CVE-2025-26385
published 2026-01-30

CVE-2025-26385: Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability…

Priority: P2 64 · Severity: critical · CVSS 4.0 base score: 9.5
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (all threat, environmental and supplemental metrics not defined: E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS: 1.44% (69.9th percentile)
Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects:


* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
* Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.

Affected: 5 ranges

Vendor | Product | Version range | Fixed in
johnson_controls | metasys | (not listed) | (not listed)

All five ranges list the same vendor and product; the version range and fixed-in columns are empty on this record, so refer to the component list above for the affected releases.

Detection & IOCs (extracted from sources)

Port: 1433
  • CVE-2025-26385 is a command injection (CWE-77) vulnerability enabling remote SQL execution against Johnson Controls Metasys components that have SQL Express installed. Network-level detection should focus on unsolicited or anomalous inbound connections to TCP/1433 from untrusted/internet-facing sources targeting Metasys ADS, ADX, LCS8500, NAE8500, SCT, or CCT hosts.
  • Exploitation results in remote SQL execution leading to alteration or loss of data; monitor SQL Express logs on affected Metasys hosts for unexpected DDL/DML commands or privilege escalation activity originating from non-local addresses.
  • The vulnerability only applies when SQL Express is co-deployed as part of the Metasys/SCT/CCT installation; standalone or externally-hosted SQL Server configurations may not be affected in the same way.
  • The CVSS 3.1 score is 10.0 (Critical) with network vector, no authentication, and no user interaction required (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), meaning the attack surface is fully remote and unauthenticated.
  • The patch (GIV-165989) is available via the Johnson Controls License Portal and requires login credentials to download; verify patch applicability per the Metasys Release 14 Hardening Guide.
  • No known public exploitation had been reported at the time of advisory publication; threat intelligence should be monitored for changes in exploitation status.