CVE-2021-46606: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2021-46606) was discovered in Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability exists within the parsing of BMP images and requires user interaction, specifically opening a malicious file or visiting a malicious page. The issue was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on January 31, 2022 (ZDI Advisory, Bentley Advisory).

The vulnerability stems from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is tracked as ZDI-CAN-15400 (ZDI Advisory).

A successful exploitation of this vulnerability allows attackers to execute arbitrary code in the context of the current process. This could potentially lead to complete system compromise at the level of the affected application's privileges (ZDI Advisory).

Bentley has released version 10.16.02 and later versions to address this vulnerability. Users are recommended to update to the latest version of the software. As a general best practice, it is also recommended to only open BMP files from trusted sources (Bentley Advisory).