CISA Releases Supplemental Direction Version 2 to Emergency Directive 21-02 – April 13, 2021

Apply Microsoft April 2021 Security Update to Mitigate Newly Disclosed Microsoft Exchange Vulnerabilities

Critical Infrastructure Colleagues and Partners,

Today, the Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA) issued supplemental direction version 2 ( to Emergency Directive (ED) 21-02 requiring federal agencies to apply the Microsoft April 2021 update to all affected Exchange Servers. Microsoft Exchange Servers that cannot be updated within the given deadline must be immediately removed from agency networks.

Microsoft’s April 2021 Security Update ( mitigates significant vulnerabilities affecting on-premises Exchange Server 2016 and 2019. An attacker could exploit these vulnerabilities to gain access and maintain persistence on the target host. CISA strongly urges organizations to apply Microsoft’s April 2021 Security Update to mitigate against these newly disclosed vulnerabilities. Note: the Microsoft security updates released in March 2021 do not remediate against these newly identified vulnerabilities.

Although the Emergency Directive only applies to Federal Civilian Executive Branch agencies, CISA strongly encourages state and local governments, critical infrastructure entities, and other private sector organizations to review the [supplemental direction V2 (] and the following resources for additional information: