GE Bently Nevada 3500/22M Improper Authorization Vulnerability

Plan PatchCVSS 10ICS-CERT ICSA-16-252-01Jun 12, 2016

GE Vernova

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

GE Bently Nevada 3500/22M monitoring units (both USB and serial versions) contain an improper authorization flaw in the authentication mechanism. An attacker can bypass access controls without credentials and modify device configuration, setpoints, or monitoring parameters. All firmware versions are affected and the vendor has not released a patch. The device is used for vibration and condition monitoring on rotating machinery and is typically installed in power generation, petrochemical, and industrial facilities.

What this means

What could happen

An attacker with network access to the Bently Nevada 3500/22M monitoring unit could bypass authentication controls and gain unauthorized access to alter vibration setpoints, disable alarms, or stop equipment monitoring—potentially allowing dangerous machinery to operate undetected.

Who's at risk

Operators of critical rotating machinery monitoring systems should care: this affects vibration monitoring units used in power plants, refineries, compressor stations, and pumping facilities. The GE Bently Nevada 3500/22M is a condition monitoring device that detects bearing wear and equipment faults—loss of integrity could mask equipment failures until catastrophic failure occurs.

How it could be exploited

An attacker sends specially crafted network requests to the device without valid credentials. The device does not properly verify authorization, allowing the attacker to directly access and modify monitoring configurations or operational parameters. This could be exploited over the network if the device is connected to an engineering workstation or control system network.

Prerequisites

Network access to the Bently Nevada 3500/22M on port 502 or standard service ports
No valid credentials required

remotely exploitableno authentication requiredlow complexityno patch availableaffects safety/monitoring systemscritical CVSS score (10.0)

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

GE Bently Nevada 3500/22M (USB version) Firmware: <5.0<5.0No fix (EOL)

GE Bently Nevada 3500/22M (serial version): vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGImplement network segmentation: isolate the Bently Nevada 3500/22M on a dedicated VLAN with firewall rules that restrict access to only authorized engineering workstations and monitoring systems

WORKAROUNDDisable remote network access to the device if not operationally required; use serial-only configuration and air-gap the unit from networked systems

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGImplement a stateful firewall or industrial demilitarized zone (DMZ) between any Bently Nevada units and corporate networks or untrusted networks

HARDENINGMonitor all network traffic to and from the Bently Nevada 3500/22M for unauthorized access attempts or configuration changes

CVEs (1)

CVE-2016-5788

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/cfd1b30a-f060-4217-bc5a-3a3015cc150d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.