[KEV] CVE-2023-21529 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2023-21529 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2023-21529 is a deserialization of untrusted data vulnerability in Microsoft Exchange Server that allows an authenticated remote attacker to execute arbitrary code on the affected system.

Technical Detail

The flaw exists in Microsoft Exchange Server's handling of untrusted serialized data, where insufficient validation allows an attacker to supply a malicious payload that is deserialized by the server process. An authenticated attacker can trigger this condition remotely, without requiring elevated privileges at the time of exploitation. Successful exploitation results in remote code execution (RCE) in the context of the Exchange Server process, which typically carries significant system-level access.

Exploitation Status

CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities (KEV) catalog on April 13, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable exploitation exists and is being used in real-world attacks, not merely as a proof of concept.

Who Is Targeting This

No specific threat actor attribution is confirmed at this time. Given the target surface (internet-facing Exchange infrastructure) and the operational exploit maturity, opportunistic and targeted threat actors should both be considered plausible. Sector-specific targeting data is not currently available.

What To Do

Apply the relevant Microsoft security update for Exchange Server immediately. Per CISA's Binding Operational Directive 22-01, federal civilian executive branch agencies are required to remediate KEV-listed vulnerabilities by the deadline specified in the catalog; for this entry, the required remediation date should be confirmed against the CISA KEV listing directly. Organizations should prioritize patching any internet-exposed or externally reachable Exchange Server instances first. If patching cannot be applied immediately, consider restricting access to Exchange services at the network perimeter and reviewing Exchange Server logs for anomalous deserialization activity or unexpected process execution originating from Exchange worker processes. Monitor for indicators associated with post-exploitation activity such as web shell deployment, which is a common follow-on action in Exchange Server compromises.
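The log review the briefing recommends can be partly automated. The script below is an added example and not part of the briefing or of any Microsoft tooling: it triages constructed process-creation and file-creation events for the two follow-on patterns named above, an Exchange worker process spawning a command interpreter, and a server-side script being dropped into a web root. The event field names, the interpreter list and the web-root paths are assumptions chosen for illustration; w3wp.exe is the IIS worker process that hosts Exchange's web components, which is a documented fact rather than an assumption.

```python
"""
Added example (not from the briefing): triage endpoint telemetry for two
post-exploitation patterns that commonly follow an Exchange Server compromise:
  1. an Exchange (IIS) worker process spawning a command interpreter
  2. a server-side script (.aspx etc.) written under a web root
The JSON event layout, the sample events and the hypothetical host name are
constructed for this example.
"""
import json
import re
from dataclasses import dataclass

# IIS hosts Exchange's web components; w3wp.exe is the IIS worker process.
WORKER_PROCESSES = {"w3wp.exe"}

# Interpreters an IIS worker has no routine reason to launch (assumed list;
# tune against your own baseline, e.g. csc.exe is a legitimate ASP.NET child).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "certutil.exe",
}

# Web-root prefixes (assumed default layout) where a new script file is suspicious.
WEB_ROOT_PATTERNS = [
    re.compile(r"\\inetpub\\wwwroot\\", re.I),
    re.compile(r"\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\", re.I),
    re.compile(r"\\Microsoft\\Exchange Server\\V15\\ClientAccess\\", re.I),
]
WEB_SHELL_EXTS = (".aspx", ".ashx", ".asmx", ".asp")


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict):
    """Return a Finding if one event matches either rule, else None."""
    kind = ev.get("event")
    host = ev.get("host", "?")
    if kind == "process_create":
        parent = basename(ev.get("parent_image", ""))
        child = basename(ev.get("image", ""))
        if parent in WORKER_PROCESSES and child in SUSPICIOUS_CHILDREN:
            return Finding("exchange-worker-spawned-interpreter", host,
                           f"{parent} -> {child}: {ev.get('command_line', '')}")
    elif kind == "file_create":
        target = ev.get("target", "")
        if target.lower().endswith(WEB_SHELL_EXTS) and \
                any(p.search(target) for p in WEB_ROOT_PATTERNS):
            return Finding("server-script-written-to-web-root", host,
                           f"{basename(ev.get('image', ''))} wrote {target}")
    return None


def triage(lines):
    """Parse JSON-per-line telemetry and collect findings; skip malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry should not abort the whole review
        f = check_event(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample events (hypothetical host "exch01"); not real telemetry.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "exch01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c <constructed>"},
    {"event": "process_create", "host": "exch01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "command_line": "csc.exe ..."},
    {"event": "process_create", "host": "exch01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c <constructed>"},
    {"event": "file_create", "host": "exch01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\aspnet_client\constructed.aspx"},
    {"event": "file_create", "host": "exch01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\constructed.log"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["this line is not json"]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed sample, the script reports exactly two findings: the w3wp.exe-to-cmd.exe launch and the .aspx file written under the web root; the csc.exe child, the cmd.exe launched by services.exe, the .log file and the malformed line are all ignored. In production the same two rules map naturally onto Sysmon event IDs 1 and 11 or an EDR's process and file telemetry, and any hit should be treated as a trigger for incident response rather than as proof of compromise on its own.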
