IRONSMITHINTEL
HIGHCVSS7.8
|
Actively Exploited
|CISA KEV|CVE-2021-38648|Auth: low — authenticated user|Reboot: required|Manual only

Microsoft Open Management Infrastructure (OMI) < 3.1.135 — PE

Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing privilege escalation.

Published Sep 15, 2021 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A local attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2021-11-17 under CISA BOD 22-01.

How the attack worksNo clicks needed

This vulnerability affects Microsoft Open Management Infrastructure (OMI). Open Management Infrastructure Elevation of Privilege Vulnerability Exploitation requires local access, low attack complexity, a low-privilege authenticated account, and no user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running azure automation state configuration: -; azure automation update management: -; azure diagnostics \(lad\): -; azure open management infrastructure: -; azure security center: -; azure sentinel: -; azure stack hub: -; container monitoring solution: -; log analytics agent: -; system center operations manager: -
Fixed in3.1.135, DSC Agent versions: 2.71.1.25, 2.70.0.30, 3.0.0.3, LAD v4.0.13 and LAD v3.0.135
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/164925/Microsoft-OMI-Management-Interface-Authentication-Bypass.html

How to patch

Manual remediation steps

Apply the Microsoft Security Update

This vulnerability is fixed by Microsoft's official security update.

Affected Products

    1
    Azure Automation State Configuration, DSC Extension
    1
    Azure Automation Update Management
    1
    Azure Diagnostics (LAD)
    1
    Azure Security Center
    1
    Azure Sentinel
    1
    Azure Stack Hub
    1
    Container Monitoring Solution
    1
    Log Analytics Agent
    1
    Open Management Infrastructure
    1
    System Center Operations Manager (SCOM)

Installation Methods

Windows Update (recommended)

1
Open Settings → Windows Update → Check for updates
2
The security update will be offered if applicable to your system
3
Restart when prompted

Microsoft Download Links

    1
    https://github.com/microsoft/omi-kits/tree/master/release

Verification

Confirm the update is installed:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10

References

    1
    Microsoft Security Response Center: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38648
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-38648
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38648

Discovery Credit

<a href="https://twitter.com/shirtamari">Shir Tamari</a> with <a href="https://wiz.io">Wiz.io</a>, <a href="https://twitter.com/nirohfeld">Nir Ohfeld</a> with <a href="https://wiz.io">Wiz.io</a>

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2021-38648MSRC AdvisoryNVD