CVE-2021-46592: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-46592 is a vulnerability in Bentley MicroStation CONNECT 10.16.0.80 that allows remote attackers to execute arbitrary code. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and disclosed in January 2022. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file (ZDI Advisory, Vendor Advisory).

The vulnerability exists within the parsing of 3DS files. The specific flaw results from the lack of validating the existence of an object prior to performing operations on the object, leading to a use-after-free condition. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is tracked as ZDI-CAN-15386 (ZDI Advisory).

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the current process, potentially gaining the same privileges as the logged-in user. This could lead to unauthorized access, data manipulation, or system compromise (ZDI Advisory).

Bentley has released version 10.16.02 and later to address this vulnerability. Users are recommended to update to the latest version of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open 3DS files coming from trusted sources (Vendor Advisory).