Skip to main content

Microsoft Exchange Server CVE-2023-21529

HIGH
Deserialization of Untrusted Data (CWE-502)
2023-02-14 secure@microsoft.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Added to CISA KEV
Apr 13, 2026 - 18:57 CISA

DescriptionCVE.org

Microsoft Exchange Server Remote Code Execution Vulnerability

AnalysisAI

Remote code execution in Microsoft Exchange Server 2013, 2016, and 2019 allows authenticated attackers to execute arbitrary code on the server via insecure deserialization of untrusted data (CWE-502). The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, and carries an EPSS score of 36.68% (97th percentile), placing it among the highest-risk vulnerabilities. Successful exploitation yields full compromise of confidentiality, integrity, and availability on the targeted Exchange Server.

Technical ContextAI

Microsoft Exchange Server is an enterprise messaging and collaboration platform that exposes multiple network-facing services including Outlook Web Access, Exchange Web Services, and PowerShell remoting endpoints. The root cause is CWE-502 (Deserialization of Untrusted Data), a class of flaw where serialized object payloads received from a client are reconstructed by the server without sufficient type or integrity validation, enabling attacker-controlled gadget chains to execute arbitrary code during deserialization. The affected CPEs cover Exchange Server 2013 CU23, Exchange Server 2016 CU23, and Exchange Server 2019 CU11 and CU12, indicating the flaw resides in shared serialization logic across recent supported branches at the time of disclosure.

RemediationAI

Apply the Patch available per vendor advisory by installing Microsoft's February 2023 security updates for Exchange Server on all affected branches - specifically the security updates for Exchange Server 2013 CU23, Exchange Server 2016 CU23, and Exchange Server 2019 CU11 and CU12 as listed in the Microsoft Security Update Guide entry for CVE-2023-21529. Because exact fix KB identifiers were not provided in the input data, do not substitute invented version numbers; pull the current build numbers directly from the MSRC advisory and verify post-patch using Get-ExchangeServer / HealthChecker. Where immediate patching is impossible, compensating controls include restricting external exposure of OWA, ECP, and EWS endpoints to a VPN or zero-trust gateway (side effect: breaks external mobile and Outlook Anywhere clients), enforcing Extended Protection for Authentication on Exchange virtual directories (side effect: may break legacy or proxied clients until reconfigured), tightening egress filtering from Exchange servers to inhibit post-exploitation C2, and rotating service-account and admin credentials given the credential-theft risk. Disabling Exchange entirely is not a realistic option for most environments, so patching remains the only durable fix.

Share

CVE-2023-21529 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy