CVE-2023-21529
CVE-2023-21529 is a high-severity vulnerability in Microsoft Exchange Server with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-04-13). The underlying weakness is classified as CWE-502.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- EPSS exploit prediction: 62% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-04-13)
- EU (EUVD) id: EUVD-2023-25697
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-04-13)
- Weakness: CWE-502
- Affected product: Microsoft Exchange Server
- Published:
- Last modified:
Description
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-21529: Microsoft Exchange Server Deserialization RCE Abused in Medusa Ransomware Campaigns
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2023-21529 is a remote code execution vulnerability in Microsoft Exchange Server caused by improper deserialization of untrusted data (CWE-502). An attacker with low-privileged network access can execute arbitrary code on the target server without user interaction. The vulnerability carries a CVSS v3 score of 8.8 and has been listed in CISA's Known Exploited Vulnerabilities catalog, with confirmed exploitation linked to Medusa ransomware operations.
Background
Microsoft Exchange Server remains a high-value target for threat actors due to its central role in enterprise email and calendaring. Vulnerabilities in Exchange often provide an entry point for broader network compromise, data exfiltration, and ransomware deployment. CVE-2023-21529 was disclosed as part of Microsoft's February 2023 Patch Tuesday and initially treated as a standard authenticated RCE; however, its exploitation profile has escalated significantly following confirmed in-the-wild abuse.
Root Cause
The underlying weakness is classified as CWE-502: Deserialization of Untrusted Data. During request processing, Exchange deserializes attacker-controlled input without adequate validation or type checking. This allows the submission of malicious serialized objects that, when deserialized, trigger code execution within the server's security context. The flaw is reachable over the network and does not require administrative privileges or user interaction, making it an attractive target for both opportunistic and targeted threat actors.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H describes the scope of impact:
- Attack Vector (AV): Network — Exploitable remotely across the internet or internal network.
- Attack Complexity (AC): Low — No special conditions or advanced techniques are required.
- Privileges Required (PR): Low — A valid, low-privileged account is sufficient.
- User Interaction (UI): None — No victim interaction is needed.
- Scope (S): Unchanged — The vulnerable component is the impacted component.
- Confidentiality, Integrity, Availability (C/I/A): High — Successful exploitation grants full control over the Exchange server, enabling data theft, email tampering, lateral movement, and service disruption.
Exploitation Walkthrough
Defensive perspective only. The following describes observable attack behavior to aid detection and mitigation; it does not provide weaponized exploit code.
Threat actors with valid credentials authenticate to the Exchange environment and send crafted HTTP requests containing malicious serialized payloads to vulnerable endpoints. During deserialization, the payload executes within the Exchange worker process, granting the attacker code execution at the application level. From this foothold, operators commonly:
- Deploy web shells for persistent access
- Perform credential dumping and lateral movement
- Exfiltrate mailbox data and sensitive attachments
- Stage ransomware payloads, as observed in Medusa ransomware incidents
Ethics caveat: This description is limited to defensive understanding. Attempting to reproduce exploitation on systems without explicit authorization is illegal and unethical.
Affected and Patched Versions
The following Exchange Server configurations are known to be vulnerable based on CPE data:
- Microsoft Exchange Server 2013 — Cumulative Update 23
- Microsoft Exchange Server 2016 — Cumulative Update 23
- Microsoft Exchange Server 2019 — Cumulative Update 11
- Microsoft Exchange Server 2019 — Cumulative Update 12
Administrators should verify their current build against the Microsoft Update Guide and apply the appropriate security update. Out-of-support versions (such as Exchange 2013) require migration to a supported platform rather than patching.
Remediation
- Apply security updates. Microsoft released patches for supported Exchange versions. Prioritize patching externally facing Exchange servers.
- Compensating controls. If immediate patching is not feasible:
- Restrict network access to Exchange Admin Center and Remote PowerShell to trusted administrative hosts only.
- Enable multifactor authentication (MFA) for all Exchange administrative accounts to raise the barrier for the low-privilege prerequisite.
- Place Exchange behind a reverse proxy or Web Application Firewall (WAF) with strict request inspection and rate limiting.
- Disable unnecessary Exchange services and endpoints that are not required for business operations.
- Architecture hardening. Consider transitioning to Exchange Online or implementing Exchange Hybrid with reduced on-premises footprint to minimize attack surface.
Detection
Security teams should monitor for:
- Unusual serialized object patterns in HTTP requests to Exchange endpoints (e.g., unexpected
__typeorObjectStateFormatter-like payloads) - Anomalous PowerShell or web shell activity originating from Exchange worker processes
- Unexpected file writes in Exchange web directories (
\inetpub\wwwroot,\FrontEnd\HttpProxy) - Lateral movement indicators (PsExec, WMI exec, RDP) following authentication from Exchange service accounts
- Mailbox export requests or unusual mailbox access patterns by non-administrative users
Deploy endpoint detection and response (EDR) rules targeting deserialization abuse in ASP.NET and Exchange application pools.
Assessment
With an EPSS score of 0.62104 (99.075th percentile) and confirmed KEV listing as of 13 April 2026, CVE-2023-21529 represents an acute, high-probability threat. The linkage to Medusa ransomware operations underscores that this is not a theoretical risk: threat actors are actively leveraging it for initial access and follow-on encryption. The low attack complexity and network reachability mean that any unpatched, internet-facing Exchange instance with valid credentials is at imminent risk.
Key lessons:
- Deserialization flaws in privileged enterprise applications continue to be prime targets for ransomware affiliates.
- Timely patching of Exchange must be treated as a critical-path operational requirement, not a routine maintenance task.
- MFA and strict network segmentation remain essential compensating controls even when patches are available.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-21529
- https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
Frequently asked questions
- What is CVE-2023-21529?
- Microsoft Exchange Server Remote Code Execution Vulnerability
- How severe is CVE-2023-21529?
- CVE-2023-21529 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-21529 being actively exploited?
- Yes. CVE-2023-21529 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-04-13, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-21529?
- CVE-2023-21529 primarily affects Microsoft Exchange Server. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-21529?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-21529 have an EU (EUVD) identifier?
- Yes. CVE-2023-21529 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-25697. It is also flagged as exploited in the EUVD (since 2026-04-13).
- When was CVE-2023-21529 published?
- CVE-2023-21529 was published on 2023-02-14 and last updated on 2026-06-17.
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-21529
- https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
Affected products (4)
- cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*
More vulnerabilities in Microsoft Exchange Server
- CVE-2007-0213 — Critical (CVSS 10.0): Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails,…
- CVE-2004-0574 — Critical (CVSS 10.0): The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows…
- CVE-2004-0840 — Critical (CVSS 10.0): The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows…
- CVE-1999-0385 — Critical (CVSS 10.0): The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of…
- CVE-2024-21410 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-21709 — Critical (CVSS 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
All CVEs affecting Microsoft Exchange Server →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →