Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance
Microsoft’s guidance was published just as researchers noticed that one of the vulnerabilities is already being exploited in the wild. It appears that the Mirai botnet is attempting to compromise vulnerable systems and that it also closes port 5896 (OMI SSL port) to keep other attackers out.

OMI (Open Management Infrastructure), an open-source Web-Based Enterprise Management (WBEM) implementation, allows for the management of Linux and UNIX systems and is used in various Azure services and Azure Virtual Machine (VM) management extensions.

As part of the September 2021 patches, Microsoft addressed four issues in OMI, one critical bug leading to unauthenticated remote code execution and three high-severity flaws allowing an attacker to elevate privileges. The issues were identified by security researchers with Wiz, which named the RCE defect OMIGOD.