CVE-2023-21529
Published: 2023-02-14
CVE-2023-21529: Microsoft Exchange Server Remote Code Execution Vulnerability
Priority: P1 (95)
CVSS 3.1: 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2026-04-27
Exploited in the wild
EPSS: 62.10% (99.1th percentile)
Microsoft Exchange Server Remote Code Execution Vulnerability
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | exchange_server | — | — |
| microsoft | microsoft_exchange_server_2013_cumulative_update_23 | >= 15.00.0 < 15.00.1497.047 | 15.00.1497.047 |
| microsoft | microsoft_exchange_server_2016_cumulative_update_23 | >= 15.01.0 < 15.01.2507.021 | 15.01.2507.021 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_11 | >= 15.02.0 < 15.02.0986.041 | 15.02.0986.041 |
| microsoft | microsoft_exchange_server_2019_cumulative_update_12 | >= 15.02.0 < 15.02.1118.025 | 15.02.1118.025 |
| msrc | microsoft_exchange_server_2013_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2016_cumulative_update_23 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_11 | — | — |
| msrc | microsoft_exchange_server_2019_cumulative_update_12 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for authenticated network calls to Exchange Server that may attempt to trigger deserialization of untrusted data, potentially leading to code execution in the context of the server account (SYSTEM).
- Watch for SSRF bypass attempts against Exchange, as prior ProxyNotShell-style SSRF weaknesses have been chained with authenticated RCE vulnerabilities to bypass authentication constraints; similar patterns may emerge for CVE-2023-21529.
- Monitor for Exchange credential brute-force activity, as attackers need valid authentication to exploit CVE-2023-21529 and may attempt brute-force to satisfy this prerequisite.
- CVE-2023-21529 is a deserialization of untrusted data vulnerability; monitor Exchange Server for anomalous deserialization-related activity or unexpected process spawning from Exchange worker processes.
- No public proof-of-concept exploit existed at time of initial disclosure; exploitation is assessed as targeted/stealthy rather than mass exploitation, so high-volume scanning signatures alone may miss attacks.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
CISA
Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
cisa·2026-04-13·CVSS 8.8
CVE-2023-21529 [HIGH] CWE-502 Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
Vulnerability: Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
Affected: Microsoft Exchange Server
Microsoft Exchange Server contains a deserialization of untrusted data vulnerability that allows an authenticated attacker to achieve remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529 ; https://nvd.nist.gov/vuln/detail/CVE-2023-21529
Remediation Due Date: 2026-04-27
Microsoft
Microsoft Exchange Server Remote Code Execution Vulnerability
vendor_msrc·2023-02-14·CVSS 8.8
CVE-2023-21529 [HIGH] CWE-502 Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
FAQ: According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is none (UI:N). What is the target used in the context of the remote code execution?
An attacker exploiting this vulnerability could target the server account for arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.
FAQ: According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?
Yes, the attacker must be authenticated.
Customer Action Required: Yes
Impac
VulDB
Microsoft Exchange Server 2013 CU23/2016 CU23/2019 CU11/2019 CU12 privilege escalation
vuldb·2026-04-13·CVSS 8.8
CVE-2023-21529 [HIGH] Microsoft Exchange Server 2013 CU23/2016 CU23/2019 CU11/2019 CU12 privilege escalation
A vulnerability categorized as very critical has been discovered in Microsoft Exchange Server 2013 CU23/2016 CU23/2019 CU11/2019 CU12. Affected is an unknown function. The manipulation results in privilege escalation.
This vulnerability is identified as CVE-2023-21529. The attack can be executed remotely. Additionally, an exploit exists.
It is advisable to implement a patch to correct this issue.
GHSA
GHSA-hjxr-gv9h-rjxc: Microsoft Exchange Server Remote Code Execution Vulnerability
ghsa_unreviewed·2023-02-14
CVE-2023-21529 [HIGH] GHSA-hjxr-gv9h-rjxc: Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
VulnCheck
Microsoft Exchange Server Deserialization of Untrusted Data
vulncheck·2023·CVSS 8.8
CVE-2023-21529 [HIGH] Microsoft Exchange Server Deserialization of Untrusted Data
Microsoft Exchange Server Deserialization of Untrusted Data
Microsoft Exchange Server Remote Code Execution Vulnerability
Affected: Microsoft Exchange Server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
No detection rules found.
No public exploits indexed.
Hackernews
CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
blogs_hackernews·2026-04-14·CVSS 7.8
[HIGH] CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
## CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added half a dozen security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation.
The list of vulnerabilities is as follows:
- CVE-2026-21643 (CVSS score: 9.1): An SQL injection vulnerability in Fortinet FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
- CVE-2020-9715 (CVSS score: 7.8): A use-after-free vulnerability in Adobe Acrobat Re
Hackernews
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
blogs_hackernews·2026-04-07·CVSS 8.8
[HIGH] China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
## China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and break into susceptible internet-facing systems.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and
Bleepingcomputer
Microsoft links Medusa ransomware affiliate to zero-day attacks
blogs_bleepingcomputer·2026-04-06·CVSS 8.8
[HIGH] Microsoft links Medusa ransomware affiliate to zero-day attacks
## Microsoft links Medusa ransomware affiliate to zero-day attacks
By Sergiu Gatlan
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States."
Microsoft has also observed Storm-1175 operators chaining multiple exploits to gain persistence on compromised systems by creating new user accounts, deploying remote monitoring and management software, stealing credentials, and disabling security software before dropping ransomware payloads.
In October, Microsoft reported that Storm-1175 had been exploiting a maximum-severity GoAnywhere MFT
Bleepingcomputer
Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks
blogs_bleepingcomputer·2023-12-02
## Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks
By Ionut Ilascu
Tens of thousands of Microsoft Exchange email servers in Europe, the U.S., and Asia exposed on the public internet are vulnerable to remote code execution flaws.
The mail systems run a software version that is currently unsupported and no longer receives any type of updates, being vulnerable to multiple security issues, some with a critical severity rating.
## Exchange Server 2007 still running
Internet scans from The ShadowServer Foundation show that there are close to 20,000 Microsoft Exchange servers currently reachable over the public internet that have reached the end-of-life (EoL) stage.
On Friday, more than half of the systems were located in Europe. In North America, there were 6,038 Excha
Talos
Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities
blogs_talos·2023-02-14·CVSS 9.8
CVE-2023-21823 [CRITICAL] Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities
Microsoft released its monthly security update on Tuesday, disclosing 73 vulnerabilities. Of these, 8 are classified as “Critical”, 64 as “Important”, and one as “Moderate”.
According to Microsoft, none of the vulnerabilities had been publicly disclosed before Patch Tuesday, and only three were seen in the wild. The most serious is CVE-2023-21823, a Windows Graphics Component Remote Code Execution Vulnerability, followed by CVE-2023-21715, a Microsoft Publisher Security Features Bypass Vulnerability described below, and CVE-2023-23376, a local Windows Common Log File System Driver Elevation of Privilege Vulnerability.
Three of the most “Critical“ vulnerabilities, which Microsoft considers to be “more likel
Tenable
Microsoft’s February 2023 Patch Tuesday Addresses 75 CVEs (CVE-2023-23376)
blogs_tenable·2023-02-14·CVSS 7.8
[HIGH] Microsoft’s February 2023 Patch Tuesday Addresses 75 CVEs (CVE-2023-23376)
Krebs
Microsoft Patch Tuesday, February 2023 Edition
blogs_krebs·2023-02-14·CVSS 7.3
CVE-2023-23376 [HIGH] Microsoft Patch Tuesday, February 2023 Edition
Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different “zero-day” vulnerabilities that are already being used in active attacks.
Microsoft’s security advisories are somewhat sparse with details about the zero-day bugs. Redmond flags CVE-2023-23376 as an “Important” elevation of privilege vulnerability in the Windows Common Log File System Driver, which is present in Windows 10 and 11 systems, as well as many server versions of Windows.
“Sadly, there’s just a little solid information about this privilege escalation,” said Dustin Childs, head of threat awareness at Trend Micro’s Ze
Greynoiseio
GreyNoise Analysis Of A Quartet of Exchange Remote Code Execution Vulnerabilities: CVE-2023-21529; CVE-2023-21706; CVE-2023-21707; CVE-2023-21710
blogs_greynoiseio·CVSS 8.8
[HIGH] GreyNoise Analysis Of A Quartet of Exchange Remote Code Execution Vulnerabilities: CVE-2023-21529; CVE-2023-21706; CVE-2023-21707; CVE-2023-21710
References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-21529
- https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
Timeline:
- 2023-02-14: Published
- 2026-04-13: Added to CISA KEV
- Exploited in the wild