CVE DATABASE / CVE-2022-29952

CVE-2022-29952

CVSS 9.1 · CRITICAL

Summary

Bently Nevada condition monitoring equipment through 2022-04-29 mishandles authentication. It utilizes the TDI command and data protocols (60005/TCP, 60007/TCP) for communications between the monitoring controller and System 1 and/or Bently Nevada Monitor Configuration (BNMC) software. These protocols provide configuration management and historical data related functionality. Neither protocol has any authentication features, allowing any attacker capable of communicating with the ports in question to invoke (a subset of) desired functionality.

CVSS 3.1 breakdown

Base score	9.1 (CRITICAL)
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	NONE
Integrity	HIGH
Availability	HIGH

Weakness type (CWE)

CWE-306

Affected products

Bakerhughes bently nevada 3701\/40 firmwareBakerhughes bently nevada 3701\/40Bakerhughes bently nevada 3701\/44 firmwareBakerhughes bently nevada 3701\/44Bakerhughes bently nevada 3701\/46 firmwareBakerhughes bently nevada 3701\/46Bakerhughes bently nevada 60m100 firmwareBakerhughes bently nevada 60m100

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

References

Data: NIST NVD. NVD last modified 2024-11-21. Always verify against the vendor advisory before acting.