CVE-2022-28307: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

A vulnerability in Bentley View 10.16.02.022 and prior versions allows remote attackers to execute arbitrary code through maliciously crafted DXF files. The vulnerability (CVE-2022-28307) was discovered by Mat Powell of Trend Micro Zero Day Initiative and disclosed on April 12, 2022. The vulnerability affects Bentley View and MicroStation applications (ZDI Advisory, Bentley Advisory).

The vulnerability exists within the parsing of DXF files, where crafted data can trigger a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The specific flaw is classified as CWE-125 (Out-of-bounds Read) (ZDI Advisory).

An attacker who successfully exploits this vulnerability can execute code in the context of the current process. The vulnerability requires user interaction, as the target must visit a malicious page or open a malicious file (ZDI Advisory).

Bentley has released version 10.16.03.* and more recent versions to address this vulnerability. Users are recommended to update to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open DXF files coming from trusted sources (Bentley Advisory).