TP-EXP-2023-0001 CVE-2023-21529 high Patched Under Review

Microsoft Exchange Server Deserialization of Untrusted Data (CVE-2023-21529)

CVE: CVE-2023-21529
Platform: Microsoft Exchange Server 2013, 2016, 2019
Type: Remote Code Execution
Severity: HIGH
Status: Patched
Zero-Day: No
Disclosed: February 14, 2023
Patched: February 14, 2023
CISA KEV: Listed

Severity Assessment

  • Exploitability: 7/10 — Requires authentication (any valid Exchange user account); network-accessible with low complexity
  • Impact: 9/10 — Remote code execution on the Exchange server, which typically has access to all organizational email and Active Directory
  • Weaponization Risk: 8/10 — Added to CISA KEV confirming active exploitation; Exchange servers are high-value targets
  • Patch Urgency: 10/10 — Patch available since February 2023; CISA KEV mandates federal remediation by 27 April 2026
  • Detection Coverage: 6/10 — Deserialization attacks can be difficult to detect at the network level; Exchange health monitoring and endpoint detection provide the best coverage

Executive Summary

CVE-2023-21529 is a remote code execution vulnerability in Microsoft Exchange Server caused by insecure deserialization of untrusted data (CWE-502). An authenticated attacker with a valid Exchange user account can exploit this vulnerability to execute arbitrary code on the Exchange server. The vulnerability has a CVSS 3.1 base score of 8.8 (HIGH), with an attack vector of Network, low attack complexity, low privileges required, and no user interaction needed.

The vulnerability affects Microsoft Exchange Server 2013 Cumulative Update 23, Exchange Server 2016 Cumulative Updates 22 and 23, and Exchange Server 2019 Cumulative Updates 11 and 12. Microsoft released patches as part of the February 2023 Patch Tuesday security updates.

Exchange Server environments are high-value targets because the server typically holds all organizational email communications and operates with elevated Active Directory privileges. Compromise of an Exchange server can provide access to email contents, contact directories, calendar data, and credentials that facilitate further network compromise.

CISA added CVE-2023-21529 to the Known Exploited Vulnerabilities catalog on 13 April 2026, establishing a required federal remediation date of 27 April 2026. The addition to the KEV catalog confirms that this vulnerability continues to be exploited against unpatched Exchange environments.

Exploit Chain

Stage 1: Authentication

The attacker authenticates to the Exchange server using valid user credentials. These credentials may be obtained through phishing, credential stuffing, password spraying, or prior compromise of a user account. Any standard Exchange user account with mailbox access is sufficient — no administrative privileges are required.

Stage 2: Deserialization Trigger

The authenticated attacker sends a specially crafted request to an Exchange Web Services (EWS) or other Exchange endpoint that processes serialized .NET objects. The request contains a malicious serialized object constructed to exploit the insecure deserialization vulnerability.

Stage 3: Object Instantiation

The Exchange server deserializes the attacker-provided object without adequate type checking or validation. The malicious serialized data instructs the .NET runtime to instantiate objects that execute arbitrary code as a side effect of their construction or property evaluation.

Stage 4: Code Execution

The deserialized object chain (gadget chain) executes attacker-controlled commands in the security context of the Exchange Server application pool, which runs as SYSTEM or as a high-privilege service account. This provides the attacker with control over the Exchange server operating system.

Stage 5: Post-Exploitation

From the compromised Exchange server, the attacker can access all mailbox contents, harvest Active Directory credentials, deploy web shells for persistent access, and pivot to other systems in the network using the Exchange server’s elevated domain privileges.

Detection Guidance

Host-based detection:

  • Monitor Exchange Server application pool worker processes (w3wp.exe) for spawning unexpected child processes (cmd.exe, powershell.exe, certutil.exe)
  • Deploy endpoint detection and response (EDR) agents on Exchange servers to detect deserialization attack patterns
  • Monitor for web shell creation in Exchange virtual directories (typically .aspx or .ashx files in IIS web root directories)
  • Review Exchange Server health monitoring for unexpected process crashes or elevated memory consumption

Network-based detection:

  • Inspect Exchange Web Services (EWS) requests for serialized .NET objects containing known gadget chain patterns
  • Monitor for unusual volumes of EWS requests from a single authenticated user, particularly to endpoints not typically used by mail clients
  • Alert on outbound connections from the Exchange server to external IP addresses not associated with legitimate mail flow

Log-based detection:

  • Enable and monitor Exchange Server diagnostic logging for deserialization errors
  • Review IIS logs for requests to Exchange endpoints with unusually large POST bodies or non-standard content types
  • Monitor Windows Security Event Log on Exchange servers for process creation events indicating post-exploitation activity

Indicators of Compromise

Network indicators:

  • HTTP POST requests to Exchange EWS endpoints containing serialized .NET objects with known gadget chain class names
  • Outbound connections from Exchange server to external command-and-control infrastructure
  • Unexpected SMTP relay activity from the Exchange server to external mail servers

Host indicators:

  • Web shells (ASPX files) created in Exchange virtual directories under IIS wwwroot
  • Unexpected child processes spawned by w3wp.exe (Exchange application pool)
  • Modifications to Exchange web.config files or other configuration files
  • Credential dumping tools or output files present on the Exchange server

Log indicators:

  • IIS access logs: POST requests to EWS endpoints with HTTP 200 responses followed by unusual server-side activity
  • Windows Event Log: process creation (Event ID 4688) showing cmd.exe or powershell.exe with w3wp.exe as parent
  • Exchange diagnostic logs: deserialization exceptions or unexpected type loading errors
  • Windows Defender alerts for web shell detection or suspicious process chains
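The following is an added example, not part of the advisory: it runs two of the log indicators listed under Detection Guidance and Indicators of Compromise over constructed sample records: Security Event ID 4688 process creation where w3wp.exe is the parent of cmd.exe, powershell.exe or certutil.exe, and IIS W3C log entries with oversized POST bodies to the EWS endpoint. The size threshold, the IIS field layout and the sample records are assumptions.

```python
# Added example (not from the advisory): run two of the log indicators above
# over constructed records. Thresholds and log field layout are assumptions.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe"}
LARGE_POST_BYTES = 100_000  # assumed "unusually large" EWS body size; tune per site

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_4688(events):
    """Return Event ID 4688 records where w3wp.exe spawned a suspicious child."""
    return [ev for ev in events
            if ev.get("EventID") == 4688
            and basename(ev.get("ParentProcessName", "")) == "w3wp.exe"
            and basename(ev.get("NewProcessName", "")) in SUSPICIOUS_CHILDREN]

def flag_iis_ews_posts(lines):
    """Parse IIS W3C lines (column order from #Fields) and return large POSTs to /EWS/."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # header names define the column order
        elif line.startswith("#") or not line.strip():
            continue                        # other directives and blank lines
        else:
            row = dict(zip(fields, line.split()))
            size = row.get("cs-bytes", "-")  # IIS writes "-" for an empty field
            if (row.get("cs-method") == "POST"
                    and row.get("cs-uri-stem", "").lower().startswith("/ews/")
                    and size.isdigit() and int(size) >= LARGE_POST_BYTES):
                hits.append(row)
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_4688 = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe"},
]
SAMPLE_IIS = [
    "#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status cs-bytes",
    "2023-02-15 09:00:01 POST /EWS/Exchange.asmx CONTOSO\\jdoe 10.0.0.5 200 812",
    "2023-02-15 09:00:07 POST /ews/exchange.asmx CONTOSO\\jdoe 10.0.0.5 200 262144",
    "2023-02-15 09:00:09 GET /owa/ CONTOSO\\jdoe 10.0.0.5 200 400",
]
```

On the sample data only the cmd.exe child of w3wp.exe and the 262144-byte EWS POST are flagged; the benign svchost.exe event, the small EWS POST and the OWA GET are not.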

Disclosure Timeline

2023-02-14 — Microsoft Patch and Disclosure

Microsoft released the February 2023 security updates including a patch for CVE-2023-21529. The vulnerability was disclosed as part of the monthly Patch Tuesday release alongside 75 other vulnerabilities.

2023-02-14 — NVD Entry Published

NIST published the CVE-2023-21529 entry in the National Vulnerability Database with a CVSS 3.1 base score of 8.8 (HIGH).

2026-04-13 — CISA KEV Entry Added

CISA added CVE-2023-21529 to the Known Exploited Vulnerabilities catalog with a required federal remediation date of 27 April 2026, confirming active exploitation in the wild.

Sources & References