Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
Microsoft Exchange Server contains a deserialization of untrusted data that allows an authenticated attacker to achieve remote code execution.
Quick answer
Microsoft Exchange Server should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- 2013
- 2016
- 2019
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Treat CVE-2023-21529 as an actively exploited Microsoft Exchange Server remote code execution risk. The local record and CISA KEV identify deserialization of untrusted data in Exchange Server, so exposed or internet-reachable Exchange servers should be patched with priority. Apply the Microsoft Security Update Guide fixes for the installed supported Exchange version and cumulative update level; do not rely on generic OS patching alone. If the server cannot be updated immediately, reduce external exposure, review mail and IIS logs, and plan replacement for unsupported Exchange builds.
- Inventory every Microsoft Exchange Server deployment, including internet-facing Client Access, Outlook on the web, ECP, EWS, ActiveSync, hybrid, and management endpoints.
- Check each server against the Microsoft Security Update Guide entry for CVE-2023-21529 and its installed Exchange cumulative update and security update level.
- Install the applicable Exchange Server security update for the supported cumulative update branch, or first move to a supported CU and then apply the security update.
- Restrict Exchange administrative interfaces such as ECP and remote PowerShell to trusted administrator networks or VPN where possible.
- Review IIS, Exchange, ECP, PowerShell, and security logs for suspicious authenticated activity, unexpected mailbox access, web shell indicators, or new administrative assignments.
- Run the Microsoft Exchange HealthChecker or equivalent inventory checks after patching to confirm supported build and security update status.
- Rotate credentials and review mailbox delegation, application permissions, and OAuth/app registrations if compromise is suspected.
- Retire or isolate unsupported Exchange servers that cannot receive the Microsoft security update.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm every Exchange server reports a supported CU and the Microsoft security update that remediates CVE-2023-21529 or a later cumulative/security update.
- Confirm ECP, PowerShell, and other management endpoints are restricted to approved administrator paths.
- Confirm vulnerability management or Exchange inventory tooling no longer flags CVE-2023-21529.
- Review post-patch IIS and Exchange logs for continued exploit attempts or suspicious authenticated requests.
- Run a Fixnx scan against public mail hostnames to confirm visible Exchange exposure is understood.
Related categories
Trusted references
FAQ
What is affected by CVE-2023-21529?
Microsoft Exchange Server should be checked against the vendor advisory and trusted references linked on this page.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
