CVE-2021-38648

HIGH KEV

Microsoft OMI Management Interface Authentication Bypass


Exploitation Summary

CVE-2021-38648 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 1 public exploit from researchers including Nir Ohfeld, Shir Tamari and Spencer McIntyre: the Metasploit module exploits/linux/local/cve_2021_38648_omigod.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2021-38648, an authentication bypass in Microsoft OMI, allowing command execution as root via the local OMI management socket. It supports both direct command execution and payload droppers for Linux systems.

Description

Open Management Infrastructure Elevation of Privilege Vulnerability

Exploits (1)

metasploit WORKING POC EXCELLENT
by Nir Ohfeld, Shir Tamari, Spencer McIntyre · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/cve_2021_38648_omigod.rb

Classification
Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft OMI versions < 1.6.8-1
No auth needed
Prerequisites: Local access to the target system · OMI server running and accessible via socket · Python binary available on the target
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.1093
EPSS Percentile 95.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-09-17
InTheWild.io 2021-11-03
ENISA EUVD EUVD-2021-25087
Status published
Products (10)
microsoft/azure_automation_state_configuration
microsoft/azure_automation_update_management
microsoft/azure_diagnostics_(lad)
microsoft/azure_open_management_infrastructure
microsoft/azure_security_center
microsoft/azure_sentinel
microsoft/azure_stack_hub
microsoft/container_monitoring_solution
microsoft/log_analytics_agent
microsoft/system_center_operations_manager
Published Sep 15, 2021
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026