According to CISA, the Known Exploited Vulnerabilities (KEV) catalog lists CVE-2023-21529 as a Microsoft Exchange Server deserialization of untrusted data vulnerability that allows an authenticated attacker to achieve remote code execution. The entry notes that it is currently unknown whether the vulnerability has been used in ransomware campaigns. It was added to the KEV catalog on 13 April 2026, with a due date of 27 April 2026 for mitigations.
The recommended action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Related references include the Microsoft MSRC vulnerability update guide and the NIST NVD entry for CVE-2023-21529.