PT-2026-5389 · Johnson Controls · Metasys Extended Application/Data Server and 4 further products
Published 2026-01-30 · Updated 2026-02-02 · CVE-2025-26385
| Metric | Value |
|---|---|
| CVSS v4.0 | 9.5 (Critical) |
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
Johnson Controls Metasys versions 12.0 through 14.1
Johnson Controls Metasys Application and Data Server (ADS) versions 14.1 and prior
Johnson Controls Metasys Extended Application and Data Server (ADX) version 14.1
Johnson Controls Metasys System Configuration Tool (SCT) version 17.1 and prior
Johnson Controls Metasys Controller Configuration Tool (CCT) version 17.0 and prior
Description
The affected Metasys components do not properly neutralize special elements in input that is used to build a command (CWE-77, Command Injection). According to the CVSS vector, the flaw is reachable over the network without authentication or user interaction, although attack requirements (AT:P) indicate that preconditions outside the attacker's direct control must hold. Successful exploitation could allow remote SQL execution, with high impact to the confidentiality, integrity and availability of the vulnerable system and of subsequent systems (SC:H/SI:H/SA:H). The advisory does not identify the specific component or input that is affected.
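Because the advisory does not disclose where in Metasys the injection occurs, the following is an added illustration of the weakness class and not the product's code. It shows a hypothetical device lookup that pastes caller-supplied input into SQL command text, so that a crafted value executes attacker-chosen SQL, beside a hardened version that neutralizes the input with an allowlist and binds it as a parameter. The table names, rows, regular expression and payload are constructed for the example, and SQLite stands in for the real database.

```python
import re
import sqlite3


def make_db():
    """Constructed sample inventory for the demonstration; not the product's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT NOT NULL, status TEXT NOT NULL);
        INSERT INTO devices (name, status) VALUES ('AHU-1', 'online'), ('VAV-2', 'offline');
        CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL);
        INSERT INTO users VALUES ('svc-metasys', 'Administrator');
        """
    )
    return conn


def lookup_vulnerable(conn, name):
    """Hypothetical vulnerable pattern (CWE-77 style): the caller-supplied value is
    concatenated into the command text, so quotes, comment markers and keywords
    in it are parsed as SQL rather than treated as data."""
    sql = f"SELECT id, name, status FROM devices WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """First layer of neutralization: the value is bound as a parameter, so the
    database never parses it as part of the statement."""
    return conn.execute(
        "SELECT id, name, status FROM devices WHERE name = ?", (name,)
    ).fetchall()


# Assumed identifier alphabet for device names; an allowlist, not a blocklist.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def lookup_hardened(conn, name):
    """Second layer: reject anything outside the expected alphabet before it
    reaches the command, then still bind it as a parameter."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid device name")
    return lookup_parameterized(conn, name)


# Constructed payload: closes the string literal, appends a UNION that reads the
# users table, and comments out the trailing quote of the original statement.
PAYLOAD = "x' UNION SELECT 0, name, role FROM users --"


def demo():
    """Run the payload through each variant and report what happened."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)      # attacker-chosen query executed
    try:
        lookup_hardened(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True                             # rejected before reaching SQL
    legitimate = lookup_hardened(conn, "AHU-1")    # normal input still works
    return leaked, blocked, legitimate


if __name__ == "__main__":
    leaked, blocked, legitimate = demo()
    print("vulnerable lookup returned:", leaked)
    print("hardened lookup blocked payload:", blocked)
    print("hardened lookup for AHU-1:", legitimate)
```

The parameterized query alone already returns no rows for the payload; the allowlist is a defense in depth that also stops the value from reaching other sinks (log lines, shell commands, report generators) where binding is not available.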
Recommendations
Update Johnson Controls Metasys to a version later than 14.1.
Update Johnson Controls Metasys Application and Data Server (ADS) to a version later than 14.1.
Update Johnson Controls Metasys Extended Application and Data Server (ADX) to a version later than 14.1.
Update Johnson Controls Metasys System Configuration Tool (SCT) to a version later than 17.1.
Update Johnson Controls Metasys Controller Configuration Tool (CCT) to a version later than 17.0.
Weakness Enumeration
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Identifiers
CVE-2025-26385
Affected Products
Metasys
Metasys Application/Data Server
Metasys Controller Configuration Tool
Metasys Extended Application/Data Server
Metasys System Configuration Tool