CVE-2022-28643: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

A vulnerability in Bentley MicroStation CONNECT 10.16.02.34 (CVE-2022-28643) allows remote attackers to execute arbitrary code. The vulnerability requires user interaction, specifically opening a malicious file. The flaw exists within the parsing of DGN files, where crafted data can trigger a write past the end of an allocated buffer (ZDI Advisory, Bentley Advisory).

The vulnerability is an out-of-bounds write issue that occurs during DGN file parsing. When a maliciously crafted DGN file is opened, it can trigger a write operation beyond the bounds of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, user interaction required, and high impacts on confidentiality, integrity, and availability (ZDI Advisory).

Successful exploitation of this vulnerability allows attackers to execute arbitrary code in the context of the current process. This could potentially lead to complete system compromise at the level of the affected application's privileges (ZDI Advisory).

Bentley has released version 10.16.03.* and more recent versions to address this vulnerability. Users are recommended to update to the latest versions of MicroStation and MicroStation-based applications. Additionally, as a best practice, users should only open DGN files from trusted sources (Bentley Advisory).