⚡ Active KEV CVE-2023-21529 2026-05-17

CVE-2023-21529: Microsoft Exchange Server Deserialization Flaw Exploited in Medusa Ransomware Campaigns

A high-severity deserialization vulnerability in Microsoft Exchange Server enables authenticated attackers to achieve remote code execution, and CISA has confirmed active exploitation tied to ransomware activity.

What Is It

CVE-2023-21529 is a remote code execution vulnerability in Microsoft Exchange Server caused by deserialization of untrusted data (CWE-502). An authenticated attacker can send a crafted request that triggers unsafe deserialization and gains the ability to execute code on the Exchange host. The flaw carries a CVSS 3.1 base score of 8.8 (HIGH) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability.

Why It Matters

CISA added CVE-2023-21529 to the Known Exploited Vulnerabilities catalog on 2026-04-13, confirming exploitation in the wild. The KEV entry flags it as having known ransomware campaign use. Microsoft's threat intelligence ties exploitation to Storm-1175, which has focused on vulnerable web-facing assets in high-tempo Medusa ransomware operations. Exchange remains a high-value target because successful RCE on a mail server typically yields a foothold into the broader enterprise identity and messaging fabric.

What's Vulnerable

Per the NVD CPE configuration, the following Microsoft Exchange Server builds are affected:

Exploitation requires authentication (PR:L), but on Exchange that bar is routinely cleared via phished or sprayed mailbox credentials.

Patch Status

Microsoft published a vendor advisory and patch under MSRC for CVE-2023-21529 (originally disclosed 2023-02-14). CISA's required action under BOD 22-01 is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The remediation due date for federal civilian agencies is 2026-04-27. Private sector defenders running any of the affected CU levels should treat that date as the outer bound, not the goal.
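A small triage helper, added here as an example and not part of the brief or of any CISA tooling, shows how a defender can turn a KEV entry into an internal deadline. The record embedded below is constructed in the shape of the CISA KEV JSON feed (fields such as cveID, dateAdded, dueDate and knownRansomwareCampaignUse) using only the dates and flags stated in this brief; the vulnerabilityName text, the seven-day internal SLA and the priority labels are this example's own assumptions.

```python
"""Offline triage of a CISA KEV catalog entry (added example).

Parses a KEV-shaped record, reports the BOD 22-01 remediation window,
and derives a tighter internal due date for ransomware-linked entries,
reflecting the brief's advice to treat the federal date as the outer
bound rather than the goal.
"""
import json
from datetime import date, timedelta

# Constructed KEV-style record (not the live feed). Dates and the
# ransomware flag come from the brief; the name text is assumed.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-21529",
            "vendorProject": "Microsoft",
            "product": "Exchange Server",
            "vulnerabilityName": "Microsoft Exchange Server Deserialization Vulnerability",
            "dateAdded": "2026-04-13",
            "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                              "BOD 22-01 guidance for cloud services, or discontinue use of "
                              "the product if mitigations are unavailable.",
            "dueDate": "2026-04-27",
            "knownRansomwareCampaignUse": "Known",
        }
    ]
})


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed by CVE id so lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(entry: dict, as_of: date, ransomware_sla_days: int = 7) -> dict:
    """Compute deadlines and priority for one KEV entry as of a given date.

    ransomware_sla_days is an assumed internal policy: entries flagged
    with known ransomware use get a due date no later than dateAdded
    plus this many days, capped at the federal due date.
    """
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    ransomware = entry.get("knownRansomwareCampaignUse", "Unknown") == "Known"
    internal_due = min(due, added + timedelta(days=ransomware_sla_days)) if ransomware else due
    return {
        "cve": entry["cveID"],
        "window_days": (due - added).days,
        "days_until_federal_due": (due - as_of).days,
        "federal_overdue": as_of > due,
        "ransomware": ransomware,
        "internal_due": internal_due.isoformat(),
        "internal_overdue": as_of > internal_due,
        "priority": "P1" if ransomware else "P2",
    }


if __name__ == "__main__":
    feed = load_kev(KEV_SAMPLE)
    report = triage(feed["CVE-2023-21529"], as_of=date(2026, 5, 17))
    for key, value in report.items():
        print(f"{key:24} {value}")
```

Against the brief's own dates the federal window is 14 days and, as of 2026-05-17, the entry is already 20 days past the BOD 22-01 due date; with the assumed ransomware SLA the internal due date would have been 2026-04-20. Swapping KEV_SAMPLE for the downloaded feed is the only change needed to run this across a real catalog.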
