Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability (CVE-2023-21529).
Release Date: 13th April 2026
Impact: HIGH / CRITICAL
TLP Rating: Clear 
The Department of Communication and Digital Transformation (DCDT), through CERT Vanuatu (CERTVU), provides the following advisory.
This alert is relevant to organizations and system/network administrators that use the above products. It is intended to be understood by technical users and systems administrators.
What is it?
CVE-2023-21529 is a high-severity remote code execution (RCE) vulnerability affecting Microsoft Exchange Server. The flaw is caused by deserialization of untrusted data (CWE-502), where the application improperly processes serialized objects.
When Exchange Server deserializes attacker-controlled data without proper validation, it can execute malicious payloads embedded in that data, leading to arbitrary code execution on the server.
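The mechanism described above, shown as an added example that is not Exchange code or Microsoft's fix: Python's `pickle` stands in for a deserializer that resolves whatever type the data names, next to a loader that only accepts an allow-list of expected types. The names `Message`, `Crafted`, `side_effect` and `ALLOWED` are assumptions made for this demo, and the "payload" only records that it ran.

```python
import io
import pickle

CALLS = []  # side effects observed while loading data

def side_effect(tag):
    """Benign stand-in for whatever code a crafted object would trigger."""
    CALLS.append(tag)

class Crafted:
    """Constructed sample: its serialized form names a callable to invoke."""
    def __reduce__(self):
        return (side_effect, ("ran-during-load",))

class Message:
    """The only type this hypothetical service expects to receive."""
    def __init__(self, subject):
        self.subject = subject

ALLOWED = {(Message.__module__, "Message")}  # assumed allow-list

class AllowListUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Refuse to resolve any type the service did not explicitly expect.
        if (module, name) not in ALLOWED:
            raise pickle.UnpicklingError(f"blocked type {module}.{name}")
        return super().find_class(module, name)

def unsafe_load(data):
    return pickle.loads(data)  # CWE-502: resolves whatever the data names

def safe_load(data):
    return AllowListUnpickler(io.BytesIO(data)).load()

def demo():
    """Return (calls made by unsafe load, crafted input blocked, subject)."""
    crafted = pickle.dumps(Crafted(), protocol=4)  # constructed sample input
    CALLS.clear()
    unsafe_load(crafted)  # the callable named in the data runs here
    ran = list(CALLS)
    CALLS.clear()
    try:
        safe_load(crafted)
        blocked = False
    except pickle.UnpicklingError:
        blocked = not CALLS  # rejected before anything executed
    good = pickle.dumps(Message("hello"), protocol=4)
    return ran, blocked, safe_load(good).subject
```

The unsafe loader runs the callable as a side effect of parsing, before any application logic sees the object. The allow-list loader rejects the same bytes while still accepting the expected `Message` type.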
What are the systems affected?
The following versions are affected:
- Exchange Server 2013 (CU23)
- Exchange Server 2016 (CU23)
- Exchange Server 2019 (CU11 and CU12)
Exchange Server is widely used for:
- Enterprise email systems
- Messaging infrastructure
- Collaboration and communication services
Because it is often internet-facing and mission-critical, it is a high-value target for attackers.
What does this mean?
Exploitation requires authenticated access, but privileges can be low.
Typical exploitation flow:
1. Initial access
- The attacker obtains valid credentials (e.g., phishing, credential theft, or prior compromise).
2. Crafting malicious serialized payload
- The attacker creates a specially crafted object designed to exploit Exchange’s deserialization logic.
3. Sending the payload
- The payload is delivered to a vulnerable Exchange Server endpoint via network requests.
4. Unsafe deserialization
- Exchange processes (deserializes) the malicious object without proper validation.
5. Remote code execution
- The payload executes arbitrary commands on the server with Exchange service privileges (often SYSTEM-level).
Successful exploitation of this vulnerability may allow attackers to:
- Execute arbitrary code on the Exchange server
- Gain full system control
- Access or exfiltrate sensitive email data
- Modify or delete mailboxes and configurations
- Move laterally across the enterprise network
- Deploy malware or ransomware
Mitigation process
CERTVU recommends the following:
1. Apply Microsoft Security Updates (Critical)
- Install the latest Exchange Server security updates (e.g., KB5023038 and later) immediately.
2. Restrict Access and Harden Authentication
- Enforce multi-factor authentication (MFA)
- Limit access to Exchange services to trusted networks
- Monitor and restrict privileged accounts
References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cve.org/CVERecord?id=CVE-2023-21529
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21529