You are subscribed to National Cyber Awareness System Current Activity for
Cybersecurity and Infrastructure Security Agency. This information has recently
been updated, and is now available.
Microsoft April 2021 Security Update to Mitigate Newly Disclosed Microsoft
release date: April 13, 2021
April 2021 Security Update mitigates significant vulnerabilities
affecting on-premises Exchange Server 2016 and 2019. An attacker could exploit
these vulnerabilities to gain access and maintain persistence on the target
host. CISA strongly urges organizations to apply Microsoft’s April 2021
Security Update to mitigate against these newly disclosed vulnerabilities.
Note: the Microsoft security updates released in March 2021 do not remediate
against these vulnerabilities.
In response to these the newly disclosed vulnerabilities, CISA has issued Supplemental
Direction Version 2 to Emergency Directive (ED) 21-02: Mitigate Microsoft
Exchange On-Premises Product Vulnerabilities. ED 20-02 Supplemental Direction
V2 requires federal departments and agencies to apply Microsoft’s April 2021
Security Update to mitigate against these significant vulnerabilities affecting
on-premises Exchange Server 2016 and 2019.
Although CISA Emergency Directives only apply to Federal Civilian Executive
Branch agencies, CISA strongly encourages state and local governments, critical
infrastructure entities, and other private sector organizations to review ED
21-02 Supplemental Direction V2 and apply the security updates immediately. Review
the following resources for additional information:
Microsoft April 2021
Security Update Summary
Microsoft Exchange On-Premises Product Vulnerabilities Supplemental