IRONSMITHINTEL
Critical · CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2021-38647 | Auth: none (unauthenticated) | Reboot: required | Manual only

Microsoft Open Management Infrastructure (OMI) < 3.1.135 — RCE

Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing remote code execution.

Published Sep 15, 2021 · Updated May 16, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

A remote attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2021-11-17 under CISA BOD 22-01.

How the attack works (no clicks needed)

This vulnerability affects Microsoft Open Management Infrastructure (OMI) and is tracked as the Open Management Infrastructure Remote Code Execution Vulnerability. Exploitation requires remote network access, has low attack complexity, needs no authentication, and needs no user interaction.

[Attack-chain graphic: phishing link → malicious file → server compromised]

Am I affected? (quick check)

Probably yes if any of these apply:

IT Security: running any of the following (affected version: -)
  - azure automation state configuration: -
  - azure automation update management: -
  - azure diagnostics (lad): -
  - azure open management infrastructure: -
  - azure security center: -
  - azure sentinel: -
  - azure stack hub: -
  - container monitoring solution: -
  - log analytics agent: -
  - system center operations manager: -

Fixed in: 3.1.135; DSC Agent versions: 2.71.1.25, 2.70.0.30, 3.0.0.3; LAD v4.0.13 and LAD v3.0.135

Real-world incidents (what we've seen)

Used in known ransomware campaigns. Threat-research write-up: http://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html

How to patch

Manual remediation steps

Apply the Microsoft Security Update

This vulnerability is fixed by Microsoft's official security update.

Affected Products

    1. Azure Automation State Configuration, DSC Extension
    2. Azure Automation Update Management
    3. Azure Diagnostics (LAD)
    4. Azure Security Center
    5. Azure Sentinel
    6. Azure Stack Hub
    7. Container Monitoring Solution
    8. Log Analytics Agent
    9. Open Management Infrastructure
    10. System Center Operations Manager (SCOM)

Installation Methods

Windows Update (recommended)

1. Open Settings → Windows Update → Check for updates
2. The security update will be offered if applicable to your system
3. Restart when prompted

Microsoft Download Links

    1. https://github.com/microsoft/omi-kits/tree/master/release

Verification

Confirm the update is installed:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10

References

    1. Microsoft Security Response Center: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647
    2. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-38647
    3. CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-38647

Discovery Credit

Shir Tamari (https://twitter.com/shirtamari) with Wiz.io (https://wiz.io), Nir Ohfeld (https://twitter.com/nirohfeld) with Wiz.io (https://wiz.io)

PowerShell automation (coming soon)

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.