Key Findings Johnson Controls' Metasys building automation system contains a critical vulnerability (CVE-2025-26385) with a CVSS score of 10. The flaw allows remote SQL injection, potentially enabling attackers to execute commands and take control of building environments. The vulnerability affects multiple Metasys components, including the Application and Data Server (ADS), Extended ADX, and various configuration tools. Successful exploitation could result in data alteration
