Cyber Resilience

CVE-2021-38649

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 September 2021

Modified: 30 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0673 (91.5th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-38649 is a high-severity vulnerability of unspecified weakness type in Microsoft Azure Automation State Configuration. Its CVSS base score is 7.0 (High).

Operationally, it ranks in the top 8.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-38649 is an elevation of privilege vulnerability affecting the Open Management Infrastructure component. It carries a CVSS 3.1 base score of 7.0 with the vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that successful exploitation can allow an attacker to obtain full control over confidentiality, integrity, and availability on the affected system.

A local attacker with low privileges can exploit the flaw without user interaction, though the attack complexity is high. Successful exploitation lets the attacker elevate privileges on the target system, with high impact across confidentiality, integrity, and availability.

Microsoft security guidance and the CISA Known Exploited Vulnerabilities catalog reference this issue, confirming that it has been observed in real-world exploitation and directing administrators to apply available updates or mitigations through official Microsoft channels.

Vulnerability details

Open Management Infrastructure Elevation of Privilege Vulnerability

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft: azure automation state configuration (all versions)
microsoft: azure automation update management (all versions)
microsoft: azure diagnostics (lad) (all versions)
microsoft: azure open management infrastructure (all versions)
microsoft: azure security center (all versions)
microsoft: azure sentinel (all versions)
microsoft: azure stack hub (all versions)
microsoft: container monitoring solution (all versions)
microsoft: log analytics agent (all versions)
microsoft: system center operations manager (all versions)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires timely installation of the vendor patches that close the OMI privilege-escalation flaw.

prevent: Enforces least-privilege restrictions so a low-privileged local account cannot obtain the elevated rights the vulnerability would otherwise grant.

prevent: Access-enforcement mechanisms block the unauthorized elevation path that the OMI flaw exploits.
