CVE-2021-38647
CVE-2021-38647 is a critical-severity vulnerability in Microsoft Azure Automation State Configuration with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03).
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-25086
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Affected product: Microsoft Azure Automation State Configuration
- Published:
- Last modified:
Description
Open Management Infrastructure Remote Code Execution Vulnerability
CVE-2021-38647: Open Management Infrastructure Remote Code Execution Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-38647 |
| CVSS v3 | 9.8 (CRITICAL) |
| EPSS | 0.99723 (99.952 percentile) |
| KEV | Yes (added 2021-11-03) |
| Assigner | Microsoft ([email protected]) |
| Published | 2021-09-15 |
Summary
Open Management Infrastructure (OMI) contains a remote code execution vulnerability that allows an unauthenticated attacker to execute arbitrary code with elevated privileges.
Background
Microsoft Open Management Infrastructure (OMI) is an open-source management agent used across multiple Azure services, including Azure Automation, Azure Security Center, Azure Sentinel, Azure Stack Hub, and System Center Operations Manager. The agent provides remote management capabilities for systems running these services. This vulnerability was disclosed in September 2021.
Root Cause
The specific weakness underlying this vulnerability was not disclosed with a CWE identifier in the available data. The vulnerability is classified as a remote code execution issue in the OMI management interface, enabling unauthorized access to the agent's execution functionality. In the absence of a confirmed CWE, defenders should treat this as a critical authentication weakness in a management interface.
Impact
CVSS 3.1 score: 9.8 (CRITICAL). The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates:
- Attack Vector: Network — exploitable remotely without local access.
- Attack Complexity: Low — no special conditions or advanced preparation required.
- Privileges Required: None — no authentication needed.
- User Interaction: None — fully automated.
- Scope: Unchanged.
- Confidentiality, Integrity, Availability: All rated HIGH.
This is a maximum-severity vulnerability allowing complete system compromise by an unauthenticated remote attacker.
Exploitation Walkthrough
Defensive Analysis Only. This section describes the attack surface for defenders and detection engineers. No weaponized code or step-by-step exploitation instructions are provided.
The vulnerability is exposed through the OMI management interface, which is deployed as part of the Azure Log Analytics Agent and other Microsoft monitoring solutions. An unauthenticated attacker on the network can send a specially crafted request to the OMI agent to execute commands with elevated privileges. Successful exploitation grants complete control over the underlying host.
Ethics caveat: This vulnerability is a known, actively exploited flaw. Attempting to exploit it on systems you do not own or have explicit permission to test is illegal and unethical.
Affected and Patched Versions
Specific version ranges for affected and patched releases were not available in the source data. The following products and services are confirmed vulnerable based on CPE data:
- Microsoft Azure Automation State Configuration
- Microsoft Azure Automation Update Management
- Microsoft Azure Diagnostics (LAD)
- Microsoft Azure Open Management Infrastructure
- Microsoft Azure Security Center
- Microsoft Azure Sentinel
- Microsoft Azure Stack Hub
- Microsoft Container Monitoring Solution
- Microsoft Log Analytics Agent
- Microsoft System Center Operations Manager
Administrators should verify the specific patch level for their deployment through Microsoft security guidance.
Remediation
- Upgrade immediately: Apply the latest Microsoft security update for the Log Analytics Agent and any affected Azure management extensions. Verify that the OMI agent is updated to the patched version.
- Compensating controls: Until patching is complete:
- Restrict network access to the OMI management interface using host firewalls or network security groups to only trusted management hosts.
- Disable or uninstall the OMI agent on systems where it is not required.
- Monitor Azure VM extensions and remove unused diagnostic or monitoring extensions.
Detection
- Monitor for unexpected inbound connections to OMI management interfaces from untrusted network segments.
- Review authentication and authorization logs for the OMI agent for anomalous access patterns.
- Audit process execution for child processes spawned by the OMI agent or related services.
- Leverage Microsoft Defender for Endpoint or equivalent EDR solutions to detect post-exploitation behavior on systems running the Log Analytics Agent.
Assessment
CVE-2021-38647 is a critical, actively exploited vulnerability. With an EPSS of 0.99723 and inclusion in CISA's Known Exploited Vulnerabilities Catalog, this flaw represents one of the highest-risk issues in the Azure management ecosystem. Organizations should prioritize patching and network segmentation for any system running the OMI agent.
Lessons:
- Management agents are high-value targets: Remote management interfaces require rigorous authentication and should never be exposed to untrusted networks.
- Supply chain visibility matters: OMI is a dependency of multiple Azure services. Vulnerabilities in shared agents can cascade across an entire cloud estate.
References
Frequently asked questions
- What is CVE-2021-38647?
- Open Management Infrastructure Remote Code Execution Vulnerability
- How severe is CVE-2021-38647?
- CVE-2021-38647 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-38647 being actively exploited?
- Yes. CVE-2021-38647 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-38647?
- CVE-2021-38647 primarily affects Microsoft Azure Automation State Configuration. In total, 10 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-38647?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-38647 have an EU (EUVD) identifier?
- Yes. CVE-2021-38647 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-25086. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-38647 published?
- CVE-2021-38647 was published on 2021-09-15 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38647
Affected products (10)
- cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:azure_automation_update_management:-:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:azure_diagnostics_\(lad\):-:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:azure_open_management_infrastructure:-:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:azure_security_center:-:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:azure_sentinel:-:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:azure_stack_hub:-:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:container_monitoring_solution:-:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:log_analytics_agent:-:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:system_center_operations_manager:-:*:*:*:*:*:*:*
More vulnerabilities in Microsoft Azure Automation State Configuration
- CVE-2022-29149 — High (CVSS 7.8): Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability
- CVE-2021-38648 — High (CVSS 7.8): Open Management Infrastructure Elevation of Privilege Vulnerability
- CVE-2021-38645 — High (CVSS 7.8): Open Management Infrastructure Elevation of Privilege Vulnerability
- CVE-2021-38649 — High (CVSS 7.0): Open Management Infrastructure Elevation of Privilege Vulnerability
All CVEs affecting Microsoft Azure Automation State Configuration →