Command Injection Vulnerability in Johnson Controls Metasys and Related Tools
CVE-2025-26385

9.5CRITICAL

Key Information:

Vendor

Johnson Controls

Status
Metasys
Vendor
CVE Published:
30 January 2026

What is CVE-2025-26385?

A command injection vulnerability has been identified in several Johnson Controls Metasys components. This flaw allows an attacker to manipulate commands by exploiting improper neutralization of special elements. If successfully executed, this vulnerability could lead to unauthorized remote SQL execution, thereby compromising the integrity and security of the affected systems. Key products affected include the Metasys Application and Data Server, Extended Application and Data Server, and various tools integrated with SQL Express, as detailed in the advisory.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Metasys Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation

Metasys Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation

Metasys LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-0...
https://www.johnsoncontrols.com/trust-center/cybersecurit...

CVSS V4

Score:
9.5
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.