Arbitrary Code Execution in Bentley MicroStation Software
CVE-2022-28643

7.8HIGH

Key Information:

Vendor
Bentley
Vendor
CVE Published:
29 March 2023

Summary

This vulnerability in Bentley MicroStation CONNECT allows remote attackers to execute arbitrary code through specially crafted DGN files. The exploit requires user interaction, making it essential for the victim to open a malicious file or visit an infected page. The underlying issue arises from improper parsing that leads to a buffer overflow, enabling the execution of unauthorized commands within the context of the current process.

Affected Version(s)

MicroStation CONNECT 10.16.02.34

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

Mat Powell of Trend Micro Zero Day Initiative
.