Johnson Controls Vulnerability Exposes Smart Buildings to Remote SQL Injection (CVSS 10)

  • Jan 30
  • 2 min read

Key Findings


  • Johnson Controls' Metasys building automation system contains a critical vulnerability (CVE-2025-26385) with a CVSS score of 10.

  • The flaw allows remote SQL injection, potentially enabling attackers to execute commands and take control of building environments.

  • The vulnerability affects multiple Metasys components, including the Application and Data Server (ADS), Extended ADX, and various configuration tools.

  • Successful exploitation could result in data alteration or loss, manipulation of environmental controls, and disruption of building operations.


Background


Johnson Controls is a global leader in smart building technology, with its Metasys system widely used to automate and manage building environments. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical vulnerability in the Metasys system that could have severe consequences for affected organizations.


Vulnerability Details


The vulnerability, tracked as CVE-2025-26385, is a remote SQL injection flaw that allows attackers to execute malicious SQL commands on the affected systems. The vulnerability lies in the way the Metasys software processes data, providing a path for unauthorized actors to inject malicious SQL code.


Potential Impact


If exploited, the vulnerability could allow attackers to seize control of the data that manages physical building environments. This could lead to the alteration or loss of data, manipulation of environmental controls, deletion of historical logs, and disruption of building operations entirely.


Affected Components


The vulnerability is widespread across the Johnson Controls ecosystem, affecting several key components of the Metasys line:


  • Application and Data Server (ADS) and Extended ADX (versions ≤ Metasys 14.1)

  • LCS8500 and NAE8500 engines (versions ≥ 12.0 and ≤ 14.1)

  • System Configuration Tool (SCT) (versions ≤ 17.1)

  • Controller Configuration Tool (CCT) (versions ≤ 17.0)


Mitigations and Recommendations


Johnson Controls and CISA are urging administrators to act immediately to address this vulnerability. The primary fix is to download and install the Metasys patch for GIV-165989 from the company's License Portal.


For organizations that cannot patch immediately, the advisory offers a concrete network-level defense: "Closing incoming TCP port 1433 can protect against exploitation of this vulnerability." TCP 1433 is the default listening port for Microsoft SQL Server, which is consistent with the SQL injection attack vector described.


Additionally, the advisory stresses the importance of network hygiene. Administrators are advised to follow the "Metasys Release 14 Hardening Guide" to ensure that every "Metasys installation is on a segmented network and not exposed to untrusted networks such as the internet".
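As an added example (not code from Johnson Controls, CISA or the advisory), the following script turns the two actionable items above into a triage check: it maps a constructed asset inventory against the affected version ranges listed in this post, and scans constructed firewall log lines for inbound TCP/1433 connections arriving from outside an assumed segmented BAS network (10.10.0.0/16). The key=value log format, the management subnet and the inventory entries are all assumptions.

```python
from ipaddress import ip_address, ip_network

# Affected ranges for CVE-2025-26385 as listed in this post: (min inclusive, max inclusive).
# A None minimum means "every version up to the maximum". Compared on major.minor only.
AFFECTED = {
    "ADS": (None, (14, 1)),
    "ADX": (None, (14, 1)),
    "LCS8500": ((12, 0), (14, 1)),
    "NAE8500": ((12, 0), (14, 1)),
    "SCT": (None, (17, 1)),
    "CCT": (None, (17, 0)),
}

# Assumption: the segmented building-automation network that may legitimately reach SQL Server.
MANAGEMENT_NETS = [ip_network("10.10.0.0/16")]


def parse_version(text):
    """Turn '14.1' or '12.0.3' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(component, version):
    """True if this Metasys component/version falls inside an affected range."""
    rng = AFFECTED.get(component.upper())
    if rng is None:
        return False  # component not named in the advisory summary
    lo, hi = rng
    v = parse_version(version)
    if lo is not None and v < lo:
        return False
    return v[:len(hi)] <= hi  # e.g. 14.1.x still counts as <= 14.1 until patched


def exposed_sql_connections(log_lines):
    """Return (src, dst) for inbound TCP/1433 flows whose source is outside the segmented network."""
    hits = []
    for line in log_lines:
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if f.get("dir") != "in" or f.get("proto") != "tcp" or f.get("dport") != "1433":
            continue
        if not any(ip_address(f["src"]) in net for net in MANAGEMENT_NETS):
            hits.append((f["src"], f["dst"]))
    return hits


# Constructed sample data (not from the advisory): an inventory and three firewall log lines.
INVENTORY = [("ADS", "14.1"), ("NAE8500", "11.5"), ("SCT", "17.2"), ("CCT", "17.0"), ("LCS8500", "13.0")]
SAMPLE_LOG = [
    "dir=in proto=tcp src=10.10.5.20 dst=10.10.1.10 dport=1433 action=allow",
    "dir=in proto=tcp src=203.0.113.7 dst=10.10.1.10 dport=1433 action=allow",
    "dir=in proto=tcp src=198.51.100.9 dst=10.10.1.10 dport=443 action=allow",
]


def triage():
    """Return (affected inventory entries, externally reachable TCP/1433 flows)."""
    return [(c, v) for c, v in INVENTORY if is_affected(c, v)], exposed_sql_connections(SAMPLE_LOG)
```

Affected entries need the Metasys patch for GIV-165989; any flow returned by exposed_sql_connections indicates TCP 1433 is still reachable from outside the segmented network.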


Sources


  • https://securityonline.info/smart-buildings-at-risk-critical-johnson-controls-flaw-cvss-10-allows-remote-sql-injection/

  • https://securityaffairs.com/187496/security/smartertools-patches-critical-smartermail-flaw-allowing-code-execution.html

© 2025 by Explain IT Again. Powered and secured by Wix