CVE-2021-38647
Published 2021-09-15
CVE-2021-38647: Open Management Infrastructure Remote Code Execution Vulnerability
Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2021-11-17
Exploited in the wild
EPSS: 99.72% (100.0th percentile)
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | azure_automation_update_management | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_diagnostics | >= 3.0.0 < LAD v4.0.13 and LAD v3.0.135 | LAD v4.0.13 and LAD v3.0.135 |
| microsoft | azure_security_center | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_sentinel | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_stack_hub | >= 1.0.0 < Monitor, Update and Config Mgmnt 1.14.01 | Monitor, Update and Config Mgmnt 1.14.01 |
| microsoft | azure_stack_hub | >= 1.0.0 < 3.1.135 | 3.1.135 |
| microsoft | container_monitoring_solution | >= 1.0.0 < publication | publication |
| microsoft | log_analytics_agent | >= 1.0.0 < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | open_management_infrastructure | >= 16.0 < OMI Version 1.6.8-1 | OMI Version 1.6.8-1 |
| microsoft | system_center_operations_manager | >= 1.0.0 < OMI version: 1.6.8-1 | OMI version: 1.6.8-1 |
| msrc | azure_automation_state_configuration_dsc_extension | — | — |
| msrc | azure_automation_update_management | — | — |
| msrc | azure_diagnostics | — | — |
| msrc | azure_security_center | — | — |
| msrc | azure_sentinel | — | — |
| msrc | azure_stack_hub | — | — |
| msrc | container_monitoring_solution | — | — |
| msrc | log_analytics_agent | — | — |
| msrc | open_management_infrastructure | — | — |
| msrc | system_center_operations_manager | — | — |
Detection & IOCs (extracted from sources)
Snort SID 58169
- Monitor for unexpected processes spawned as uid=0/gid=0 from the OMI server process (omiserver/omiengine), especially shell command execution (e.g., /bin/id or similar) that would indicate successful RCE exploitation.
- Detect exploitation by monitoring for SCX_OperatingSystem ExecuteShellCommand invocations arriving without a valid Authorization header on OMI HTTPS ports.
- Monitor for Mirai botnet activity targeting OMI ports; the Mirai botnet was observed launching mass exploitation attempts against CVE-2021-38647.
- Use the GreyNoise GNQL query 'cve:CVE-2021-38647' to identify opportunistic scanning and exploitation IPs targeting this vulnerability.
- Check for OMI versions 1.6.8.0 and below on Linux VMs; presence of these versions indicates a vulnerable and potentially exploitable host.
- CVE-2021-38647 is only exploitable remotely when OMI exposes its HTTPS management ports (5986/5985/1270) externally. Most Azure services deploy OMI without exposing these ports, limiting those deployments to local privilege escalation only.
- The OMI agent is silently installed without customer knowledge when certain Azure services are enabled on Linux VMs, so affected hosts may not be visible in standard asset inventories.
- A commit fixing the bug was silently pushed to the OMI GitHub repository on August 12, 2021, over a month before the official patch, potentially allowing threat actors to develop exploits from the diff before any customer notification.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
GHSA
GHSA-rp2g-5hw2-q565: Open Management Infrastructure Remote Code Execution Vulnerability
ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-287
VulnCheck
Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
vulncheck · 2021 · CVSS 9.8 · CRITICAL · CWE-1390
Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing remote code execution.
Affected: Microsoft Open Management Infrastructure (OMI)
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://x.com/Andrew___Morris/status/1438598477718622214; https://news.sophos.com/en-us/2021/09/14/big-office-bug-squashed-for-september-2021s-patch-tuesday/; https://www.cadosecurity.com/azure-omi-vulnerability-omigod-cve-2021-38647-now-under-exploitation/; https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentin
CISA
Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 9.8 · CRITICAL · CWE-1390
Affected: Microsoft Open Management Infrastructure (OMI)
Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-38647
Remediation Due Date: 2021-11-17
Microsoft
Open Management Infrastructure Remote Code Execution Vulnerability
vendor_msrc · 2021-09-14 · CVSS 9.8 · CRITICAL
FAQ: Update 9/16/2021: Where can I find more information about how to know if I'm protected and what steps can be taken to be protected?
Please see Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions for more information.
What is OMI?
Open Management Infrastructure (OMI) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor.
Suricata
ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M2
suricata · 2021-09-16 · CVSS 9.8 · CRITICAL
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman"; http.header_names; to_lowercase; content:!"|0d 0a|authorization|0d 0a|"; http.content_type; content:"application/soap+xml"; http.request_body; content:"|3c|p|3a|ExecuteShellCommand"; fast_pattern; nocase; content:"|3c|p|3a|command|3e|"; nocase; reference:url,github.com/horizon3ai/CVE-2021-38647/blob/main/omigod.py; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; reference:cve,2021-38647;
Suricata
ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M1
suricata · 2021-09-15 · CVSS 9.8 · CRITICAL
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman"; http.header_names; to_lowercase; content:!"|0d 0a|authorization|0d 0a|"; http.content_type; content:"application/soap+xml"; http.request_body; content:"|3c|p|3a|ExecuteScript"; fast_pattern; nocase; content:"|3c|p|3a|Script|3e|"; nocase; reference:url,attackerkb.com/topics/08O94gYdF1/cve-2021-38647; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; reference:cve,2021-38647; classtype:attemp
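The two ET rules above (M1 and M2) share one pattern: a POST to /wsman with a SOAP body that invokes ExecuteShellCommand or ExecuteScript, sent without any Authorization header. As an added example (not code from the Emerging Threats ruleset, the OMI project or any source quoted on this page), the following Python mirrors that rule logic over constructed HTTP request text so the conditions, including the negative cases the rules deliberately do not alert on (authenticated request, non-command operation), can be checked offline against proxy or PCAP exports.

```python
"""Plain-Python mirror of the ET Suricata rules M1 (ExecuteScript) and M2
(ExecuteShellCommand) for CVE-2021-38647, run over raw HTTP request text.

Added example for this page; the sample requests are constructed here and are
truncated SOAP skeletons, not real WS-Man traffic.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    method: str
    uri: str
    headers: Dict[str, str]   # header names lower-cased, as the rules do
    body: str


def parse_request(raw: str) -> Request:
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, uri, headers, body)


# Each rule keys on a WS-Man operation element plus one argument element,
# both with the "p:" prefix and matched case-insensitively (nocase).
RULES = {
    "M2": ("ExecuteShellCommand", "command"),
    "M1": ("ExecuteScript", "Script"),
}


def classify(raw: str) -> Optional[str]:
    """Return 'M1' or 'M2' when the request matches that rule, else None.

    Conditions mirrored from the rules: POST, URI contains /wsman, no
    Authorization header at all (the content:! negation), Content-Type
    application/soap+xml, and the operation/argument pair in the body.
    """
    req = parse_request(raw)
    if req.method != "POST" or "/wsman" not in req.uri:
        return None
    if "authorization" in req.headers:
        return None  # authenticated: the rules treat this as legitimate management traffic
    if "application/soap+xml" not in req.headers.get("content-type", "").lower():
        return None
    body = req.body.lower()
    for label, (op, arg) in RULES.items():
        if f"<p:{op.lower()}" in body and f"<p:{arg.lower()}>" in body:
            return label
    return None


def _wsman_post(auth: Optional[str], body: str) -> str:
    """Build a constructed request; only the fields the rules inspect are set."""
    hdrs = ["POST /wsman HTTP/1.1", "Host: vm.example.internal:5986",
            "Content-Type: application/soap+xml;charset=UTF-8",
            f"Content-Length: {len(body)}"]
    if auth is not None:
        hdrs.append(f"Authorization: {auth}")
    return "\r\n".join(hdrs) + "\r\n\r\n" + body


# Constructed sample bodies: just enough structure to exercise each check.
SHELL_BODY = ("<s:Envelope><s:Body><p:ExecuteShellCommand_INPUT>"
              "<p:command>id</p:command><p:timeout>0</p:timeout>"
              "</p:ExecuteShellCommand_INPUT></s:Body></s:Envelope>")
SCRIPT_BODY = ("<s:Envelope><s:Body><p:ExecuteScript_INPUT>"
               "<p:Script>ZWNobyBoaQ==</p:Script></p:ExecuteScript_INPUT>"
               "</s:Body></s:Envelope>")
ENUM_BODY = "<s:Envelope><s:Body><n:Enumerate/></s:Body></s:Envelope>"

SAMPLES = {
    "unauth_shell": _wsman_post(None, SHELL_BODY),            # the OMIGOD pattern (M2)
    "unauth_script": _wsman_post(None, SCRIPT_BODY),          # M1 variant
    "authed_shell": _wsman_post("Basic REDACTED", SHELL_BODY),  # credentials present
    "unauth_enumerate": _wsman_post(None, ENUM_BODY),         # no command execution
}


def scan(samples: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Classify every sample; a SIEM would alert on the non-None results."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:18s} -> {hit or 'no alert'}")
```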
Suricata
ET INFO Possible Microsoft OMI Agent Default TLS Certificate Observed
suricata · 2021-09-15 · CVSS 9.8 · CRITICAL
Rule: alert tls any [5986,5985,1270] -> any any (msg:"ET INFO Possible Microsoft OMI Agent Default TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"cloudapp.net"; tls.cert_issuer; content:".cloudapp.net"; reference:url,attackerkb.com/topics/08O94gYdF1/cve-2021-38647; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; classtype:bad-unknown; sid:2033955; rev:2; metadata:attack_target Server, created_at 2021_09_15, cve CVE_2021_38647, deployment Perimeter, deployment Internet, confidence Medium, signature_severity Informational, tag CISA_KEV, tag Description_Generated_
Metasploit
Microsoft OMI Management Interface Authentication Bypass
metasploit
By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8, 2021).
Nuclei
Microsoft Open Management Infrastructure - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
Microsoft Open Management Infrastructure is susceptible to remote code execution (OMIGOD).
Template:
```yaml
id: CVE-2021-38647

info:
  name: Microsoft Open Management Infrastructure - Remote Code Execution
  author: daffainfo,xstp
  severity: critical
  description: Microsoft Open Management Infrastructure is susceptible to remote code execution (OMIGOD).
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code with SYSTEM privileges.
  remediation: Updates for this vulnerability were published on GitHub on August 11, 2021.
  reference:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
    - https://attack
```
Wiz
What Are Zero-Day Exploits? | Wiz
blogs_wiz · 2025-10-10
## What are zero-day exploits?
Zero-day exploits (aka 0-days) pose the ultimate cybersecurity challenge: When attackers weaponize software vulnerabilities that developers, security researchers, and defensive systems haven’t detected, you have exactly zero days of advance warning before the hidden flaws in your software, hardware, or firmware cost you.
Here’s how these attacks unfold:
1. Attackers discover vulnerabilities through reverse engineering, fuzzing, or analyzing software patches.
2. They develop reliable exploit code that triggers flaws consistently across diverse environments.
3. Once perfected, exploits enter active deployment, with threat actors targeting specif
Wiz
Securing Azure middleware agents with new auto-patching capabilities | Wiz Blog
blogs_wiz · 2022-08-05 · CVSS 7.8 · HIGH
In the past year, Wiz Research has shed light on cloud middleware, software that brokers between customer workloads and cloud providers’ managed services. The task of updating middleware software is not well defined by the cloud shared responsibility model and customers are often unaware of its existence and the attack surface it may expose.
As new vulnerabilities are discovered in cloud middleware software such as Microsoft OMI (Open Management Infrastructure), used by multiple popular Azure services (Azure Automation, Azure Log Analytics, Azure Sentinel and more), vendors release patches and customers are required to manually install them. Recently, as part of Microsoft’s June 2022 Patch Tuesday, an update was included to fix CVE-2022-29149, a new local privilege escalation vulnerability
Wiz
Revisiting OMI: Analysis of CVE-2022-29149, a privilege escalation vulnerability in Azure OMI | Wiz Blog
blogs_wiz · 2022-08-05 · CVSS 9.8 · CVE-2022-29149 [CRITICAL]
In the last year, we invested time and effort researching cloud middleware, the software that bridges between customers' virtual machines and cloud providers’ managed services.
As part of June 2022 Patch Tuesday, Microsoft published a patch to fix a new privilege escalation vulnerability, CVE-2022-29149 in Open Management Infrastructure (OMI), with a CVSS score of 7.8 (the highest score possible for vulnerabilities that allow local privilege escalation). OMI is cloud middleware software used by Azure, typically installed on Linux VMs without explicit customer notification, like most other cloud agents. This is the fifth known vulnerability affecting OMI. Wiz Research found and reported the previous four vulnerabilities in June 2021, including an unauthenticated remote code execution vulne
Unit42
Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report
blogs_unit42 · 2022-07-21 · CVSS 9.8 · CVE-2017-5638 [CRITICAL]
Unit 42
Published: July 21, 2022
## Executive Summary
Tens of thousands of vulnerabilities are reported every year, but not all are used by threat actors in real-world attacks. There are many reasons for this: a proof of concept (PoC) may not be available for attackers to weaponize, it may be too difficult to exploit the vulnerability, there may be a lack of accessible vulnerable software on the internet, or attackers may simply deem a vulnerability not worth exploiting due to low impact. Real-world defenders need real-world data on which vulnerabilities attackers are choosing to exploit, and where to focus protections.
In the 2022 Unit 42 Network Threat Trends Research Report, we’ve used data captured by the Palo Alto Networks Advanced Threat Prevention security service on Next-Generation Firewall and Prisma SASE from
Unit42
Network Security Trends: November 2021 to January 2022
blogs_unit42 · 2022-05-31 · CVSS 9.8 · CRITICAL
Yue Guan
Published: May 31, 2022
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from November 2021 to January 2022. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, for example, cross-site scripting or denial of service.
Cross-site scripting stood out as a commonly used technique. Among around 6,443 newly published vulnerabilities, we found that a large portion (almost 10.6%) still involve this technique. However, by evaluating around 167 million attack sessions and focusing on the latest exploits in the wild, we conclude that remote code execution
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys · 2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Unit42
Network Security Trends: August-October 2021
blogs_unit42 · 2021-12-21 · CVSS 9.8 · CRITICAL
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from August-October 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, say, cross-site scripting or denial of service.
Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. For example, we chart a timeframe showing how frequently the most commonly exploited vulnerabilities were attacked through networks and the locations from which the att
Yue Guan
Published: December 21, 2021
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys · 2021-11-09
#### Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA's Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Tenable
Examining the Threat Landscape
blogs_tenable · 2021-10-29
Talos
Threat Source newsletter (Sept. 23, 2021)
blogs_talos · 2021-09-23
Good afternoon, Talos readers.
The Russian APT Turla is one of the most notorious threat actors out there today. And they aren't stopping, recently adding a new backdoor to their arsenal that serves as a "last chance" to retain a foothold on victim machines, even after their other malware has been removed.
Elsewhere on the APT landscape, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory warning users and organizations about a recent spike in Conti ransomware attacks. Their report even included a Talos shout-out! If you want to read our recent work on Conti, you can check out our major takeaways from their leaked playbook, and an episode of Talos Takes covering the matter.
## Upcoming Talos public engagements
Chats, Cheats, and Cracks: Abuse of Collaboration
Checkpoint
20th September – Threat Intelligence Report
blogs_checkpoint · 2021-09-19 · CVSS 7.8 · CVE-2021-40444 [HIGH]
For the latest discoveries in cyber research for the week of 20th September, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research has seen a global surge in the black market for fake COVID-19 vaccine certificates on Telegram, following US President Biden’s vaccine mandate announcements. The black market has expanded to serve 28 countries, including Austria, UAE, Brazil, UK, Singapore and more. The price for fake vaccine cert
Tenable
CVE-2021-38647 (OMIGOD): Critical Flaw Leaves Azure Linux VMs Vulnerable to Remote Code Execution
blogs_tenable · 2021-09-17 · CVSS 9.8 · CRITICAL
Unit42
Threat Brief: OMI Vulnerabilities (CVE-2021-38645, CVE-2021-38647, CVE-2021-38648 and CVE-2021-38649)
blogs_unit42 · 2021-09-16 · CVSS 7.8 · CVE-2021-38645 [HIGH]
Nathaniel Quist
Published: September 16, 2021
## Executive Summary
On Sept. 14, 2021, Microsoft’s Security Response Center (MSRC) released security patches detailing the findings of four critical vulnerabilities affecting the Microsoft Azure package Open Management Infrastructure (OMI). The open-source OMI package is designed to provide a portable infrastructure backbone for web-based management tools, such as diagnostic monitoring, log analytic services and automation functionality within UNIX and Linux systems. OMI is used by Microsoft Azure to manage UNIX packages within Azure virtual machines (VMs), containers and serverless cloud instances. According to Microsoft’s security release notes, any system created, or which has updated its OMI package, after Aug. 11, 2021, should automatically be patched.
## Four Critical OMI Vulnerab
Wiz
OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers | Wiz Blog
blogs_wiz·2021-09-14·CVSS 7.8
CVE-2021-38647 [HIGH] OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers | Wiz Blog
The Wiz Research Team recently found four critical vulnerabilities in OMI, which is one of Azure's most ubiquitous yet least known software agents and is deployed on a large portion of Linux VMs in Azure. The vulnerabilities are very easy to exploit, allowing attackers to remotely execute arbitrary code within the network with a single request and escalate to root privileges.
- CVE-2021-38647 – Unauthenticated RCE as root
- CVE-2021-38648 – Privilege Escalation vulnerability
- CVE-2021-38645 – Privilege Escalation vulnerability
- CVE-2021-38649 – Privilege Escalation vulnerability
Many different services in Azure are affected, including Azure Log Analytics, Azure Diagnostics and Azure Security Center, as Microsoft uses OMI extensively behind the scenes as a common component for many of its
Qualys
Microsoft and Adobe Patch Tuesday (September 2021) – Microsoft 60 Vulnerabilities with 3 Critical, Adobe 61 Vulnerabilities
blogs_qualys·2021-09-14·CVSS 8.1
CVE-2021-40444 [HIGH] Microsoft and Adobe Patch Tuesday (September 2021) – Microsoft 60 Vulnerabilities with 3 Critical, Adobe 61 Vulnerabilities
## Microsoft Patch Tuesday – September 2021
Microsoft patched 60 vulnerabilities in their September 2021 Patch Tuesday release, and an additional 26 CVEs since September 1st. Among the 60 released in the September Patch Tuesday, 3 of them are rated as critical severity, one as moderate, and 56 as important.
## Critical Microsoft Vulnerabilities Patched
CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability
This vulnerability has been publicly disclosed and is known to be exploited. The vulnerability allows for remote code execution via MSHTML, a component used by Internet Explorer and Office. Microsoft also released a workaround to show how users can disable ActiveX controls in IE. The vendor has assigned a CVSSv3 base score of 8.8. It should be prioritized for patching.
Krebs
Microsoft Patch Tuesday, September 2021 Edition
blogs_krebs·2021-09-14·CVSS 4.2
[MEDIUM] Microsoft Patch Tuesday, September 2021 Edition
Microsoft today pushed software updates to plug dozens of security holes in Windows and related products, including a vulnerability that is already being exploited in active attacks. Also, Apple has issued an emergency update to fix a flaw that’s reportedly been abused to install spyware on iOS products, and Google‘s got a new version of Chrome that tackles two zero-day flaws. Finally, Adobe has released critical security updates for Acrobat, Reader and a slew of other software.
Four of the flaws fixed in this patch batch earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by miscreants or malware to remotely compromise a Windows PC with little or no help from the user.
Top of the critical heap is CVE-2021-40444, which affects the “MSHTML” component of Interne
Talos
Microsoft Patch Tuesday for Sept. 2021 — Snort rules and prominent vulnerabilities
blogs_talos·2021-09-14·CVSS 8.1
CVE-2021-40444 [HIGH] Microsoft Patch Tuesday for Sept. 2021 — Snort rules and prominent vulnerabilities
By Jon Munshaw, with contributions from Holger Unterbrink.
Microsoft released its monthly security update Tuesday, disclosing 85 vulnerabilities across the company’s firmware and software. This month’s release is headlined by an official patch for the critical remote code execution vulnerability disclosed earlier this month in MSHTML.
CVE-2021-40444 is being actively exploited in the wild, according to Microsoft, and proof-of-concept code is now available, potentially widening the potential for attacks exploiting this vulnerability. This is the first official Microsoft update to address this issue. Talos has additional protection available here.
Users should download this patch immediately. Additionally, they can disable the installation of all ActiveX controls in Internet Explorer to m
Trendmicro
September Patch Tuesday: 66 Bulletins, Only 3 Critical
blogs_trendmicro·2021-09-14·CVSS 8.1
[HIGH] September Patch Tuesday: 66 Bulletins, Only 3 Critical
Exploits & Vulnerabilities
# September Patch Tuesday: 66 Bulletins, Only 3 Critical
The September 2021 Patch Tuesday cycle is relatively good news for system administrators with only 66 total bulletins. Perhaps more significantly, only three of these were Critical bulletins.
By: Trend Micro
2021/09/14
The September 2021 Patch Tuesday cycle is relatively good news for system administrators with only 66 total bulletins. Perhaps more significantly, only three of these were Critical bulletins. Eleven of these bulletins fixed vulnerabilities that were disclosed to Microsoft via the Zero Day Initiative. Overall, the month offers system administrators a chance to catch up on other necessary tasks.
Only 3 Critical Patches for September
As mentioned previou
Wiz
“Secret” Agent Exposes Azure Customers To Unauthorized Code Execution | Wiz Blog
blogs_wiz·2021-09-14
“Secret” Agent Exposes Azure Customers To Unauthorized Code Execution | Wiz Blog
Update September 18, 08:00AM EST - Microsoft updated its advisory and declared an auto-update for their PaaS service offerings that use vulnerable VM extensions by September 22, 2021. Microsoft also clarified which instances will still require manual patching, see details.
Update September 17, 10:00AM EST - Wiz's threat research team is aware of wide active exploitation attempts of OMIGOD by malicious DDoS botnets (Mirai) and cryptominers. We urge customers to follow the remediation steps below.
Update September 17, 06:00AM EST - Microsoft has started updating impacted Azure services. Azure Log Analytics and others are yet to be patched. Existing machines onboarded to impacted services still require manual update. Follow the updated mitigation guidance by MSRC.
Update September 16, 07
Greynoiseio
Malicious Tag Roundup (Sep 14-30, 2021)
blogs_greynoiseio·CVSS 7.8
[HIGH] Malicious Tag Roundup (Sep 14-30, 2021)
Crowdstrike
September 2021 Patch Tuesday: Updates and Analysis
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] September 2021 Patch Tuesday: Updates and Analysis
http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38647
2021-09-15
Published
2021-11-03
Added to CISA KEV
Exploited in the wild