What is Microsoft Exchange Server?
Microsoft Exchange Server is the world's dominant enterprise email and collaboration platform, used by tens of thousands of organizations globally — from government agencies to critical infrastructure operators. Because Exchange is directly exposed to the internet for email delivery and often accessible via Outlook Web Access (OWA) and Exchange Web Services (EWS), it represents one of the highest-value attack surfaces in enterprise environments. A foothold on Exchange typically yields email, credentials, calendar data, and — critically — the ability to move laterally across the enterprise.
Overview
CVE-2023-21529 is an authenticated remote code execution vulnerability in Microsoft Exchange Server caused by unsafe deserialization of untrusted data (CWE-502). An attacker who has established a PowerShell remoting session to the Exchange server can send a specially crafted SOAP message containing a malicious serialized payload. Exchange's internal deserialization pathway processes the payload and executes attacker-controlled code on the server.
Affected Versions
| Product | Affected Build |
|---|---|
| Exchange Server 2019 CU12 | Yes |
| Exchange Server 2019 CU11 | Yes |
| Exchange Server 2016 CU23 | Yes |
| Exchange Server 2013 CU23 | Yes |

Builds without the February 2023 Security Update (SU) are affected; the patched build for each CU is listed under Remediation.
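The table above identifies affected servers by CU, but whether a given server is actually vulnerable depends on the SU-level build, which `Get-ExchangeServer` does not report. The following PowerShell is an added example, not code from the advisory or from Microsoft: it classifies a build as vulnerable, patched, on a newer CU, or on an unsupported CU. The fixed build numbers in the table are recalled from Microsoft's Exchange build number table and are an assumption to be verified there before use; the sample builds at the end are constructed for an offline run.

```powershell
# Added example, not part of the advisory: classify an Exchange build against the
# February 2023 Security Update that fixes CVE-2023-21529.
# ASSUMPTION: the fixed build numbers below are recalled from Microsoft's Exchange
# build number table and must be verified there before being relied on.
$Feb2023FixedBuilds = @{
    '15.0.1497' = [version]'15.0.1497.47'   # Exchange 2013 CU23 + Feb23SU
    '15.1.2507' = [version]'15.1.2507.21'   # Exchange 2016 CU23 + Feb23SU
    '15.2.986'  = [version]'15.2.986.41'    # Exchange 2019 CU11 + Feb23SU
    '15.2.1118' = [version]'15.2.1118.25'   # Exchange 2019 CU12 + Feb23SU
}

function Test-ExchangeBuildPatched {
    param(
        [Parameter(Mandatory)][version]$InstalledBuild,
        [hashtable]$FixedBuilds = $Feb2023FixedBuilds
    )
    # The CU is identified by major.minor.build; an SU only bumps the revision.
    $cuKey  = '{0}.{1}.{2}' -f $InstalledBuild.Major, $InstalledBuild.Minor, $InstalledBuild.Build
    $result = [ordered]@{ Build = $InstalledBuild; Fixed = $null; Status = $null }

    if ($FixedBuilds.ContainsKey($cuKey)) {
        $result.Fixed  = $FixedBuilds[$cuKey]
        $result.Status = if ($InstalledBuild -ge $result.Fixed) { 'Patched' } else { 'Vulnerable' }
    }
    else {
        # A CU newer than any in the table (shipped after Feb 2023) already carries the
        # fix; an older CU never received this SU and must first move to a supported CU.
        $newestKnown = 0
        foreach ($fixed in $FixedBuilds.Values) {
            if ($fixed.Major -eq $InstalledBuild.Major -and
                $fixed.Minor -eq $InstalledBuild.Minor -and
                $fixed.Build -gt $newestKnown) { $newestKnown = $fixed.Build }
        }
        $result.Status = if ($newestKnown -and $InstalledBuild.Build -gt $newestKnown) { 'NewerCU' }
                         else { 'UnsupportedCU' }
    }
    [pscustomobject]$result
}

# On a real server, read the SU-level build from ExSetup.exe; Get-ExchangeServer's
# AdminDisplayVersion reports only the CU level and cannot distinguish SUs:
#   $exsetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
#   $build   = [version](Get-Item $exsetup).VersionInfo.FileVersion
# Constructed sample builds for an offline run (2019 CU12 pre/post SU, 2016 CU23 on a
# later SU, 2019 CU10, 2019 CU13):
'15.2.1118.20', '15.2.1118.25', '15.1.2507.27', '15.2.922.27', '15.2.1258.12' |
    ForEach-Object { Test-ExchangeBuildPatched -InstalledBuild ([version]$_) } |
    Format-Table -AutoSize
```

Run the ExSetup.exe lookup on every Exchange server, including Edge Transport servers, since a single unpatched member of the organization is enough for an attacker with a mailbox credential.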
Technical Details
Root cause: Deserialization of Untrusted Data (CWE-502)
Exchange's PowerShell remoting interface exposes a set of cmdlets for administration. Internally, Exchange maintains an allow list of types that are permitted through its deserialization pipeline. CVE-2023-21529 arises because the `MultiValuedProperty` class was present on that allow list and provided a pathway to a secondary, internal deserialization mechanism that was not subject to the same allow-list sanitization.
Exploit chain:
- Establish authentication: the attacker authenticates with any low-privilege Exchange account (no admin role required) and opens a PowerShell remoting session to the Exchange server.
- Craft SOAP message: the attacker sends a SOAP message containing a serialized PowerShell object built around `MultiValuedProperty`, with a malicious `XamlReader`-based payload embedded.
- Bypass allow-list: `MultiValuedProperty` passes the outer allow-list check, then internally triggers Exchange's secondary deserialization routine on the embedded XAML payload.
- Code execution: `XamlReader` processes the XAML and executes arbitrary .NET code in the context of the Exchange backend process (running as SYSTEM or Network Service with high privileges).
Attack characteristics:
- Authentication required: Yes — low-privilege Exchange account (email user)
- Complexity: Low — well-documented attack pattern derived from Exchange PowerShell research
- User interaction: None — entirely server-side once authenticated
- Network: Requires reaching the Exchange PowerShell remoting endpoint (the `/PowerShell` virtual directory, served over HTTP/HTTPS on TCP 80/443 and Kerberos-authenticated by default)
This vulnerability is related to the broader Exchange PowerShell exploitation research track, following the ProxyNotShell (CVE-2022-41040/CVE-2022-41082) class of vulnerabilities. Zero Day Initiative researchers detailed the underlying exploitation pathway in depth.
Exploitation Context
Exchange deserialization vulnerabilities have been a primary vector for nation-state and ransomware actors since at least the HAFNIUM ProxyLogon wave in 2021. CVE-2023-21529 fits the same pattern: the authentication requirement raises the bar somewhat compared to pre-auth bugs, but in practice compromised credentials are abundant. Credential stuffing, password spraying against OWA, or phishing a single mailbox user is sufficient to satisfy the authentication requirement.
The CISA KEV listing confirms that threat actors are actively weaponizing this vulnerability — a pattern consistent with the sustained interest in Exchange as a high-value pivot point for enterprise intrusions.
Remediation
- Apply the February 2023 cumulative update for your Exchange version:
- Exchange Server 2019: CU12 with Security Update (SU)
- Exchange Server 2016: CU23 with Security Update (SU)
- Exchange Server 2013: CU23 with Security Update (SU)
- Apply all subsequent Exchange Security Updates — Exchange security updates are cumulative but must be applied on top of the correct CU level. Refer to the Exchange Update Wizard for guidance.
- Restrict PowerShell remoting access — limit access to the Exchange PowerShell endpoint (`/PowerShell`) to administrative source IPs via network controls or URL rewrite rules where possible.
- Enforce MFA on all Exchange accounts — reduce the risk of credential-based authentication by requiring multi-factor authentication for all OWA and Exchange Web Services access. Note that MFA in front of OWA does not by itself gate the `/PowerShell` virtual directory, which uses Windows authentication; treat it as reducing credential exposure, not as a control on the vulnerable endpoint.
- Audit Exchange logs for suspicious PowerShell activity — review the `MSExchange Management` event log and IIS logs for unusual SOAP/PowerShell endpoint calls.
- Migrate to Exchange Online (Microsoft 365) where feasible — retiring on-premises Exchange Server eliminates a persistent high-value attack surface.
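The audit step above is the one most teams skip because the signal is buried in ordinary IIS traffic. The following PowerShell is an added example, not code from the advisory: it parses IIS W3C log lines from the Client Access front end and groups POSTs to `/powershell` by account, source IP and user agent, flagging accounts outside an admin allow list and clients that do not present the Exchange Management Shell user agent. The admin list and the log lines are constructed for the demo; the default IIS log path is the only real-world value assumed.

```powershell
# Added example, not part of the advisory: triage IIS W3C logs from the Exchange
# Client Access front end for PowerShell remoting calls by accounts that should not
# be using it. The admin list and the log lines below are constructed for the demo.
$KnownAdmins = @('CORP\exadmin')

function ConvertFrom-IisW3cLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The #Fields: directive names the columns that follow; IIS repeats it
            # after a restart or field change, so keep re-reading it.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $values = $line.Trim() -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Find-SuspiciousPowerShellCalls {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$Admins = $KnownAdmins
    )
    ConvertFrom-IisW3cLog -Lines $Lines |
        Where-Object { $_.'cs-method' -eq 'POST' -and $_.'cs-uri-stem' -like '/powershell*' } |
        Group-Object -Property 'cs-username', 'c-ip', 'cs(User-Agent)' |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User      = $first.'cs-username'
                SourceIp  = $first.'c-ip'
                UserAgent = $first.'cs(User-Agent)'
                Requests  = $_.Count
                # Exploitation needs only a mailbox user, so any non-admin account on
                # this endpoint deserves a look. sc-status is useless as a filter: a
                # successful exploit returns 200 just like legitimate EMS traffic.
                NotAdmin  = $Admins -notcontains $first.'cs-username'
                # EMS presents 'Microsoft WinRM Client'; anything else is a weak,
                # spoofable signal, never proof.
                NotWinRM  = $first.'cs(User-Agent)' -notlike 'Microsoft+WinRM+Client*'
            }
        } |
        Where-Object { $_.NotAdmin -or $_.NotWinRM }
}

# Constructed sample in the W3C format the Default Web Site writes under
# C:\inetpub\logs\LogFiles\W3SVC1\ (column order follows the #Fields: line).
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-14 08:01:12 10.10.1.20 POST /powershell serializationLevel=Full;clientApplication=ManagementShell 443 CORP\exadmin 10.10.5.7 Microsoft+WinRM+Client 200
2026-04-14 08:01:13 10.10.1.20 POST /owa/ - 443 CORP\jdoe 10.10.9.41 Mozilla/5.0+(Windows+NT+10.0) 200
2026-04-14 08:03:40 10.10.1.20 POST /powershell serializationLevel=Full;clientApplication=ManagementShell 443 CORP\jdoe 203.0.113.25 python-requests/2.31 200
2026-04-14 08:03:41 10.10.1.20 POST /powershell serializationLevel=Full;clientApplication=ManagementShell 443 CORP\jdoe 203.0.113.25 python-requests/2.31 200
'@

Find-SuspiciousPowerShellCalls -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize

# Against real logs on a Client Access server:
#   Find-SuspiciousPowerShellCalls -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log')
```

On the sample, only the `CORP\jdoe` / 203.0.113.25 / `python-requests` group is reported; the admin's EMS session and the OWA login are not. Pair a hit with `Get-WinEvent -LogName 'MSExchange Management'` on the same server to see which cmdlets the session actually invoked, and check the Exchange Back End site's logs (port 444) as well, since front-end calls are proxied there.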
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-21529 |
| Vendor / Product | Microsoft — Exchange Server |
| NVD Published | 2023-02-14 |
| NVD Last Modified | 2026-04-13 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-502 — Deserialization of Untrusted Data |
| CISA KEV Added | 2026-04-13 |
| CISA KEV Deadline | 2026-04-27 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Required Action
Apply the vendor security update for the installed CU (the February 2023 SU, or any later SU on a supported CU) as described under Remediation. Under CISA BOD 22-01, US federal civilian agencies must remediate by 2026-04-27.
Timeline
| Date | Event |
|---|---|
| 2023-02-14 | CVE-2023-21529 published as part of February 2023 Patch Tuesday; patches released for Exchange 2013/2016/2019 |
| 2026-04-13 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-04-27 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2023-21529 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft MSRC — CVE-2023-21529 | Vendor Advisory / Patch |
| ZDI — Exploiting Exchange PowerShell After ProxyNotShell (Part 2) | Security Research |
| CWE-502 — Deserialization of Untrusted Data | Weakness Classification |