CISA KEV Alert 4/13/2026, 9:26:29 PM

CISA warns of active exploit in Microsoft Exchange CVE-2023-21529

CyberSIXT Evidence Panel: source marked as original reporting
Primary Source: cisa.gov
CISA KEV: Listed in KEV
Patch: Patch Available

On 13 April 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-21529 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Microsoft Exchange Server and is named the Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability. In one sentence, the vulnerability allows an authenticated attacker to send specially crafted data that is deserialised by the server, leading to remote code execution.

The vulnerability is a deserialization of untrusted data issue in the Exchange Server backend. An attacker who has valid credentials can transmit malicious payloads that, when processed by the affected component, execute arbitrary code with the privileges of the Exchange service. The Common Vulnerability Scoring System assigns it a base score of 8.8, rating it as HIGH severity. A security patch addressing the issue is available from Microsoft via the MSRC advisory.

Because the entry appears in the KEV catalogue, active exploitation of CVE-2023-21529 has been confirmed in the wild. No public reports link this flaw to ransomware campaigns at present. CISA has set a remediation deadline of 27 April 2026 for federal agencies to apply the required mitigations.

CISA’s required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. This directive binds Federal Civilian Executive Branch (FCEB) agencies; however, all organisations should review their Exchange Server deployments for exposure and implement the vendor’s patch or mitigations as soon as practicable.
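One way to track this deadline against an asset inventory is sketched below. It is an added example, not code from CISA or CyberSIXT: the record uses the field names of CISA's public KEV JSON feed but is constructed from the values stated in this article, and the inventory, host names and `kev_findings` helper are hypothetical.

```python
import json
from datetime import date

# Constructed sample: one record shaped like an entry in CISA's KEV JSON feed,
# filled only with values stated in this article.
KEV_FEED = json.loads("""
{"vulnerabilities": [{
  "cveID": "CVE-2023-21529",
  "vendorProject": "Microsoft",
  "product": "Exchange Server",
  "vulnerabilityName": "Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability",
  "dateAdded": "2026-04-13",
  "dueDate": "2026-04-27",
  "knownRansomwareCampaignUse": "Unknown"
}]}
""")

# Constructed inventory (hypothetical hosts). "patched" lists the CVEs for
# which the vendor fix is confirmed installed on that host.
INVENTORY = [
    {"host": "exch-01.example.internal", "product": "Exchange Server",
     "patched": {"CVE-2023-21529"}},
    {"host": "exch-02.example.internal", "product": "Exchange Server",
     "patched": set()},
    {"host": "web-01.example.internal", "product": "IIS", "patched": set()},
]

def kev_findings(feed, inventory, today):
    """Return one finding per unpatched host running a KEV-listed product."""
    findings = []
    for vuln in feed["vulnerabilities"]:
        due = date.fromisoformat(vuln["dueDate"])
        days_left = (due - today).days  # negative once the deadline has passed
        for asset in inventory:
            if asset["product"].lower() != vuln["product"].lower():
                continue  # product not affected by this KEV entry
            if vuln["cveID"] in asset["patched"]:
                continue  # fix already applied
            findings.append({
                "host": asset["host"],
                "cve": vuln["cveID"],
                "due": vuln["dueDate"],
                "days_left": days_left,
                "status": "OVERDUE" if days_left < 0 else "OPEN",
                "ransomware_use": vuln["knownRansomwareCampaignUse"],
            })
    # Most urgent first.
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for finding in kev_findings(KEV_FEED, INVENTORY, date.today()):
        print(finding)
```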

For full details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2023-21529 and the CISA KEV catalogue.


Article by CyberSIXT