CVE-2023-21529

Analyzed
Published: 14 Feb 2023, 19:33
Last modified:14 Apr 2026, 03:55

Vulnerability Summary

Overall Risk (default)
medium
41/100
CVSS Score
8.8 HIGH
v3.1 (cve.org)
EPSS Score
28.94% HIGH
29% probability -7.74%
KEV
Listed
CISA
1 listing
Ransomware
Known Use
Public exploits
None found
Dark Web
Not detected

Timeline

14 Feb 2023, 19:33
Published
Vulnerability first disclosed
13 Apr 2026, 00:00
Added to CISA KEV
Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
14 Apr 2026, 03:55
Last Modified
Vulnerability information updated
27 Apr 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

CVSS Metrics

  • v3.1HIGHScore: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
  • v3.1HIGHScore: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 28.94% Percentile: 97%

Techniques & Countermeasures

  • CWE-502Deserialization of Untrusted Data

    The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

  • UnknownExchange Server

    2013:cumulative_update_23 | 2016:cumulative_update_23 | 2019:cumulative_update_11 | 2019:cumulative_update_12

  • microsoftmicrosoft exchange server 2013 cumulative update 23

    ≥ 15.00.0, < 15.00.1497.047

  • microsoftmicrosoft exchange server 2016 cumulative update 23

    ≥ 15.01.0, < 15.01.2507.021

  • microsoftmicrosoft exchange server 2019 cumulative update 11

    ≥ 15.02.0, < 15.02.0986.041

  • microsoftmicrosoft exchange server 2019 cumulative update 12

    ≥ 15.02.0, < 15.02.1118.025

References (3)