CVE-2022-29953

EUVD-2022-34260
The Bently Nevada 3700 series of condition monitoring equipment through 2022-04-29 has a maintenance interface on port 4001/TCP with undocumented, hardcoded credentials. An attacker capable of connecting to this interface can thus trivially take over its functionality.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
Affected Products (NVD)
VendorProductVersion
bakerhughesbently_nevada_3701\/40_firmware
𝑥
< 4.1
bakerhughesbently_nevada_3701\/44_firmware
𝑥
< 4.1
bakerhughesbently_nevada_3701\/46_firmware
𝑥
< 4.1
bakerhughesbently_nevada_60m100_firmware
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cisa.gov/uscert/ics/advisories/icsa-22-188-02
https://www.forescout.com/blog/
https://www.cisa.gov/uscert/ics/advisories/icsa-22-188-02
https://www.forescout.com/blog/