CVE-2022-28310

7.8 HIGH

📋 TL;DR

CVE-2022-28310 is a use-after-free vulnerability in Bentley MicroStation CONNECT that allows remote code execution when a user opens a malicious SKP file. Attackers can exploit this to execute arbitrary code with the privileges of the current user. This affects users of Bentley MicroStation CONNECT who open untrusted SKP files.

💻 Affected Systems

Products:
  • Bentley MicroStation CONNECT
Versions: 10.16.02.034 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable when processing SKP files.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case: Malware installation or data exfiltration when users open malicious SKP files from untrusted sources.

🟢 If Mitigated: Limited impact with proper patching and user awareness training about opening untrusted files.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via email or web downloads.
🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files via phishing or shared drives.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction to open malicious SKP file. ZDI-CAN-16339 indicates professional research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version 10.16.02.035 or later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0009

Restart Required: Yes

Instructions:

1. Download latest MicroStation CONNECT update from Bentley Systems.
2. Run installer with administrative privileges.
3. Restart system after installation completes.

🔧 Temporary Workarounds

Block SKP file extensions
Platform: Windows

Prevent processing of SKP files via application control or email filtering.

User awareness training
Platform: all

Train users not to open SKP files from untrusted sources.

🧯 If You Can't Patch

  • Implement application whitelisting to block MicroStation execution
  • Use network segmentation to isolate MicroStation systems from critical assets

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version via Help > About. If version is 10.16.02.034 or earlier, system is vulnerable.

Check Version:

Not applicable - check via GUI Help > About menu

Verify Fix Applied:

Verify version is 10.16.02.035 or later in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected MicroStation crashes when opening SKP files
  • Process creation from MicroStation with unusual command lines

Network Indicators:

  • Downloads of SKP files from untrusted sources
  • Outbound connections from MicroStation process to unknown IPs

SIEM Query:

Process creation where parent_process contains 'MicroStation' and command_line contains unusual patterns
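
One way to turn the query above into concrete triage logic, as an added example that is not part of the original advisory or any Bentley tooling. It assumes process-creation events exported with Sysmon-style field names (Computer, Image, CommandLine, ParentImage, ParentCommandLine); the list of "unusual" child programs and all sample events are constructed for illustration.

```python
import ntpath

# Assumption: programs a CAD application has little reason to launch.
UNUSUAL_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

def check_event(event):
    """Return a finding dict for a suspicious process-creation event, else None."""
    # The advisory's condition: parent_process contains 'MicroStation'.
    if "microstation" not in event.get("ParentImage", "").lower():
        return None
    child = ntpath.basename(event.get("Image", "")).lower()
    if child not in UNUSUAL_CHILDREN:
        return None
    return {
        "host": event.get("Computer", "unknown"),
        "child": child,
        "command_line": event.get("CommandLine", ""),
        # An SKP path on the parent's command line ties the alert to this CVE's file type.
        "skp_context": ".skp" in event.get("ParentCommandLine", "").lower(),
    }

def triage(events):
    """Return all findings, with SKP-related ones listed first."""
    findings = [f for f in map(check_event, events) if f]
    return sorted(findings, key=lambda f: not f["skp_context"])

# Constructed sample events: hosts, paths and command lines are invented.
MS = r"C:\Apps\MicroStation\microstation.exe"
SAMPLE_EVENTS = [
    {"Computer": "WS-01", "ParentImage": MS,
     "ParentCommandLine": MS + r" C:\Projects\bridge.dgn",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"Computer": "WS-02", "ParentImage": MS,
     "ParentCommandLine": MS + r" C:\Users\demo\Downloads\site_plan.SKP",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File task.ps1"},
    {"Computer": "WS-03", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"Computer": "WS-02", "ParentImage": MS, "ParentCommandLine": MS,
     "Image": r"C:\Apps\MicroStation\helper.exe", "CommandLine": "helper.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Tune the child-program list against a baseline of what MicroStation legitimately launches in your environment before alerting on it.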
