The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a maximum-severity vulnerability in products from Johnson Controls, a global leader in smart building technology. The flaw, tracked as CVE-2025-26385, carries a CVSS score of 10.0, the highest possible rating, which indicates a network-reachable flaw that needs no privileges or user interaction and has complete impact on confidentiality, integrity and availability.
The vulnerability strikes at the core of the Metasys building automation system, specifically affecting the Application and Data Server (ADS) and related configuration tools. If exploited, it could allow attackers to execute SQL commands remotely, potentially seizing control of the data that manages physical building environments.
The vulnerability lies in how the software processes data, allowing unauthorized actors to inject malicious SQL commands. According to the advisory, “Under certain circumstances a successful exploitation of this vulnerability could allow remote SQL execution”.
This is not merely a confidentiality risk; it is an integrity and availability risk. The advisory warns that successful exploitation could result in “alteration or loss of data,” which, in the context of building automation, could mean manipulating environmental controls, deleting historical logs, or disrupting operations entirely.
The vulnerability is widespread across the Johnson Controls ecosystem, affecting several key components of the Metasys line:
- Application and Data Server (ADS) and Extended ADX (versions ≤ Metasys 14.1).
- LCS8500 and NAE8500 engines (versions ≥ 12.0 and ≤ 14.1).
- System Configuration Tool (SCT) (versions ≤ 17.1).
- Controller Configuration Tool (CCT) (versions ≤ 17.0).
Johnson Controls and CISA are urging administrators to act immediately. The primary fix is to download and install the Metasys patch for GIV-165989 from the company’s License Portal.
However, for organizations that cannot patch immediately, the advisory offers a concrete network-level defense: “Closing incoming TCP port 1433 can protect against exploitation of this vulnerability”. TCP 1433 is the default listener port for Microsoft SQL Server, which is consistent with a flaw that is reached through the database tier behind the ADS.
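One way to apply and verify that interim mitigation on the ADS host itself, as an added example that is not part of the advisory or of Johnson Controls' own guidance. It assumes the ADS/ADX runs on Windows Server with Windows Defender Firewall enabled and SQL Server listening on its default port 1433 (all assumptions); the rule name is hypothetical. It first records who is currently connected to 1433, since those are the peers a blanket block will cut off, then adds the inbound block and confirms it is in place:

```powershell
# Added example, not code from the CISA advisory or from Johnson Controls.
# Assumptions: Metasys ADS/ADX on Windows Server, Windows Defender Firewall
# enabled, SQL Server on its default TCP port 1433. Run in an elevated session.

$Port     = 1433
$RuleName = "Metasys - Block inbound SQL Server TCP 1433"   # hypothetical rule name

# 1. Confirm something is listening on 1433 and note any established remote peers.
#    Those peers are the hosts a blanket inbound block will disconnect.
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $owner = Get-Process -Id $listener[0].OwningProcess
    "Listener on TCP $Port owned by PID $($listener[0].OwningProcess) ($($owner.ProcessName))"
} else {
    "No listener found on TCP $Port"
}
$peers = Get-NetTCPConnection -LocalPort $Port -State Established -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemoteAddress -Unique
"Established remote peers on TCP ${Port}: $($peers -join ', ')"

# 2. Block all inbound TCP 1433 (the advisory's mitigation), across every profile.
#    Remove a pre-existing copy first so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $Port -Action Block -Profile Any -Enabled True | Out-Null

# 3. Verify the rule exists, is enabled, and still targets port 1433.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$filt = $rule | Get-NetFirewallPortFilter
"{0}: Enabled={1} Direction={2} Action={3} Port={4}" -f `
    $rule.DisplayName, $rule.Enabled, $rule.Direction, $rule.Action, $filt.LocalPort
```

From a different host on the same segment, `Test-NetConnection -ComputerName <ads-host> -Port 1433` (placeholder hostname) should now report `TcpTestSucceeded : False`. Two caveats: in Windows Defender Firewall a Block rule overrides any Allow rule, so if one management host legitimately needs SQL access, do not add an Allow rule alongside this Block; instead drop the Block, create an Allow rule scoped with `-RemoteAddress` to that host, and make sure no broader Allow rule for 1433 exists so the default inbound block applies to everyone else. And a host rule is only one place to enforce this; the same port can be closed at the segment or perimeter firewall, which is where the advisory's segmentation guidance points anyway.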
Additionally, the advisory stresses the importance of network hygiene. Administrators are advised to follow the “Metasys Release 14 Hardening Guide” to ensure that every “Metasys installation is on a segmented network and not exposed to untrusted networks such as the internet”.