CVE-2022-28644

7.8 HIGH

📋 TL;DR

CVE-2022-28644 is a buffer overflow vulnerability in Bentley MicroStation CONNECT that allows remote code execution when users open malicious DGN files. Attackers can exploit this to execute arbitrary code with the privileges of the current user. Users of affected Bentley MicroStation versions are at risk.

💻 Affected Systems

Products:
  • Bentley MicroStation CONNECT
Versions: 10.16.02.34 and earlier versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default when processing DGN files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to unauthorized access to sensitive engineering data, system disruption, or malware installation.

🟢 If Mitigated

Limited impact with proper security controls, potentially only application crash or denial of service.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening malicious file) but the vulnerability itself is straightforward to exploit once the malicious file is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.16.02.35 and later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0004

Restart Required: Yes

Instructions:

1. Download the latest version from Bentley's official website or update through the application's update mechanism.
2. Install the update following Bentley's installation instructions.
3. Restart the system to ensure all components are properly updated.

🔧 Temporary Workarounds

Restrict DGN file handling (Windows)

Configure the system to open DGN files only with trusted applications or in sandboxed environments.

User awareness training (all platforms)

Train users to open DGN files only from trusted sources and to verify file integrity.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Use network segmentation to isolate MicroStation systems from critical infrastructure

🔍 How to Verify

Check if Vulnerable:

Check MicroStation version via Help > About in the application interface

Check Version:

Not applicable - check through application GUI

Verify Fix Applied:

Verify version is 10.16.02.35 or later in Help > About

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing DGN files
  • Unusual process creation from MicroStation executable

Network Indicators:

  • Outbound connections from MicroStation to unexpected destinations
  • File downloads followed by MicroStation process execution

SIEM Query:

Process Creation where Image contains 'ustation.exe' AND ParentImage contains 'explorer.exe' AND CommandLine contains '.dgn'
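
The SIEM query and the "unusual process creation" log indicator above can be combined so that an alert is raised only when the MicroStation process that opened a DGN file goes on to create another program. This is an added example, not part of the original page: field names follow Sysmon process-creation events, while the `Host` field, the install path and the sample events are assumptions constructed for illustration.

```python
HOST_EXE = "ustation.exe"  # process name taken from the page's SIEM query

def _has(event, field, needle):
    """Case-insensitive 'contains', matching the query's operator."""
    return needle.lower() in event.get(field, "").lower()

def is_dgn_open(event):
    """The page's query: MicroStation started by Explorer with a .dgn argument."""
    return (_has(event, "Image", HOST_EXE)
            and _has(event, "ParentImage", "explorer.exe")
            and _has(event, "CommandLine", ".dgn"))

def is_microstation_child(event):
    """Log indicator: another program created by the MicroStation process."""
    return _has(event, "ParentImage", HOST_EXE) and not _has(event, "Image", HOST_EXE)

def correlate(events):
    """Pair each DGN open with later children of that same MicroStation PID."""
    opens, alerts = {}, []  # opens: (host, pid) -> command line that opened the file
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if is_dgn_open(ev):
            opens[(ev["Host"], ev["ProcessId"])] = ev["CommandLine"]
        elif is_microstation_child(ev):
            opened = opens.get((ev["Host"], ev["ParentProcessId"]))
            if opened:
                alerts.append({"host": ev["Host"], "time": ev["UtcTime"],
                               "opened": opened, "child": ev["Image"]})
    return alerts

def _ev(host, time, image, pid, parent, ppid, cmd):
    return {"Host": host, "UtcTime": time, "Image": image, "ProcessId": pid,
            "ParentImage": parent, "ParentProcessId": ppid, "CommandLine": cmd}

# Constructed events (not real telemetry); paths and the Host field are hypothetical.
US, EX = r"C:\Apps\MicroStation\ustation.exe", r"C:\Windows\explorer.exe"
SAMPLE = [
    _ev("WS01", "2022-05-01 10:00:00", US, 4100, EX, 900, US + r" C:\Users\a\Downloads\plan.dgn"),
    _ev("WS01", "2022-05-01 10:00:05", r"C:\Windows\System32\cmd.exe", 4200, US, 4100, "cmd.exe"),
    _ev("WS02", "2022-05-01 10:01:00", US, 5000, EX, 700, US + r" D:\Projects\bridge.DGN"),
    _ev("WS03", "2022-05-01 10:02:00", US, 6000, EX, 800, US),
    _ev("WS03", "2022-05-01 10:02:09", r"C:\Windows\System32\cmd.exe", 6100, US, 6000, "cmd.exe"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Only the WS01 pair is reported: WS02 opened a DGN file without creating a child process, and the WS03 child belongs to a MicroStation session that was not started on a DGN file.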
