Apply Microsoft April 2021 Security Update to Mitigate Newly Disclosed Microsoft Exchange Vulnerabilities

April 13, 2021
Original release date: April 13, 2021 | Last revised: April 14, 2021<br/><p><a href="https://msrc.microsoft.com/update-guide/releaseNote/2021-Apr">Microsoft's April 2021 Security Update</a>&nbsp;mitigates significant vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019. An attacker could exploit these vulnerabilities to gain access and maintain persistence on the target host. CISA strongly urges organizations to apply Microsoft's April 2021 Security Update to mitigate against these newly disclosed vulnerabilities. Note: the Microsoft security updates released in March 2021 do not remediate against these vulnerabilities.</p> <p>In response to these the newly disclosed vulnerabilities, CISA has issued <a href="https://cyber.dhs.gov/ed/21-02/#supplemental-direction-v2">Supplemental Direction Version 2</a> to Emergency Directive (ED) 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities. ED 20-02 Supplemental Direction V2 requires federal departments and agencies to apply Microsoft's April 2021 Security Update to mitigate against these significant vulnerabilities affecting on-premises Exchange Server 2016 and 2019.</p> <p>Although CISA Emergency Directives only apply to Federal Civilian Executive Branch agencies, CISA strongly encourages state and local governments, critical infrastructure entities, and other private sector organizations to review ED 21-02 Supplemental Direction V2 and apply the security updates immediately. Review the following resources for additional information:</p> <ul> <li><a href="https://msrc.microsoft.com/update-guide/releaseNote/2021-Apr">Microsoft April 2021 Security Update Summary</a>&nbsp;and <a href="https://msrc.microsoft.com/update-guide/deployments">Deployment Information</a></li> <li><a href="https://cyber.dhs.gov/ed/21-02/#supplemental-direction-v2">CISA ED 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities Supplemental Direction V2</a></li> <li><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-062a">CISA Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities</a></li> <li><a href="https://us-cert.cisa.gov https://us-cert.cisa.gov/remediating-microsoft-exchange-vulnerabilities">CISA web page: Remediating Microsoft Exchange Vulnerabilities</a></li> </ul> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p class="privacy-and-terms">This product is provided subject to this <a href="https://us-cert.cisa.gov/privacy/notification">Notification</a> and this <a href="https://www.dhs.gov/privacy-policy">Privacy &amp; Use</a> policy.</p> </div>