u/maxcoder88

CVE-2023-21529 — Is Exchange Server SE (latest CU/SU) affected?

Hi all,

I'm running Exchange Server Subscription Edition (SE) with the latest CU and SU applied. I've noticed that CVE-2023-21529 (Exchange Server RCE via deserialization, CVSS 8.8) was added to CISA's KEV catalog yesterday (April 13, 2026), indicating active exploitation in the wild.

The official affected version list only mentions Exchange 2013 CU23, 2016 CU23, and 2019 CU11/CU12 — nothing about Exchange SE.

My understanding is that since Exchange SE RTM is code-equivalent to Exchange 2019 CU15, and the fix for CVE-2023-21529 was already included in CU13+ (KB5023038, Feb 2023), Exchange SE with latest patches applied should be unaffected.

Can anyone confirm this? Is Exchange SE with current CU/SU fully protected against CVE-2023-21529, or is there anything else I should be checking given the new CISA KEV listing?

u/maxcoder88 — 8 days ago

CVE-2025-58107 – Exchange ActiveSync cleartext data leak: what mitigations are you applying on on-prem Exchange SE?

Hey,

I'm investigating CVE-2025-58107 in our on-premises Exchange 2019 hybrid environment. According to the NVD entry, EAS configurations may transmit sensitive data from Samsung devices in cleartext — including username, email address, device ID, bearer token, and base64-encoded password.

A few things I'm trying to figure out:

  1. Scope – Is this limited to Samsung devices, or could other EAS clients be affected depending on how the device sends credentials? Has anyone reproduced this with non-Samsung clients?
  2. Mitigation – There's no Microsoft patch referenced yet (NVD status is still "Awaiting Analysis"). Are you blocking/restricting EAS at the CAS level, enforcing certificate-based auth, or just waiting for an official fix?
  3. Detection – Any IIS log patterns or network captures that helped you confirm whether your environment is actually leaking? Would love to know what to look for.
  4. Exchange Online hybrid – For those in hybrid setups, does the on-prem EAS endpoint exposure change your risk posture given that mailboxes may already be in EXO?

Running Exchange SE in a hybrid config. No official MSRC advisory linked to this CVE yet as far as I can tell. Wondering what steps others are taking in the meantime.

Thanks

u/maxcoder88 — 12 days ago