Executive Summary
A deserialization of untrusted data vulnerability (CVE-2023-21529) in Microsoft Exchange Server allows an authenticated attacker to achieve remote code execution (RCE) on the target server. The flaw was patched in February 2023 but has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog in April 2026, indicating continued active exploitation against unpatched systems.
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exchange Server remains a high-value target for nation-state actors, ransomware operators, and financially motivated threat groups. Organizations running unpatched Exchange installations should treat this as an immediate remediation priority.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2023-21529 |
| CVSS Score | 8.8 (High) |
| Type | Deserialization of Untrusted Data |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (valid Exchange credentials) |
| User Interaction | None |
| Scope | Unchanged |
| C / I / A Impact | High / High / High |
| Published | February 14, 2023 |
| Patch | KB5023038 |
| KEV Added | April 2026 |
Affected Products
| Product | Vulnerable Versions | Patched Version |
|---|---|---|
| Exchange Server 2013 | Cumulative Update 23 and earlier | Apply KB5023038 |
| Exchange Server 2016 | Cumulative Update 23 | Apply KB5023038 |
| Exchange Server 2019 | Cumulative Update 11, CU12 | CU11 SU10 / CU12 SU6 |
Technical Details
The Deserialization Root Cause
The vulnerability resides in the MultiValuedProperty class within Exchange Server's managed code. This class was permitted on the deserialization allow-list but lacked sufficient validation of untrusted data, enabling attackers to craft a malicious deserialization payload that bypasses standard sanitization mechanisms.
Attack Chain
1. Attacker obtains valid Exchange user credentials (via credential stuffing, phishing, or prior compromise)
2. Attacker sends a crafted HTTP request to an Exchange endpoint that triggers the MultiValuedProperty deserialization path
3. Malicious deserialization payload is processed without sanitization
4. Exchange Server deserializes attacker-controlled data
5. Code execution achieved with Exchange Server process privileges (SYSTEM)
6. Attacker can install webshells, exfiltrate email data, or pivot further
Why Authentication Doesn't Fully Mitigate Risk
While this vulnerability requires low-privilege authentication, Exchange credentials are routinely stolen through:
- Phishing campaigns targeting Exchange users
- Credential stuffing from leaked password databases
- Pass-the-hash / pass-the-ticket attacks from adjacent compromised hosts
- Password spraying against Outlook Web Access (OWA)
A single compromised Exchange account is sufficient to trigger this vulnerability, making it highly relevant in post-initial-access scenarios common to ransomware and espionage operations.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full code execution on the Exchange Server as SYSTEM |
| Email Data Exfiltration | Access to all mailboxes on the Exchange organization |
| Webshell Deployment | Persistent access via server-side webshells |
| Lateral Movement | Exchange servers have broad AD trust — ideal pivot point |
| Ransomware Staging | Exchange breach frequently precedes domain-wide ransomware |
| Credential Harvesting | Exchange credentials and cached authentication tokens |
Recommendations
Immediate Patching
- Apply KB5023038 — Install the February 2023 cumulative update for your Exchange version
- Verify installation — Confirm the update applied via Get-ExchangeDiagnosticInfo
- Prioritize internet-facing Exchange — OWA/EWS exposed to the internet is highest risk
Exchange Version Upgrade Paths
Exchange 2016 CU23 → Apply KB5023038 (SU6)
Exchange 2019 CU11 → Apply CU11 SU10
Exchange 2019 CU12 → Apply CU12 SU6
Exchange 2013 → Urgent: Exchange 2013 reached end of support April 2023
Hardening Recommendations
- Restrict OWA access by IP if external access is not required
- Enable Extended Protection for Authentication (EPA) on all Exchange virtual directories
- Implement MFA on all Exchange/Outlook accounts — reduces credential abuse risk
- Monitor Exchange IIS logs for anomalous POST requests to EWS/OWA endpoints
- Deploy AMSI integration — Exchange 2016/2019 supports AMSI for scanning scripts
Detection Indicators
| Indicator | Description |
|---|---|
| Unusual POST requests to /EWS/Exchange.asmx | Potential exploitation attempt |
| Unexpected process spawning from w3wp.exe | Webshell or code execution activity |
| New .aspx files created in Exchange directories | Webshell deployment |
| Outbound connections from Exchange to unusual IPs | C2 beaconing post-exploitation |
| Exchange logs showing authenticated access from unexpected countries | Compromised credentials |
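The first two indicators in the table can be checked with a short script. The following is an added example, not part of the advisory: it parses IIS W3C log lines (the five lines below are constructed sample data, not captured from a real server), groups EWS POSTs by client IP and account, and flags clients using a non-mail-client user agent or producing repeated 5xx responses. The user-agent allow-list and the error threshold are assumptions for this example and should be tuned to your environment. The last function is a live check on the local server for child processes of w3wp.exe.

```powershell
# Added example (not part of the advisory): parse IIS W3C log lines and flag the
# "unusual POST requests to /EWS/Exchange.asmx" indicator. The log lines, the
# user-agent allow-list and the error threshold are constructed assumptions.

# Constructed sample log (not from a real server). Exchange front-end IIS logs
# carry cs-username for authenticated requests, which lets us group by account.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-04-02 08:01:10 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\alice 10.0.1.20 Microsoft+Office/16.0 200 120
2026-04-02 08:01:11 10.0.0.5 GET /owa/ - 443 CORP\alice 10.0.1.20 Mozilla/5.0 200 35
2026-04-02 08:02:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\bob 203.0.113.77 python-requests/2.31 200 940
2026-04-02 08:02:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\bob 203.0.113.77 python-requests/2.31 500 2210
2026-04-02 08:02:03 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\bob 203.0.113.77 python-requests/2.31 500 2180
'@

# Turn W3C log lines into objects, using the #Fields header for property names.
function ConvertFrom-IisLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$entry
    }
}

# Group EWS POSTs by client IP and account; flag clients whose user agent is not
# a known mail client, or that trigger repeated 5xx responses (a malformed
# payload that fails inside the server often surfaces as server errors).
function Find-SuspiciousEwsPosts {
    param(
        [object[]]$Entries,
        [string[]]$KnownAgentPrefixes = @('Microsoft Office', 'Outlook', 'MacOutlook'),  # assumed allow-list
        [int]$ServerErrorThreshold = 2                                                    # assumed threshold
    )
    $ewsPosts = $Entries | Where-Object {
        $_.'cs-method' -eq 'POST' -and $_.'cs-uri-stem' -like '/EWS/Exchange.asmx*'
    }
    $ewsPosts | Group-Object -Property 'c-ip', 'cs-username' | ForEach-Object {
        $first  = $_.Group[0]
        $agent  = $first.'cs(User-Agent)' -replace '\+', ' '   # IIS encodes spaces as '+'
        $known  = [bool]($KnownAgentPrefixes | Where-Object { $agent.StartsWith($_) })
        $errors = @($_.Group | Where-Object { [int]$_.'sc-status' -ge 500 }).Count
        [pscustomobject]@{
            ClientIp     = $first.'c-ip'
            User         = $first.'cs-username'
            UserAgent    = $agent
            Requests     = $_.Count
            ServerErrors = $errors
            Suspicious   = (-not $known) -or ($errors -ge $ServerErrorThreshold)
        }
    }
}

# Live check for the "unexpected process spawning from w3wp.exe" indicator on the
# local server: any child of an IIS worker process deserves a look.
function Get-W3wpChildProcess {
    $procs   = Get-CimInstance -ClassName Win32_Process
    $w3wpIds = @($procs | Where-Object Name -eq 'w3wp.exe' | ForEach-Object ProcessId)
    $procs | Where-Object { $w3wpIds -contains $_.ParentProcessId } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

$entries = ConvertFrom-IisLog -Lines ($SampleLog -split "`r?`n")
Find-SuspiciousEwsPosts -Entries $entries | Format-Table -AutoSize
```

To run this against real data, replace `$SampleLog` with `Get-Content` over the front-end IIS log directory (by default under `C:\inetpub\logs\LogFiles`), and feed `Get-W3wpChildProcess` into whatever EDR or SIEM pipeline you use for host alerts. The grouping by account matters because a valid credential is all the attacker needs here: one mailbox user issuing EWS calls from a scripting library, rather than from Outlook, is the pattern to look for.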
Post-Remediation Checklist
- Confirm patch version — Run Get-ExchangeDiagnosticInfo -Server <name> -Process EdgeTransport -Component ResourceThrottling
- Audit IIS logs for suspicious activity before patch date
- Scan Exchange directories for unauthorized .aspx webshells
- Review authentication logs for anomalous access patterns
- Rotate service account passwords associated with Exchange
- Check for unauthorized inbox rules or mail forwarding rules across mailboxes
- Enable and review audit logging for all Exchange administrator actions
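The checklist above can be turned into one sweep from the Exchange Management Shell. The following is an added example, not part of the advisory or of Microsoft's tooling: it reports the installed build, scans assumed common webshell locations for .aspx files created or modified since the patch date, lists forwarding and deleting inbox rules plus mailbox-level forwarding, and pulls administrator actions from the admin audit log. `$PatchDate` and the directory list are placeholder assumptions; the expected build number for your CU/SU comes from Microsoft's Exchange build table and is deliberately not embedded here.

```powershell
# Added example (not part of the advisory): post-remediation sweep covering the
# checklist items. Run from the Exchange Management Shell on the patched server.
# $PatchDate and the directory list are placeholder assumptions for this example.

$PatchDate    = Get-Date '2023-02-14'        # placeholder: the date you applied KB5023038
$ExchangeRoot = $env:ExchangeInstallPath     # set by Exchange setup on every server

# 1. Confirm patch version: the ExSetup.exe file version is the installed build.
#    Compare ProductVersion against Microsoft's build table for the CU/SU you installed.
function Get-ExchangeBuild {
    Get-Command ExSetup.exe -ErrorAction Stop | ForEach-Object { $_.FileVersionInfo } |
        Select-Object FileName, ProductVersion
}

# 2. Scan Exchange and IIS directories for .aspx files created or changed since the patch.
#    The roots are assumed common locations for this example, not an exhaustive list.
function Find-RecentAspxFiles {
    param(
        [datetime]$Since,
        [string[]]$Roots = @(
            (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy'),
            (Join-Path $ExchangeRoot 'ClientAccess'),
            'C:\inetpub\wwwroot')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}

# 3. Inbox rules that forward, redirect or silently delete mail, plus mailbox-level forwarding.
function Find-MailForwarding {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Kind    = 'MailboxForwarding'
                Target  = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            }
        }
        Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Kind    = "InboxRule:$($_.Name)"
                    Target  = "$($_.ForwardTo)$($_.ForwardAsAttachmentTo)$($_.RedirectTo)"
                }
            }
    }
}

# 4. Make sure admin audit logging is on, then list administrator actions since the patch.
function Get-AdminActionsSince {
    param([datetime]$Since)
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
    Search-AdminAuditLog -StartDate $Since -EndDate (Get-Date) |
        Select-Object RunDate, Caller, CmdletName, ObjectModified
}

Get-ExchangeBuild
Find-RecentAspxFiles -Since $PatchDate   | Format-Table -AutoSize
Find-MailForwarding                      | Format-Table -AutoSize
Get-AdminActionsSince -Since $PatchDate  | Format-Table -AutoSize
```

Any .aspx file the scan returns should be compared against a known-good installation before it is treated as benign, since a cumulative update legitimately rewrites files under the Exchange root. Rules found by `Find-MailForwarding` that point outside the organization, or that delete mail matching security-related keywords, are the classic post-compromise persistence pattern and warrant credential rotation for the affected account in addition to removing the rule.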