Planned Fix

CVE-2023-21529

Exchange PowerShell deserialization RCE (authenticated)

Summary

Microsoft Exchange Server has an authenticated remote code execution flaw in the PowerShell remoting deserialization path. A low-privileged Exchange user can send crafted serialized input that abuses the allowed MultiValuedProperty class and related type-conversion logic, causing the server to run attacker-controlled code. Successful exploitation can execute code as SYSTEM and fully compromise the mail server.

Why Planned Fix?

5/6
  • Authentication required
  • Mixed internet / internal deployment
  • No user interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? Yes
Is authentication needed? Yes
PoC / Exploit: Yes

Impact

Execute arbitrary code as SYSTEM on the Exchange server (Full System Compromise)

Exploitation Requirements
  • Authentication required

Exploitation Process

An attacker first authenticates to Exchange as a low-privileged user and then sends crafted HTTP requests to the PowerShell remoting interface. The payload abuses the allowed MultiValuedProperty or DagNetMultiValuedProperty deserialization path, steering type conversion toward attacker-controlled objects and constructors. If the payload succeeds, the server executes the embedded code or command and the attacker confirms success by observing process execution or a spawned shell.

Detection Resources
Manual Detection: 0
Script Detection: 1

Affected Software

Vendor: Microsoft

Product: Affected Versions
Microsoft Exchange Server 2013: Cumulative Update 23 before SU20
Microsoft Exchange Server 2016: Cumulative Update 23 before SU6
Microsoft Exchange Server 2019: Cumulative Update 11 before SU10, Cumulative Update 12 before SU6

Description

Microsoft Exchange Server is an on-premises email, calendaring, and collaboration platform used to host mailboxes and messaging services.

Deployment: Mixed (internet/internal) | Protocol: HTTPS | Ports: 443

Affected Component: Exchange PowerShell remoting deserialization path, centered on the MultiValuedProperty class used by /powershell requests.

Affected Endpoints (1): /powershell

Vendor Size: Big
Remediation

Workaround: Not available

Patch: Not available

Update: Install KB5023038: Exchange Server 2019 CU12 SU6 or CU11 SU10, Exchange Server 2016 CU23 SU6, or Exchange Server 2013 CU23 SU20. (support.microsoft.com)
Threat Intelligence

EPSS Score: 36.7% (probability of exploitation in the next 30 days)
EPSS Percentile: 97% (worse than 97% of all CVEs)

CISA KEV: Listed
Active Exploitation: Active (source: microsoft.com)

Threat Actors (1)
Storm-1175: financially motivated group linked to Medusa ransomware and web-facing asset exploitation

Detection Rules (1)
Snort: HTTP request to /Powershell with base64-decoded SerializationData containing System.Diagnostics, Process, and MultiValuedProperty
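The Snort rule above is only described in prose. The following Python is an added illustration, not the site's rule or any vendor's detection, that approximates the described logic over a captured request: it checks the request path, pulls out SerializationData, base64-decodes it and requires all three indicators to appear together in one decoded blob. The envelope format (an XML element carrying N="SerializationData"), the sample bodies and the helper names are assumptions constructed for this example; the real PowerShell remoting wire format is not described on the page.

```python
import base64
import re

# The three indicators the page's Snort rule description names. A request is
# flagged only when one decoded SerializationData blob contains all of them;
# "MultiValuedProperty" alone appears in ordinary Exchange cmdlet traffic.
INDICATORS = ("System.Diagnostics", "Process", "MultiValuedProperty")

# Assumption (not taken from the page): SerializationData is carried as the text of
# an XML element with the attribute N="SerializationData", whatever its tag name.
_SERDATA_RE = re.compile(
    r'<(\w+)[^>]*\bN="SerializationData"[^>]*>([^<]*)</\1>', re.IGNORECASE
)


def extract_serialization_data(body: str) -> list[bytes]:
    """Return every successfully base64-decoded SerializationData blob in a body."""
    blobs = []
    for match in _SERDATA_RE.finditer(body):
        raw = re.sub(r"\s+", "", match.group(2))  # tolerate wrapped base64
        try:
            blobs.append(base64.b64decode(raw, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # undecodable data is not matched; a real sensor would log it
    return blobs


def inspect_request(path: str, body: str) -> dict:
    """Apply the described rule to one HTTP request and report what was found."""
    result = {
        "path_match": path.lower().startswith("/powershell"),
        "blobs": 0,
        "found": [],
        "alert": False,
    }
    if not result["path_match"]:
        return result
    for blob in extract_serialization_data(body):
        result["blobs"] += 1
        # Drop NUL bytes so UTF-16LE encoded strings still match the indicators,
        # then decode as latin-1 so every remaining byte survives.
        text = blob.replace(b"\x00", b"").decode("latin-1")
        found = sorted(ind for ind in INDICATORS if ind in text)
        result["found"] = sorted(set(result["found"]) | set(found))
        if len(found) == len(INDICATORS):
            result["alert"] = True
    return result


def _wrap(blob: bytes) -> str:
    """Build a constructed request body in the assumed envelope format."""
    encoded = base64.b64encode(blob).decode("ascii")
    return f'<Obj RefId="0"><MS><S N="SerializationData">{encoded}</S></MS></Obj>'


# Constructed sample bodies (not real traffic); the "suspicious" one merely
# embeds the indicator strings between placeholders.
SUSPICIOUS_BODY = _wrap(b"PLACEHOLDER MultiValuedProperty System.Diagnostics Process PLACEHOLDER")
BENIGN_BODY = _wrap("MultiValuedProperty EmailAddresses SMTP:user@example.com".encode("utf-16-le"))


if __name__ == "__main__":
    for label, path, body in [
        ("suspicious", "/powershell", SUSPICIOUS_BODY),
        ("benign", "/powershell", BENIGN_BODY),
        ("other path", "/owa/", SUSPICIOUS_BODY),
    ]:
        print(label, inspect_request(path, body))
```

The benign sample shows why the rule insists on all three indicators: MultiValuedProperty is a normal Exchange type and shows up in legitimate /powershell traffic, so matching it alone would page analysts constantly. The NUL-stripping step matters because .NET strings inside such blobs may be UTF-16 encoded, which a plain byte-string match on the indicators would miss.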

NVD Data


Description Summary

Microsoft Exchange Server Remote Code Execution Vulnerability

CVSS Base Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-502 Deserialization of Untrusted Data

Affected Software (CPE) (4)

  • cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*