kudu) instead of legacy Web Deploy/MSDeploy wherever possible. This is fully supported in Azure DevOps, GitHub Actions, VS Code, and the Azure CLI.

    If the answer is helpful,  Please do click "Accept the answer” and Yes, this can be beneficial to other community members.

    If you have any other questions, let me know in the "comments" and I would be happy to help you

     

    Was this answer helpful?

    2 people found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.