CVE-2022-28641: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2022-28641) was discovered in Bentley MicroStation CONNECT version 10.16.02.34 and earlier versions. The vulnerability exists within the parsing of IFC files and results from the lack of validating the existence of an object prior to performing operations on the object. This use-after-free vulnerability requires user interaction, specifically opening a malicious file or visiting a malicious page (Zero Day Initiative, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The specific flaw exists within the parsing of IFC files, where the application fails to validate the existence of an object before performing operations on it, leading to a use-after-free condition. This vulnerability is tracked as ZDI-CAN-16390 (Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of Bentley MicroStation CONNECT. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (NVD).

Bentley has released version 10.16.03 and more recent versions to address this vulnerability. Users are recommended to update to the latest version of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open IFC files coming from trusted sources (Bentley Advisory).