Microsoft Exchange Server
CVE-2023-21529
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Microsoft Exchange Server Remote Code Execution Vulnerability
AnalysisAI
Remote code execution in Microsoft Exchange Server 2013, 2016, and 2019 allows authenticated attackers to execute arbitrary code on the server via insecure deserialization of untrusted data (CWE-502). The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code, and carries an EPSS score of 36.68% (97th percentile), placing it among the highest-risk vulnerabilities. Successful exploitation yields full compromise of confidentiality, integrity, and availability on the targeted Exchange Server.
Technical ContextAI
Microsoft Exchange Server is an enterprise messaging and collaboration platform that exposes multiple network-facing services including Outlook Web Access, Exchange Web Services, and PowerShell remoting endpoints. The root cause is CWE-502 (Deserialization of Untrusted Data), a class of flaw where serialized object payloads received from a client are reconstructed by the server without sufficient type or integrity validation, enabling attacker-controlled gadget chains to execute arbitrary code during deserialization. The affected CPEs cover Exchange Server 2013 CU23, Exchange Server 2016 CU23, and Exchange Server 2019 CU11 and CU12, indicating the flaw resides in shared serialization logic across recent supported branches at the time of disclosure.
RemediationAI
Apply the Patch available per vendor advisory by installing Microsoft's February 2023 security updates for Exchange Server on all affected branches - specifically the security updates for Exchange Server 2013 CU23, Exchange Server 2016 CU23, and Exchange Server 2019 CU11 and CU12 as listed in the Microsoft Security Update Guide entry for CVE-2023-21529. Because exact fix KB identifiers were not provided in the input data, do not substitute invented version numbers; pull the current build numbers directly from the MSRC advisory and verify post-patch using Get-ExchangeServer / HealthChecker. Where immediate patching is impossible, compensating controls include restricting external exposure of OWA, ECP, and EWS endpoints to a VPN or zero-trust gateway (side effect: breaks external mobile and Outlook Anywhere clients), enforcing Extended Protection for Authentication on Exchange virtual directories (side effect: may break legacy or proxied clients until reconfigured), tightening egress filtering from Exchange servers to inhibit post-exploitation C2, and rotating service-account and admin credentials given the credential-theft risk. Disabling Exchange entirely is not a realistic option for most environments, so patching remains the only durable fix.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today