A Mirai botnet is abusing recently disclosed vulnerabilities in Open Management Infrastructure (OMI), an open-source Web-Based Enterprise Management (WBEM). The exploited vulnerabilities are called OMIGOD and were disclosed recently by Microsoft.

What has happened?

According to researchers, Mirai operators had already started exploiting systems exposed to the OMIGOD vulnerability days after it was disclosed. The flaws were discovered by Wiz and named OMIGOD.
  • The flaw, tracked as CVE-2021-38647, exists in OMI, which is used in multiple Azure services and VM management extensions.
  • Besides, there are other three flaws (CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649) that allow an attacker to elevate privileges.
  • OMIGOD flaw affects customers using Linux management solution on-premises SCOM, Azure Desired State Configuration extension, and Automation State Configuration, used for remote management.

Furthermore, the botnet closes port 5896 to stop other attackers from abusing it.

Advisory notes

  • The exploited vulnerabilities have already been addressed by Microsoft in the September 2021 Patch Tuesday release.
  • Additionally, customers with OMI listening on ports 1270, 5985, and 5986 are advised to limit network access to those ports as soon as possible to stay protected from CVE-2021-38647.
  • The tech giant has released a patched OMI version (1.6.8-1) addressing the flaws. Moreover, the tech firm suggested customers update OMI manually with suggested steps.


The recently discovered flaws are already being exploited in the wild, which makes it important for users to update their software at the earliest. Moreover, there is no auto-update mechanism for Microsoft to fix the exposed agents on all Azure Linux machines. Therefore, customers have to update manually to protect endpoints from OMIGOD exploits.

Cyware Publisher