CVE-2021-46574

7.8 HIGH

📋 TL;DR

This is a remote code execution vulnerability in Bentley MicroStation CONNECT software. Attackers can execute arbitrary code by tricking users into opening malicious JT files. Users of affected Bentley MicroStation versions are at risk.

💻 Affected Systems

Products:
  • Bentley MicroStation CONNECT
Versions: 10.16.0.80 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with JT file parsing capability are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to data exfiltration, installation of backdoors, or disruption of engineering workflows.

🟢 If Mitigated

Limited impact with proper network segmentation, application whitelisting, and user training preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

User interaction required (opening malicious file), but exploitation is straightforward once the file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.16.0.80 or later with security updates

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005

Restart Required: Yes

Instructions:

1. Download the latest MicroStation CONNECT update from Bentley's official website.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.

🔧 Temporary Workarounds

Disable JT file association (Windows)

Remove the JT file type association with MicroStation to prevent automatic opening:

Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jt > Change program > Choose another application

Application control policy (Windows)

Use Windows AppLocker or similar to restrict MicroStation execution to trusted locations.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MicroStation workstations
  • Deploy email/web filtering to block JT files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the MicroStation version via Help > About MicroStation. If the version is 10.16.0.80 or earlier, the system is vulnerable.

Check Version:

In MicroStation: Help > About MicroStation

Verify Fix Applied:

Verify that the version is updated beyond 10.16.0.80 and check the Bentley security advisory for specific patch details.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process crashes of MicroStation.exe
  • Unusual file access patterns for .jt files
  • Suspicious child processes spawned from MicroStation

Network Indicators:

  • Unexpected outbound connections from MicroStation workstations
  • JT file downloads from untrusted sources

SIEM Query:

Process creation where parent_process_name contains 'MicroStation' AND (process_name NOT IN ('expected_child_processes'))
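
The query above, worked through as an added Python example (not part of the original advisory or any vendor tooling). The event field names `parent_image` and `image`, the sample paths, and the `expected_helper.exe` baseline entry are constructed assumptions; replace the baseline with child processes observed in your own environment.

```python
import ntpath

# Site-specific baseline of child processes MicroStation is expected to start.
# Placeholder entry (assumption); build the real list from your own telemetry.
EXPECTED_CHILDREN = {"expected_helper.exe"}


def image_name(path):
    """Lower-cased file name from a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def unexpected_children(events, expected=EXPECTED_CHILDREN):
    """Return process-creation events whose parent process name contains
    'microstation' and whose child image is not in the expected baseline."""
    baseline = {name.lower() for name in expected}
    hits = []
    for event in events:
        parent = image_name(event.get("parent_image"))
        child = image_name(event.get("image"))
        # Windows file names are case-insensitive, so compare lower-cased.
        if "microstation" in parent and child not in baseline:
            hits.append(event)
    return hits


# Constructed sample events; hosts and paths are illustrative only.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": r"C:\Apps\MicroStation\MicroStation.exe",
     "image": r"C:\Apps\MicroStation\expected_helper.exe"},
    {"host": "ws-02", "parent_image": r"C:\Apps\MicroStation\MICROSTATION.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-02", "parent_image": r"C:\Apps\MicroStation\MicroStation.exe",
     "image": r"C:\Apps\MicroStation\Expected_Helper.EXE"},
]

if __name__ == "__main__":
    for hit in unexpected_children(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']}: {hit['parent_image']} -> {hit['image']}")
```

An empty baseline flags every child of MicroStation, which is a useful first pass for building the expected list before alerting on it.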
