CVE-2023-21529
published 2023-02-14

CVE-2023-21529: Microsoft Exchange Server Remote Code Execution Vulnerability

Priority: P1, 95, high; 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability, due 2026-04-27
Exploited in the wild
EPSS: 62.10% (99.1th percentile)
Microsoft Exchange Server Remote Code Execution Vulnerability

Affected

11 ranges
Vendor | Product | Version range | Fixed in
microsoft | exchange_server | |
microsoft | exchange_server | |
microsoft | exchange_server | |
microsoft | microsoft_exchange_server_2013_cumulative_update_23 | >= 15.00.0 < 15.00.1497.047 | 15.00.1497.047
microsoft | microsoft_exchange_server_2016_cumulative_update_23 | >= 15.01.0 < 15.01.2507.021 | 15.01.2507.021
microsoft | microsoft_exchange_server_2019_cumulative_update_11 | >= 15.02.0 < 15.02.0986.041 | 15.02.0986.041
microsoft | microsoft_exchange_server_2019_cumulative_update_12 | >= 15.02.0 < 15.02.1118.025 | 15.02.1118.025
msrc | microsoft_exchange_server_2013_cumulative_update_23 | |
msrc | microsoft_exchange_server_2016_cumulative_update_23 | |
msrc | microsoft_exchange_server_2019_cumulative_update_11 | |
msrc | microsoft_exchange_server_2019_cumulative_update_12 | |

Detection & IOCs (extracted from sources)

  • Monitor for authenticated network calls to Exchange Server that may attempt to trigger deserialization of untrusted data, potentially leading to code execution in the context of the server account (SYSTEM).
  • Watch for SSRF bypass attempts against Exchange, as prior ProxyNotShell-style SSRF weaknesses have been chained with authenticated RCE vulnerabilities to bypass authentication constraints — similar patterns may emerge for CVE-2023-21529.
  • Monitor for Exchange credential brute-force activity, as attackers need valid authentication to exploit CVE-2023-21529 and may attempt brute-force to satisfy this prerequisite.
  • CVE-2023-21529 is a deserialization of untrusted data vulnerability; monitor Exchange Server for anomalous deserialization-related activity or unexpected process spawning from Exchange worker processes.
  • No public proof-of-concept exploit existed at time of initial disclosure; exploitation is assessed as targeted/stealthy rather than mass exploitation, so high-volume scanning signatures alone may miss attacks.

CVSS provenance

nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH
vendor_msrc: 8.8 HIGH