Cyber Resilience

CVE-2023-21529

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked · RCE

Published: 14 February 2023
Modified: 14 April 2026
KEV Added: 13 April 2026
Patch: available (Microsoft security update)
CVSS Score: v3.1 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2704 (96.5th percentile)
Risk Priority: 54 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-21529 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Exchange Server. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 3.5% of all CVEs by exploit likelihood (EPSS 96.5th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-21529 is a remote code execution vulnerability in Microsoft Exchange Server that arises from unsafe deserialization of untrusted data, tracked under CWE-502. The flaw received a CVSS 3.1 base score of 8.8, driven by network attack vector, low attack complexity, and low privileges required, with high impact across confidentiality, integrity, and availability.

An authenticated attacker with low privileges can send specially crafted requests over the network to trigger arbitrary code execution on the Exchange server, enabling full control of the affected system without user interaction.

Microsoft addresses the issue in its security updates, with guidance published through the MSRC portal; CISA's listing of the CVE in its Known Exploited Vulnerabilities catalog signals that organizations should treat applying the available patches as a priority.

The EPSS score peaked at 0.3668 and currently stands at 0.2704. The vulnerability has been observed in active ransomware operations conducted by Storm-1175 against internet-facing assets.

Vulnerability details

Microsoft Exchange Server Remote Code Execution Vulnerability

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 13 April 2026

Related Threats

Threat-Actor Attribution (AI-generated)

Storm-1175: Microsoft attributes exploitation of this Exchange RCE in Medusa ransomware operations to Storm-1175 (2024 blog).

Medusa: Ransomware family whose operators (Storm-1175) exploited CVE-2023-21529 per Microsoft reporting.

Affected Assets

Microsoft Exchange Server 2013, 2016, 2019

Mitigating Controls (NIST 800-53 r5, AI-generated)

SI-2 Flaw Remediation (prevent): Directly requires timely application of vendor patches that remediate the deserialization flaw before exploitation occurs.

SI-10 Information Input Validation (prevent): Enforces validation and sanitization of untrusted data to block unsafe deserialization that leads to arbitrary code execution.

Least privilege (prevent): Restricts privileges of authenticated accounts so that even successful deserialization yields limited system control.
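The patch-status check that the SI-2 control and the "apply available patches as a priority" guidance above call for, written here as an added example for this page (it is not code from the original page, from Microsoft, or from any tracker). It runs from the Exchange Management Shell and assumes WinRM access to each server. The one detail worth knowing is that Get-ExchangeServer's AdminDisplayVersion only reflects the Cumulative Update level and does not change when a Security Update is installed, so the script reads the file version of ExSetup.exe instead, which does change with each SU. The minimum patched build numbers in the table are recalled from the February 2023 Security Update release and are an assumption: confirm them against the MSRC advisory for CVE-2023-21529 before acting on the output.

```powershell
# Added example (not from the original page or from Microsoft).
# Inventories the installed Exchange build on every server in the organisation and
# flags servers below the build that ships the fix. Run from the Exchange Management
# Shell with at least View-Only Organization Management rights and WinRM to each server.

# ASSUMPTION: minimum patched ExSetup.exe builds per Cumulative Update, as recalled for
# the February 2023 SU. Verify against the MSRC advisory before relying on them.
$FixedBuilds = @{
    '15.0.1497' = [version]'15.0.1497.47'   # Exchange 2013 CU23
    '15.1.2507' = [version]'15.1.2507.21'   # Exchange 2016 CU23
    '15.2.986'  = [version]'15.2.986.41'    # Exchange 2019 CU11
    '15.2.1118' = [version]'15.2.1118.25'   # Exchange 2019 CU12
}

function Get-ExSetupVersion {
    param([Parameter(Mandatory)][string]$ComputerName)
    # AdminDisplayVersion does not track Security Updates; the ExSetup.exe file version does.
    # ExchangeInstallPath is a machine environment variable written by Exchange setup.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $vi = (Get-Item (Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe')).VersionInfo
        # Build the string from the numeric parts to avoid zero-padded FileVersion formats.
        '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
}

function Test-ExchangePatchLevel {
    param([hashtable]$Fixed = $FixedBuilds)
    foreach ($srv in Get-ExchangeServer) {
        $v     = [version](Get-ExSetupVersion -ComputerName $srv.Fqdn)
        $cuKey = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build   # identifies the CU

        if ($Fixed.ContainsKey($cuKey)) {
            # Same CU as a fixed build: compare the SU revision number.
            $status = if ($v -ge $Fixed[$cuKey]) { 'Patched' } else { 'VULNERABLE - install SU' }
        } else {
            # CU not in the table. A CU newer than any fixed build for that product line
            # already contains the fix; an older CU is out of support and has no SU.
            $sameProduct = @($Fixed.Values | Where-Object { $_.Major -eq $v.Major -and $_.Minor -eq $v.Minor })
            $newestFixedCu = ($sameProduct | ForEach-Object { $_.Build } | Measure-Object -Maximum).Maximum
            $status = if ($sameProduct.Count -gt 0 -and $v.Build -gt $newestFixedCu) {
                'Patched (CU released after the fix)'
            } else {
                'VULNERABLE - unsupported CU, no SU available; upgrade CU'
            }
        }

        [pscustomobject]@{
            Server         = $srv.Name
            ExSetupVersion = $v
            CU             = $cuKey
            Status         = $status
        }
    }
}

Test-ExchangePatchLevel | Sort-Object Status | Format-Table -AutoSize
```

Servers reported as VULNERABLE on an unsupported CU cannot be fixed by a Security Update alone; they need a CU upgrade first, which is why the script separates that case from the "install SU" case. Because the low-privilege, network-reachable profile of this flaw (PR:L, AV:N) means any mailbox-holder's credentials are enough to reach the vulnerable code path, the output is worth prioritising for internet-facing servers first.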
