Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Microsoft Exchange Server Deserialization of Untrusted Data RCE

IdentifiersCVE-2023-21529CWE-502· Deserialization of Untrusted Data

CVE-2023-21529 is a Microsoft Exchange Server vulnerability caused by deserialization of untrusted data. The available reporting states that Exchange Server improperly processes attacker-controlled serialized data, allowing an authenticated attacker to manipulate how the server handles specific data and achieve remote code execution. Microsoft disclosed and patched the issue in February 2023. Subsequent reporting and CISA KEV inclusion confirm active exploitation in the wild.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote code execution on the affected Microsoft Exchange Server. Because Exchange is typically a high-value, centrally connected enterprise system, compromise can provide deep access into corporate environments, including sensitive communications and a strong foothold for follow-on intrusion activity. Reporting also links exploitation of this flaw by Storm-1175 to Medusa ransomware operations, including initial access, data theft, and ransomware deployment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of Exchange servers as much as operationally feasible, especially internet-facing instances. Restrict access to trusted networks and administrative paths, monitor Exchange systems aggressively for suspicious activity, and follow any Microsoft-issued mitigations or hardening guidance. General defensive measures highlighted in the supporting content include isolating web-facing systems, placing necessary public servers behind protective controls such as a WAF, and discontinuing use of vulnerable products if no patch or effective mitigation is available.

Remediation

Patch, then assume compromise.

Apply Microsoft's February 2023 security updates for Microsoft Exchange Server that address CVE-2023-21529. Follow current Microsoft vendor guidance to ensure all affected Exchange installations are fully updated. Because CISA added this CVE to the KEV catalog based on active exploitation, patching should be prioritized urgently on all exposed and internally reachable Exchange servers.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationExchange Serverapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

29 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

29 SOURCESView more in app
security affairsNews
May 15, 2026
CVE-2026-42897: Microsoft confirms active exploitation of Exchange Server zero-day

A Microsoft Exchange Server deserialization of untrusted data vulnerability that CISA added to the KEV catalog, indicating known exploitation.

Read more
scworldNews
Apr 14, 2026
Active exploitation of old Microsoft bugs prompt CISA catalog inclusion | brief | SC Media

A Microsoft Exchange Server deserialization of untrusted data vulnerability that has been leveraged by Storm-1175 to spread Medusa ransomware.

Read more
cyber security newsNews
Apr 14, 2026
CISA Warns of Microsoft Exchange and Windows CLFS Vulnerabilities Exploited in Attacks

A remote code execution vulnerability in Microsoft Exchange Server caused by deserialization of untrusted data.

Read more
security affairsNews
Apr 14, 2026
U.S. CISA adds Adobe, Fortinet, Microsoft Windows, Microsoft Exchange Server flaws to its Known Exploited Vulnerabilities catalog

A deserialization of untrusted data vulnerability affecting Microsoft Exchange Server.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence8

Every observed campaign linking this CVE to a named adversary.

Associated malware8

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity14

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-21529
NVD
nvd.nist.gov/vuln/detail/CVE-2023-21529
MITRE CWE · CWE-502
Deserialization of Untrusted Data
Patch
msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-21529
Technical Description
microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations