CVE-2021-38647
published 2021-09-15

CVE-2021-38647: Open Management Infrastructure Remote Code Execution Vulnerability

Priority: P1
Severity: critical (CVSS 3.1 base score 9.8)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, exploited in the wild (ITW), public exploit, ransomware, initial access
CISA Known Exploited Vulnerability (remediation due 2021-11-17)
Exploited in the wild
EPSS: 99.72% (100.0th percentile)

Affected

20 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | azure_automation_update_management | >= 1.0.0, < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_diagnostics | >= 3.0.0, < LAD v4.0.13 and LAD v3.0.135 | LAD v4.0.13 and LAD v3.0.135 |
| microsoft | azure_security_center | >= 1.0.0, < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_sentinel | >= 1.0.0, < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | azure_stack_hub | >= 1.0.0, < Monitor, Update and Config Mgmnt 1.14.01 | Monitor, Update and Config Mgmnt 1.14.01 |
| microsoft | azure_stack_hub | >= 1.0.0, < 3.1.135 | 3.1.135 |
| microsoft | container_monitoring_solution | >= 1.0.0, < publication | publication |
| microsoft | log_analytics_agent | >= 1.0.0, < OMS Agent for Linux GA v1.13.40-0 | OMS Agent for Linux GA v1.13.40-0 |
| microsoft | open_management_infrastructure | >= 16.0, < OMI Version 1.6.8-1 | OMI Version 1.6.8-1 |
| microsoft | system_center_operations_manager | >= 1.0.0, < OMI version: 1.6.8-1 | OMI version: 1.6.8-1 |
| msrc | azure_automation_state_configuration_dsc_extension | (not stated) | (not stated) |
| msrc | azure_automation_update_management | (not stated) | (not stated) |
| msrc | azure_diagnostics | (not stated) | (not stated) |
| msrc | azure_security_center | (not stated) | (not stated) |
| msrc | azure_sentinel | (not stated) | (not stated) |
| msrc | azure_stack_hub | (not stated) | (not stated) |
| msrc | container_monitoring_solution | (not stated) | (not stated) |
| msrc | log_analytics_agent | (not stated) | (not stated) |
| msrc | open_management_infrastructure | (not stated) | (not stated) |
| msrc | system_center_operations_manager | (not stated) | (not stated) |

Detection & IOCs (extracted from sources)

  • port: 5986
  • port: 5985
  • version: OMI 1.6.8.0 and below
  • path: /opt/omi/bin/omicli
  • snort: 58169
  • Monitor for unexpected processes spawned as uid=0/gid=0 from the OMI server process (omiserver/omiengine), especially shell command execution (e.g., /bin/id or similar) that would indicate successful RCE exploitation.
  • Detect exploitation by monitoring for SCX_OperatingSystem ExecuteShellCommand invocations arriving without a valid Authorization header on OMI HTTPS ports.
  • Monitor for Mirai botnet activity targeting OMI ports, as the Mirai botnet was observed launching mass exploitation attempts against CVE-2021-38647.
  • Use GreyNoise GNQL query 'cve:CVE-2021-38647' to identify opportunistic scanning and exploitation IPs targeting this vulnerability.
  • Check for OMI versions 1.6.8.0 and below on Linux VMs; presence of these versions indicates a vulnerable and potentially exploitable host.
  • CVE-2021-38647 RCE is only exploitable remotely when OMI exposes HTTPS management ports (5986/5985/1270) externally. Most Azure services deploy OMI without exposing these ports, limiting those deployments to local privilege escalation only.
  • The OMI agent is silently installed without customer knowledge when certain Azure services are enabled on Linux VMs, meaning affected hosts may not be visible in standard asset inventories.
  • A patch-fixing commit was silently pushed to the OMI GitHub repository on August 12, 2021, over a month before the official patch, potentially allowing threat actors to develop exploits from the diff before any customer notification.

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
| vendor_msrc | | 9.8 | CRITICAL | |