OTPulse

Bently Nevada ADAPT 3701/4X Series and 60M100

Act Now · 9.1 · ICS-CERT ICSA-22-188-02 · Jul 7, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Bently Nevada 3701/40, 3701/44, and 3701/46 machinery protection monitors contain hardcoded credentials in firmware and an unauthenticated diagnostics port. Bently Nevada 60M100 (3701/60) has a similar issue with Ethernet Port B enabling access to port 4001/TCP for diagnostics purposes. Both product lines are vulnerable to file manipulation, remote code execution, and denial-of-service attacks via these hardcoded credentials and unauthenticated ports. The 3701/4x series can be patched to Version 4.1.1712.0601 or higher, which disables the diagnostics port and removes hardcoded credentials. The 60M100 is approaching end-of-life with no patch planned; users should avoid connecting Port B during normal operation and plan migration to replacement equipment.

What this means
What could happen
An attacker with network access to the diagnostics port could execute arbitrary code on the machinery protection monitor, manipulate vibration data, or halt monitoring operations entirely, leaving rotating equipment unprotected.
Who's at risk
Water utilities and power plants that rely on Bently Nevada 3701/40, 3701/44, 3701/46, or 60M100 machinery protection monitors for rotating equipment supervision (pumps, motors, turbines, compressors). These devices are critical for early detection of bearing wear, misalignment, and other mechanical failures that could lead to unplanned outages.
How it could be exploited
An attacker on the network sends commands to the diagnostics port (4001/TCP on 60M100) or accesses the 3701/4x series through default hardcoded credentials embedded in the firmware. No authentication is required. The attacker can then run arbitrary commands on the device or manipulate its configuration and monitoring behavior.
Prerequisites
  • Network access to port 4001/TCP (60M100) or to the diagnostics port on the 3701/4x series
  • No credentials required; exploits hardcoded credentials in firmware or unauthenticated diagnostics interface
  • Device must be reachable from the attacker's network position
Remotely exploitable · No authentication required · Hardcoded credentials in firmware · Default diagnostics port enabled · No patch available for 60M100 · Affects equipment monitoring systems · High CVSS (9.1)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
3 with fix · 1 EOL
Product | Affected Versions | Fix Status
Bently Nevada 3701/40: All | < 4.1 | 4.1.1712.0601
Bently Nevada 3701/44: All | < 4.1 | 4.1.1712.0601
Bently Nevada 60M100 (3701/60): All versions | All versions | No fix (EOL)
Bently Nevada 3701/46: All | < 4.1 | 4.1.1712.0601
Remediation & Mitigation
Do now
WORKAROUND: For Bently Nevada 60M100, isolate Ethernet Port B from normal operation and do not connect during routine monitoring; plan migration to replacement hardware
HARDENING: Place all Bently Nevada machinery protection monitors on a dedicated, firewalled network segment isolated from business networks and the Internet
HARDENING: Restrict network access to the diagnostics ports to authorized engineering and maintenance personnel only; use firewall rules to block external access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Bently Nevada 3701/40, 3701/44, and 3701/46 to Version 4.1.1712.0601 or higher
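
An inventory triage that applies the fix status and remediation steps above, as an added example (not part of the advisory or any vendor tooling). The asset tags, record fields and firmware strings in the sample inventory are constructed assumptions.

```python
# Added example: map each monitor in an asset inventory to the advisory's action.
FIXED = (4, 1, 1712, 601)   # 4.1.1712.0601, the fixed version named in the advisory
PATCHABLE = {"3701/40", "3701/44", "3701/46"}
EOL = {"60M100", "3701/60"}  # no patch planned

def parse_version(text):
    """Turn '4.0.1650.0412' into (4, 0, 1650, 412); return None if unparsable."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    # Pad short strings such as '4.1' with zeros so they compare as below the
    # fix: an imprecise version is treated as unpatched until verified.
    return nums + (0,) * (4 - len(nums))

def triage(asset):
    model = asset["model"]
    if model in EOL:
        if asset.get("port_b_connected"):
            return "ACT: disconnect Ethernet Port B (4001/TCP), plan migration"
        return "PLAN: no fix (EOL), keep Port B disconnected, plan migration"
    if model in PATCHABLE:
        ver = parse_version(asset.get("firmware", ""))
        if ver is None:
            return "CHECK: firmware version unknown, verify on device"
        if ver < FIXED:
            return "PATCH: upgrade to 4.1.1712.0601 or higher"
        return "OK: at or above fixed version"
    return "N/A: not covered by this advisory"

INVENTORY = [  # constructed sample records, not real devices
    {"tag": "P-101", "model": "3701/40", "firmware": "4.0.1650.0412"},
    {"tag": "T-201", "model": "3701/46", "firmware": "4.1.1712.0601"},
    {"tag": "C-301", "model": "60M100", "port_b_connected": True},
    {"tag": "M-401", "model": "3701/44", "firmware": ""},
]

def report(inventory):
    return {a["tag"]: triage(a) for a in inventory}

if __name__ == "__main__":
    for tag, action in report(INVENTORY).items():
        print(f"{tag}: {action}")
```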