FKIE_CVE-2025-26385
Vulnerability from fkie_nvd - Published: 2026-01-30 11:15 - Updated: 2026-04-15 00:35
Summary
The Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects:
* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
* Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects\u00a0\n\n\n\n * Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,\u00a0\n * Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,\u00a0\n * LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,\u00a0\n * System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,\u00a0\n * Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior."
},
{
"lang": "es",
"value": "El componente Metasys de Johnson Controls que se enumera a continuaci\u00f3n tiene una vulnerabilidad de neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando (inyecci\u00f3n de comandos). La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir la ejecuci\u00f3n remota de SQL. Este problema afecta a\n\n* Metasys: Servidor de Aplicaciones y Datos (ADS) instalado con SQL Express implementado como parte de la instalaci\u00f3n de Metasys 14.1 y anteriores,\n* Servidor de Aplicaciones y Datos Extendido (ADX) instalado con SQL Express implementado como parte de la instalaci\u00f3n de Metasys 14.1,\n* LCS8500 o NAE8500 instalado con SQL Express implementado como parte de la instalaci\u00f3n de Metasys Versiones 12.0 a 14.1,\n* Herramienta de Configuraci\u00f3n del Sistema (SCT) instalado con SQL Express implementado como parte de la instalaci\u00f3n de SCT 17.1 y anteriores,\n* Herramienta de Configuraci\u00f3n del Controlador (CCT) instalado con SQL Express implementado como parte de la instalaci\u00f3n de CCT 17.0 y anteriores."
}
],
"id": "CVE-2025-26385",
"lastModified": "2026-04-15T00:35:42.020",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "productsecurity@jci.com",
"type": "Secondary"
}
]
},
"published": "2026-01-30T11:15:53.467",
"references": [
{
"source": "productsecurity@jci.com",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04"
},
{
"source": "productsecurity@jci.com",
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
}
],
"sourceIdentifier": "productsecurity@jci.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "productsecurity@jci.com",
"type": "Secondary"
}
]
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.