CVE-2022-29953

The Bently Nevada 3700 series of condition monitoring equipment through 2022-04-29 has a maintenance interface on port 4001/TCP with undocumented, hardcoded credentials. An attacker capable of connecting to this interface can thus trivially take over its functionality.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
VendorProductVersion
bakerhughesbently_nevada_3701\/40_firmware
𝑥
< 4.1
bakerhughesbently_nevada_3701\/44_firmware
𝑥
< 4.1
bakerhughesbently_nevada_3701\/46_firmware
𝑥
< 4.1
bakerhughesbently_nevada_60m100_firmware
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cisa.gov/uscert/ics/advisories/icsa-22-188-02
https://www.forescout.com/blog/
https://www.cisa.gov/uscert/ics/advisories/icsa-22-188-02
https://www.forescout.com/blog/