Cyber Resilience

CVE-2021-22506

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 26 March 2021

Modified: 27 October 2025
KEV Added: 03 November 2021
Patch:
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.1055 (93.4th percentile)
Risk Priority: 41 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22506 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Micro Focus Access Manager. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood (EPSS 93.4th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

The vulnerability is an information leakage issue in the Micro Focus Access Manager product, affecting all versions prior to 5.0 when advanced configuration options are enabled. It is tracked as CVE-2021-22506 with a CVSS 3.1 score of 7.5, reflecting a network attack vector that requires neither authentication nor user interaction.

An unauthenticated remote attacker can exploit the flaw over the network to obtain sensitive information that would otherwise remain protected, resulting in high confidentiality impact without affecting integrity or availability.

Micro Focus release notes for version 5.0 address the issue through a product update. CISA's inclusion of the CVE in its Known Exploited Vulnerabilities catalog confirms active real-world exploitation and the need for prioritized remediation by affected organizations.

EU & UK References

Vulnerability details

Advanced configuration exposing an information leakage vulnerability in the Micro Focus Access Manager product affects all versions prior to version 5.0. The vulnerability could cause information leakage.

CWE(s):
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: microfocus · Product: access manager · Versions: ≤ 5.0

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement) · prevent

Directly enforces access control decisions to block unauthenticated network requests that would otherwise leak sensitive information from the Access Manager product.

AC-4 (Information Flow Enforcement) · prevent

Enforces information flow policies to stop unauthorized disclosure of data exposed by the advanced-configuration flaw.

SC-7 (Boundary Protection) · prevent

Boundary protection mechanisms can restrict the network-accessible interfaces an unauthenticated attacker would use to obtain the leaked information.

References