Remote Code Execution Vulnerability Affects Microsoft Exchange Server
CVE-2023-21529

8.8HIGH

Key Information:

Vendor: Microsoft
Status: Microsoft Exchange Server 2019 Cumulative Update 12; Microsoft Exchange Server 2019 Cumulative Update 11; Microsoft Exchange Server 2013 Cumulative Update 23; Microsoft Exchange Server 2016 Cumulative Update 23
Vendor: CVE Published:; 14 February 2023

Badges

💰 Ransomware👾 Exploit Exists🟣 EPSS 23%🦅 CISA Reported📰 News Worthy

What is CVE-2023-21529?

A vulnerability has been identified in Microsoft Exchange Server that allows for remote code execution. This security flaw could enable an attacker to execute arbitrary code on affected systems, potentially compromising data integrity and confidentiality. Organizations using Microsoft Exchange Server 2016 and 2019 are strongly encouraged to apply the latest security updates to mitigate this risk. Detailed information about the vulnerability and available patches can be found in the Microsoft advisory.

CISA has reported CVE-2023-21529

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2023-21529 as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Microsoft Exchange Server 2013 Cumulative Update 23 x64-based Systems 15.00.0 < 15.00.1497.047

Microsoft Exchange Server 2016 Cumulative Update 23 x64-based Systems 15.01.0 < 15.01.2507.021

Microsoft Exchange Server 2019 Cumulative Update 11 x64-based Systems 15.02.0 < 15.02.0986.041

News Articles

The Hacker News

CVE-2026-21643 CVE-2023-21529

CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software

CISA adds six exploited vulnerabilities, including Fortinet and Exchange flaws, requiring FCEB patching by April 27, 2026.

3 weeks ago

IT Security News

CVE-2023-21529

CISA Adds Seven Known Exploited Vulnerabilities to Catalog - IT Security News

CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2012-1854 Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability CVE-2020-9715 Adobe Acrobat Use-After-Free Vulnerability CVE-2023-2152...

3 weeks ago

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

💰
Used in Ransomware
Apr 13, 2026
🦅
CISA Reported
Apr 13, 2026
📰
First article discovered by IT Security News
Apr 13, 2026
🟡
Public PoC available
Mar 9, 2024
👾
Exploit known to exist
Mar 9, 2024
Vulnerability published
Feb 14, 2023
Vulnerability Reserved
Dec 1, 2022

CVE-2023-21529 Data

JSON