CVE-2022-28316

7.8 HIGH

📋 TL;DR

CVE-2022-28316 is a buffer overflow vulnerability in Bentley MicroStation CONNECT that allows remote code execution when users open malicious IFC files. Attackers can exploit this to execute arbitrary code with the privileges of the current user. Users of affected Bentley MicroStation versions are at risk.

💻 Affected Systems

Products:
  • Bentley MicroStation CONNECT
Versions: 10.16.02.34 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable when processing IFC files.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case: Local privilege escalation leading to unauthorized access to sensitive engineering data, system disruption, or installation of malware.

🟢 If Mitigated: Limited impact with proper network segmentation and user privilege restrictions, potentially only affecting the individual workstation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) but the vulnerability is well-documented and weaponization is likely given the RCE potential.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.16.02.35 and later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0006

Restart Required: Yes

Instructions:

1. Download the latest version from Bentley's official website or update through Bentley CONNECTION Client.
2. Install the update following Bentley's installation instructions.
3. Restart the system to complete the installation.

🔧 Temporary Workarounds

  • Restrict IFC file processing (Windows): Block or restrict processing of IFC files through application controls or file type restrictions.
  • User awareness training (all platforms): Train users to avoid opening IFC files from untrusted sources.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Restrict user privileges to limit potential damage from successful exploitation

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version in Help > About MicroStation. If version is 10.16.02.34 or earlier, the system is vulnerable.

Check Version:

In MicroStation: Help > About MicroStation

Verify Fix Applied:

Verify version is 10.16.02.35 or later in Help > About MicroStation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from MicroStation
  • Multiple failed IFC file parsing attempts
  • Abnormal memory usage patterns in MicroStation process

Network Indicators:

  • Unexpected outbound connections from MicroStation
  • File downloads of IFC files from untrusted sources

SIEM Query:

Process Creation where ParentImage contains "ustation.exe" AND CommandLine contains unusual parameters
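
The query above leaves "unusual parameters" undefined, so the following added example (not part of the original advisory or any vendor tooling) shows one way to make it concrete: flag child processes of `ustation.exe` that fall outside a baseline. It assumes Sysmon-style process-creation fields (`Image`, `ParentImage`, `CommandLine`); both name sets and all sample events are constructed placeholders.

```python
import ntpath

PARENT_NAME = "ustation.exe"  # parent image name from the SIEM query above

# ASSUMPTION: children this site expects MicroStation to start (placeholder
# baseline; replace with what your own telemetry shows).
EXPECTED_CHILDREN = {"ustation.exe", "werfault.exe"}
# ASSUMPTION: script hosts and shells a CAD application rarely needs to launch.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample events (paths, users and command lines are made up).
P = r"C:\Apps\MicroStation\ustation.exe"
SAMPLE_EVENTS = [
    {"ParentImage": P, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": P, "Image": r"C:\Windows\System32\WerFault.exe",
     "CommandLine": "WerFault.exe -u -p 4242"},
    {"ParentImage": P.upper(), "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "CommandLine": "upd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows path; empty string if missing."""
    return ntpath.basename(path or "").lower()


def triage(event):
    """Classify one process-creation event: None, 'review' or 'alert'."""
    if image_name(event.get("ParentImage")) != PARENT_NAME:
        return None  # exact name match, stricter than 'contains'
    child = image_name(event.get("Image"))
    if child in HIGH_RISK_CHILDREN:
        return "alert"
    return None if child in EXPECTED_CHILDREN else "review"


def scan(events):
    """Return (severity, child image, command line) for each flagged event."""
    hits = []
    for e in events:
        severity = triage(e)
        if severity:
            hits.append((severity, image_name(e.get("Image")), e.get("CommandLine", "")))
    return hits
```

Matching on the exact file name rather than a substring avoids hits on unrelated binaries whose names merely contain `ustation.exe`.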
