CVE-2025-26385
published 2026-01-30CVE-2025-26385: Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability…
PriorityP264critical9.5CVSS 4.0
AVNACLATPPRNUINVCHVIHVAHSCHSIHSAHEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
1.44%
69.9th percentile
Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects * Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation, * Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation, * LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1, * System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior, * Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| johnson_controls | metasys | — | — |
| johnson_controls | metasys | — | — |
| johnson_controls | metasys | — | — |
| johnson_controls | metasys | — | — |
| johnson_controls | metasys | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2025-26385 is a command injection (CWE-77) vulnerability enabling remote SQL execution against Johnson Controls Metasys components that have SQL Express installed. Network-level detection should focus on unsolicited or anomalous inbound connections to TCP/1433 from untrusted/internet-facing sources targeting Metasys ADS, ADX, LCS8500, NAE8500, SCT, or CCT hosts. ↗
- →Exploitation results in remote SQL execution leading to alteration or loss of data; monitor SQL Express logs on affected Metasys hosts for unexpected DDL/DML commands or privilege escalation activity originating from non-local addresses. ↗
- ·Vulnerability only applies when SQL Express is co-deployed as part of the Metasys/SCT/CCT installation; standalone or externally-hosted SQL Server configurations may not be affected in the same way. ↗
- ·CVSS 3.1 score is 10.0 (Critical) with network vector, no authentication, and no user interaction required (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), meaning the attack surface is fully remote and unauthenticated. ↗
- ·Patch (GIV-165989) is available via the Johnson Controls License Portal and requires login credentials to download; ensure patch applicability is verified per the Metasys Release 14 Hardening Guide. ↗
- ·No known public exploitation has been reported at time of advisory publication; threat intelligence should be monitored for changes in exploitation status. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Johnson Controls Metasys Products
cisa_ics·2026-01-27·CVSS 9.5
[CRITICAL] Johnson Controls Metasys Products
ICS Advisory
##
Johnson Controls Metasys Products
Release DateJanuary 27, 2026
Alert CodeICSA-26-027-04
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## Summary
Successful exploitation of this vulnerability could result in remote SQL execution, leading to alteration or loss of data.
The following versions of Johnson Controls Metasys Products are affected:
- Metasys Application and Data Server (ADS) (CVE-2025-26385)
- Metasys Extended Application and Data Server (ADX) (CVE-2025-26385)
- Metasys LCS8500 (CVE-2025-26385)
- Metasys NAE8500 (CVE-2025-26385)
- Metasys System Configuration Tool (SCT) (CVE-2025-26385)
- Metasys Controller Configuration Tool (CCT) (CVE-2025-26385)
CVSS
Vendor
Equipment
Vulnerab
GHSA
GHSA-r8f6-f62h-4px7: Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability
ghsa_unreviewed·2026-01-30
CVE-2025-26385 [CRITICAL] CWE-77 GHSA-r8f6-f62h-4px7: Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability
Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects
* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
* Controller Configuration Tool (CCT) installed with S
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-01-30
Published