Unrated severity · NVD Advisory · Published Feb 12, 2021 · Updated Aug 3, 2024

CVE-2021-22504

Description

Remote code execution vulnerability in Micro Focus Operations Bridge Manager allows unauthenticated attackers to execute arbitrary code on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A critical arbitrary code execution vulnerability exists in Micro Focus Operations Bridge Manager (OBM). The flaw affects versions 10.1x, 10.6x, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, and 2020.10. An unauthenticated remote attacker can exploit this vulnerability without any special configuration or user interaction [1].

Exploitation

An attacker with network access to the OBM server can send specially crafted requests to trigger the vulnerability. No authentication or prior knowledge is required. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) indicates low attack complexity and no user interaction, making exploitation straightforward [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the OBM server with full system privileges. This results in complete compromise of confidentiality, integrity, and availability of the affected system. The attacker can install malware, modify data, or disrupt operations [1].

Mitigation

Micro Focus has released patches for all affected versions. Users should apply the latest updates as provided in the vendor's security bulletin [1]. If patching is not immediately possible, restrict network access to the OBM server and monitor for suspicious activity. No workarounds are documented.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

The advisory does not disclose the root cause; the vulnerability allows remote unauthenticated attackers to execute arbitrary code on an OBM server.

Attack vector

A remote, unauthenticated attacker can exploit this vulnerability over the network to execute arbitrary code on an OBM server [1]. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) indicates no authentication or user interaction is required, and the attack complexity is low [1]. The advisory does not disclose the specific protocol or payload shape.

Affected code

The advisory does not specify the exact file paths or functions at fault. The vulnerability affects Micro Focus Operations Bridge Manager versions 10.1x, 10.6x, 2018.05, 2018.11, 2019.05, 2019.11, 2020.05, and 2020.10.

What the fix does

The advisory directs customers to a separate knowledge base article (KM03777230) for the resolution [1]. No patch diff is provided in this bundle, so the exact code changes are unknown. The fix likely addresses an input validation or access control flaw that allowed unauthenticated remote code execution.

Preconditions

  • network: The attacker must be able to reach the OBM server over the network.
  • auth: No authentication or user interaction is required.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
