Key Vulnerability Information

Advisory ID: ZDI-22-177, ZDI-CAN-15384
CVE ID: CVE-2021-46590
CVSS Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Affected Vendor: Bentley
Affected Product: MicroStation CONNECT

Vulnerability Details:
- The vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT.
- The flaw exists within the parsing of JT files. Crafted data in a JT file can trigger a read past the end of an allocated buffer.
- User interaction is required to exploit this vulnerability.

Additional Details:
- Bentley has issued an update to correct this vulnerability. More details can be found at: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005

Disclosure Timeline:
- 2021-10-01: Vulnerability reported to vendor
- 2022-01-31: Coordinated public release of advisory

Credit: Mat Powell of Trend Micro Zero Day Initiative