Cyber Resilience

CVE-2021-38647

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 15 September 2021
Modified: 30 October 2025
KEV added: 03 November 2021
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9439 (100.0th percentile)
Risk priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-38647 is a critical-severity remote code execution vulnerability in Open Management Infrastructure (OMI), the management agent that ships with Microsoft Azure Automation State Configuration and the other Azure Linux management components listed under Affected Assets. No CWE has been assigned. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score places it in the 100th percentile of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-38647 is a remote code execution vulnerability in Open Management Infrastructure (OMI), a component used in multiple Microsoft Azure services and Linux management agents. The flaw carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low attack complexity, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability.

An unauthenticated attacker with network access to an exposed OMI management interface can exploit the issue to bypass authentication and execute arbitrary code on the affected system. Public exploit code referencing an authentication bypass in the OMI management interface has been published, confirming the practical attack path.

Microsoft published an advisory detailing the vulnerability and available updates, while CISA added CVE-2021-38647 to its catalog of known exploited vulnerabilities, indicating confirmed in-the-wild exploitation.

Vulnerability details

Title: Open Management Infrastructure Remote Code Execution Vulnerability
CWE(s): not listed
KEV date added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Microsoft. All versions of the following products are listed as affected:

- Azure Automation State Configuration
- Azure Automation Update Management
- Azure Diagnostics (LAD)
- Azure Open Management Infrastructure
- Azure Security Center
- Azure Sentinel
- Azure Stack Hub
- Container Monitoring Solution
- Log Analytics Agent
- System Center Operations Manager

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3, Access Enforcement)

Directly enforces authentication and authorization on the OMI management interface, blocking the unauthenticated remote code execution path described in the CVE.

prevent (SI-2, Flaw Remediation)

Requires prompt application of vendor patches to eliminate the OMI RCE flaw before unauthenticated attackers can exploit it.

prevent

Restricts network exposure of the OMI management port to only authorized sources, reducing the attack surface for the network-based exploit. Because the attack vector is network-based and needs no credentials, an unpatched host whose OMI listener is bound to a routable address is the case to find first.
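The following Python triage script is an added example, not code or tooling from this advisory page or from Microsoft. It combines the two checks the controls above call for, patch status (SI-2) and network exposure of the OMI listener, and runs offline over a constructed inventory: each entry is a host name, the installed OMI package version string, and captured `ss -lntp` output. The OMI port numbers (TCP 5985 for HTTP and 5986 for HTTPS) and the fixed OMI version (1.6.8-1) are assumptions taken from Microsoft's published OMI guidance, not from this page; the three hosts and their listener tables are constructed sample data.

```python
"""Triage hosts for CVE-2021-38647 exposure: unpatched OMI plus a network-reachable listener.

Added example; the constants below are assumptions from Microsoft's OMI guidance,
not values stated on the advisory page.
"""
import re

# Assumption: OMI's WS-Management listener uses TCP 5985 (HTTP) and 5986 (HTTPS),
# and the fix for CVE-2021-38647 shipped in OMI 1.6.8-1.
OMI_PORTS = {5985, 5986}
FIXED_VERSION = (1, 6, 8, 1)
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_omi_version(text):
    """Extract an OMI version tuple from strings such as 'omi-1.6.4-1' or '1.6.8.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)[.-](\d+)", text)
    if not m:
        raise ValueError(f"no OMI version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True when the installed OMI version is at or above the fixed version."""
    return parse_omi_version(version_text) >= FIXED_VERSION


def exposed_omi_listeners(ss_output):
    """Return (address, port) pairs from `ss -lntp`-style output where an OMI port
    is bound to a non-loopback address, i.e. reachable from the network."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, port = fields[3].rpartition(":")  # handles "0.0.0.0:5986" and "[::]:5986"
        if not port.isdigit() or int(port) not in OMI_PORTS:
            continue
        if addr in LOOPBACK:
            continue  # bound to localhost only: not reachable over the network
        hits.append((addr, int(port)))
    return hits


def triage_host(name, version_text, ss_output):
    """Combine patch status and listener exposure into a single verdict for one host."""
    patched = is_patched(version_text)
    exposed = exposed_omi_listeners(ss_output)
    if patched:
        verdict = "patched"
    elif exposed:
        verdict = "vulnerable-network-exposed"
    else:
        verdict = "vulnerable-not-network-exposed"
    return {"host": name, "omi_version": version_text, "patched": patched,
            "exposed_listeners": exposed, "verdict": verdict}


# Constructed sample inventory (hypothetical hosts and captured `ss -lntp` output).
SAMPLE_INVENTORY = [
    ("lnx-web-01", "omi-1.6.4-1", """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=811,fd=3))
LISTEN 0      128    0.0.0.0:5986      0.0.0.0:*     users:(("omiserver",pid=1502,fd=5))
"""),
    ("lnx-db-02", "omi-1.6.4-1", """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5985    0.0.0.0:*     users:(("omiserver",pid=1377,fd=5))
"""),
    ("lnx-app-03", "omi-1.6.8-1", """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    [::]:5986         [::]:*        users:(("omiserver",pid=990,fd=5))
"""),
]


def triage_inventory(inventory=SAMPLE_INVENTORY):
    """Triage every host in the inventory; network-exposed unpatched hosts come first."""
    results = [triage_host(*entry) for entry in inventory]
    order = {"vulnerable-network-exposed": 0, "vulnerable-not-network-exposed": 1, "patched": 2}
    return sorted(results, key=lambda r: order[r["verdict"]])


if __name__ == "__main__":
    for r in triage_inventory():
        print(f"{r['host']:<12} omi={r['omi_version']:<12} "
              f"exposed={r['exposed_listeners']} -> {r['verdict']}")
```

The ordering matters for triage: an unpatched host whose listener is bound to 0.0.0.0 or [::] is reachable by the unauthenticated, no-interaction attack path the CVSS vector describes and should be patched or isolated first; an unpatched host with a loopback-only listener still needs SI-2 applied but is not reachable by the network-based exploit. Collecting `ss -lntp` requires root to see the owning process name, which is why the script keys on the port rather than on "omiserver".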