CVE-2023-21529
Published: 14 February 2023
Summary
CVE-2023-21529 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Microsoft Exchange Server. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 3.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-21529 is a remote code execution vulnerability in Microsoft Exchange Server that arises from unsafe deserialization of untrusted data, tracked under CWE-502. The flaw received a CVSS 3.1 base score of 8.8, driven by network attack vector, low attack complexity, and low privileges required, with high impact across confidentiality, integrity, and availability.
An authenticated attacker with low privileges can send specially crafted requests over the network to trigger arbitrary code execution on the Exchange server, enabling full control of the affected system without user interaction.
Microsoft has published security updates for the issue via the MSRC guidance portal, and CISA lists the CVE in its Known Exploited Vulnerabilities catalog, so organizations should apply the available patches as a priority.
The associated EPSS score reached a peak of 0.3668 and remains at 0.2704, and the vulnerability has been observed in active ransomware operations conducted by Storm-1175 against internet-facing assets.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-25697
Vulnerability details
Microsoft Exchange Server Remote Code Execution Vulnerability
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 13 April 2026
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of vendor patches that remediate the deserialization flaw before exploitation occurs.
- SI-10 (Information Input Validation): enforces validation and sanitization of untrusted data to block unsafe deserialization that leads to arbitrary code execution.
- Least privilege: restricts the privileges of authenticated accounts so that even successful deserialization yields limited system control.