Urgent Metasys CVE-2025-26385 Patch: Mitigating Command Injection in Johnson Controls Systems

A critical, high‑impact vulnerability in Johnson Controls’ Metasys product line — tracked as CVE‑2025‑26385 in vendor advisories — demands immediate attention from building‑automation teams, Windows administrators, and any organization that uses Metasys ADS/ADX servers, LCS/NAE appliances or the System and Controller Configuration Tools. The flaw is effectively a command‑injection vector that can lead to remote SQL execution, full data alteration or loss, and a complete compromise of the Metasys management environment if left exposed; Johnson Controls and U.S. federal partners have published emergency mitigations and an immediate patch path for affected installations.

Background / Overview

Johnson Controls’ Metasys platform underpins building automation for thousands of sites worldwide. It combines server products such as the Application and Data Server (ADS) and Extended ADS (ADX) with field appliances like LCS8500 and NAE8500, plus engineering tools — System Configuration Tool (SCT) and Controller Configuration Tool (CCT) — used by integrators and facilities teams to configure networks, controllers and databases. Recent coordinated vendor and government advisories identify a severe command‑injection vulnerability in Metasys components and management tools.
CISA classifies the issue in the same family of ICS/OT advisories that require urgent protective action for critical facilities and transportation systems; the reported exploitability profile indicates a network‑accessible vector with low complexity and high impact to confidentiality, integrity and availability. Vendor documentation cites a high severity score (advisory material indicates a maximum severity rating) and recommends both an immediate vendor patch and short‑term network mitigation steps.
Why Windows administrators should care: Metasys servers and many engineering tools run on Windows hosts and integrate with enterprise SQL Server back ends. A successful attack can be initiated remotely against exposed management endpoints or database listeners, and attackers who gain a foothold can use Windows‑based management hosts as pivot points into adjacent networks. The remediation plan therefore involves both vendor‑supplied patches and standard Windows/SQL hardening.

What’s affected (Products & versions)

Johnson Controls’ advisory identifies several Metasys products and tooling as affected. The vendor lists affected firmware and software ranges (note: always confirm the exact mapping for your serial numbers and build strings on Johnson Controls’ PSA page before you remediate):
  • Application and Data Server (ADS) — Metasys releases up to and including the release named in the PSA.
  • Extended Application and Data Server (ADX) — Metasys 14.1.
  • LCS8500 and NAE8500 appliances — release windows that include Metasys installs up through 14.1.
  • System Configuration Tool (SCT) — versions up to and including 17.1.
  • Controller Configuration Tool (CCT) — versions up to and including the version named in the PSA.
The advisory lists the issue as Improper Neutralization of Special Elements used in a Command (CWE‑77) — effectively a command‑injection category — that under certain configurations allows remote execution of SQL statements and, consequently, arbitrary changes to database content. CISA and the vendor’s PSA recommend treating the flaw as critical for systems that expose management interfaces or database listeners to untrusted networks.

Technical analysis — how the flaw is dangerous

The vulnerability class and attack surface

At its core, CVE‑2025‑26385 is a command‑injection style flaw. Where user or network input gets concatenated into operating system commands or database calls without sufficient sanitization or parameterization, an attacker can inject SQL fragments or shell metacharacters that the application executes. In Metasys’ case, vendor advisories describe conditions where remote input can reach SQL execution paths — producing the ability to run arbitrary SQL commands on backend databases, manipulate records, and potentially corrupt logs, configuration tables, or credentials.
Two practical exploitation vectors are especially notable:
  • Remote HTTP/API endpoints used by management tools or web consoles that accept user‑controllable parameters which are passed downstream into SQL calls. These are high‑value targets because they are exposed to networked integrators, maintenance consoles and — in some environments — the internet.
  • Direct access to SQL Server listeners (default TCP 1433) from untrusted networks, where an attacker could exploit stored procedures, misconfigured permissions, or concatenated SQL in application code. Closing or filtering access to TCP 1433 is a recommended mitigation because it blocks remote access to SQL Server endpoints that may be leveraged for SQL injection or remote SQL execution attacks.

Realistic impact scenarios

  • Data manipulation: An attacker can alter setpoints, schedules, user permissions, or credentials stored in SQL tables, causing wrong HVAC setpoints and thresholds — potentially creating safety and operational disruptions.
  • Operational disruption: Deletion or corruption of historical logs or configuration data can hamper incident response and cause outages while systems are rebuilt from backups.
  • Lateral movement: Compromise of a Metasys server running on Windows can let an attacker move laterally to domain resources, especially when engineering hosts have domain access or weak segmentation.

Vendor guidance and the canonical remediation path

Johnson Controls has published a Product Security Advisory (PSA) and recommends a two‑track response: immediate mitigations and a vendor‑released patch. The vendor specifically advises:
  • Download and apply the Metasys patch identified as GIV‑165989 from the Johnson Controls License Portal (portal access requires valid credentials). This patch is the vendor’s canonical remediation artifact for the issue. Note: access to the license portal and the patch file is controlled by Johnson Controls; if you do not have portal access, coordinate with your Johnson Controls account representative or an authorized integrator.
  • Follow the Metasys Release 14 Hardening Guide to ensure Metasys installations are deployed on segmented networks and not exposed to untrusted networks such as the internet. This includes standard ICS/OT segmentation, dedicated management VLANs, and restricting management access to known jump hosts.
  • Block incoming TCP port 1433 (the default Microsoft SQL Server port) at network perimeters and segment database listeners to trusted subnets. This reduces the chance that an unauthenticated remote actor can reach SQL Server directly.
CISA echoes these recommendations and adds standard ICS defensive practices: minimize network exposure, place control networks behind firewalls, use secure remote access (VPNs or jump hosts, with strong MFA and up‑to‑date clients), and perform impact/risk assessments before deploying mitigations that could affect availability. CISA’s ICS guidance has been the baseline for previous Metasys advisories and applies here as well.
Important practical note: the patching process for Metasys is not a one‑click action for many organizations. It often requires coordination with building operations, planned maintenance windows, and careful rollback plans because changes to controller configurations, database schemas or service restarts can affect facility availability. Johnson Controls’ PSAs and CISA guidance stress inventory, isolation and staged patching as the immediate triage steps.

Attack surface reduction — step‑by‑step remediation checklist (for Windows and IT teams)

The following steps prioritize safety, speed and evidence‑based risk reduction. Treat the list as an operational playbook to be executed within the first 72 hours and then iterated as you apply vendor patches and conduct verification.
  • Inventory (0–8 hours)
      • Identify every Metasys host, ADS/ADX server, LCS/NAE appliance, and any engineering tools (SCT/CCT) on your network. Include host OS versions, Metasys release strings, IPs, and whether each host exposes management services externally. Use CMDB data, active network scans and asset‑discovery tooling.
  • Contain (0–24 hours)
      • Remove any direct internet exposure immediately. Revoke NAT rules and firewall aliases that forward management ports to ADS/ADX or engineering tools. Place hosts on a segregated VLAN accessible only from approved management jump hosts.
      • Block incoming TCP 1433 at the edge and internal firewalls except for necessary, explicitly approved management subnets. This prevents remote SQL listeners from being directly reachable.
  • Apply short‑term mitigations (24–72 hours)
      • Disable any unused services (embedded web servers, admin APIs) on Metasys management hosts as per vendor hardening guidance. Enforce least privilege for service accounts and rotate credentials used by Metasys services.
      • If you cannot immediately patch, restrict Metasys management traffic to a single, hardened jump host with MFA and updated EDR/AV. Treat jump hosts like sensitive admin infrastructure — limit remote desktop exposure and enforce endpoint compliance checks.
  • Patch and validate (days)
      • Obtain and install the vendor patch (GIV‑165989) from Johnson Controls’ License Portal, following the vendor’s documented procedure and performing updates in a test environment first when possible. If you cannot find the patch or cannot access the portal, contact your Johnson Controls account representative or authorized integrator immediately.
      • After patching, verify system integrity: check firmware and software versions, compare file checksums against vendor‑provided hashes, ensure services come up correctly and validate that historical logs and configuration tables are intact.
  • Monitor
      • Create SIEM alerts for unexpected SQL queries, failed authentications, sudden service restarts, or configuration changes. Hunt for indicators of compromise such as unexpected outbound connections or new admin accounts.
  • Report and coordinate
      • If you suspect exploitation, preserve logs and images, isolate affected hosts, and follow your incident response plan. Notify Johnson Controls Product Security and CISA as appropriate per your sector rules.
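The "block TCP 1433 except from approved management subnets" step above, done on the Windows host itself. This is an added example, not code from the advisory or from Johnson Controls; the subnet list, rule names and the assumption that the host firewall is in use are mine.

```powershell
# Added example (not from the advisory or Johnson Controls): scope the SQL Server
# listener on a Windows Metasys/SQL host to approved management subnets using the
# built-in Windows Firewall. $ApprovedSubnets and the rule names are assumptions.
$ApprovedSubnets = @('10.10.50.0/24', '10.10.51.10')   # assumed jump-host subnets
$SqlPort         = 1433
$RulePrefix      = 'Metasys SQL 1433'

# 1. Evidence first: what is bound to or connected on 1433 right now?
Get-NetTCPConnection -LocalPort $SqlPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, State, OwningProcess |
    Format-Table -AutoSize

# 2. Remove earlier copies of our rule so the script is safe to re-run.
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Allow inbound TCP 1433 only from the approved subnets.
New-NetFirewallRule -DisplayName "$RulePrefix - allow mgmt subnets" `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $ApprovedSubnets -Action Allow -Profile Any | Out-Null

# 4. Windows Firewall evaluates Block rules before Allow rules, so instead of a
#    blanket block we disable every OTHER enabled inbound allow rule that opens
#    1433 (installers often add a broad "SQL Server" rule) ...
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$SqlPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                   $_.Action -eq 'Allow' -and $_.DisplayName -notlike "$RulePrefix*" } |
    Disable-NetFirewallRule

# 5. ... and make "block by default" explicit on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 6. Verify: every enabled inbound rule that still touches 1433 should be ours.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$SqlPort" } |
    Get-NetFirewallRule | Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Direction, Action, Profile | Format-Table -AutoSize
```

If the Metasys ADS/ADX application talks to SQL Server over the network, its address must be in $ApprovedSubnets or the application will lose its database. This host‑level rule complements, rather than replaces, the perimeter block the advisory calls for.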

Strengths of the vendor and government response

  • Rapid coordination: Johnson Controls has published product security advisories and the company is coordinating with CISA and other national authorities to republish and amplify the technical details. This gives operators a canonical remediation path.
  • Available fixes for many SKUs: Vendor advisories indicate patch artifacts exist for affected Metasys releases and related tooling; where fixes are available, installing them materially reduces exploitation risk.
  • Practical mitigations: CISA’s standard ICS mitigations (segmentation, firewalls, hardened jump hosts, and minimizing internet exposure) are actionable and can be applied quickly to reduce exposure while patches are staged.

Gaps, cautions and operational risks

  • Version fragmentation and advisory drift: Multiple advisories and different CVE identifiers can appear across vendor and third‑party writeups, which complicates compliance and ticketing processes. Always rely on the vendor PSA for the exact patch file and the precise firmware/software string that applies to your serial codes. If your compliance process requires NVD/CVE references, verify the CVE mapping against NVD entries after the vendor’s PSA is published.
  • License portal access and patch distribution: The vendor patch (GIV‑165989) is distributed through a license portal that requires credentials; organizations without an active support relationship or portal credentials may face delays. Plan for provisioning access or coordinating with your integrator. If the portal download is not immediately available to you, treat blocking TCP 1433 and strict segmentation as mandatory stopgaps.
  • Operational disruption risk from patching: Applying Metasys updates can require service restarts or maintenance windows that affect building operations. Poorly coordinated updates can cause outages or degrade safety monitoring; ensure rollback procedures and physical safety implications are understood before you patch.
  • Unverifiable claims and identifiers: In some cases advisory packets include vendor‑internal identifiers or early CVE assignments that haven’t yet appeared in public NVD feeds. Treat such identifiers with caution and verify canonical CVE and NVD records for compliance evidence. If an advisory references an internal patch ID or unusual artifact (for example, a GIV number or internal package code), confirm it with Johnson Controls before relying on it.

For Windows teams: hardening checklist and SQL Server specifics

Because many Metasys installations run on Windows and use Microsoft SQL Server, Windows administrators should treat this as both a patching and infrastructure hardening exercise.
  • Harden Windows Metasys hosts:
      • Ensure Windows Update, .NET runtime and all Metasys service accounts are current and patched.
      • Use EDR/AV with up‑to‑date signatures; enable host‑based firewalls and restrict inbound rules to management subnets.
  • Harden SQL Server:
      • Block external access to TCP port 1433 except where explicitly required and approved. 1433 is the default SQL Server engine port and is frequently scanned and brute‑forced if exposed. Restrict access via firewall rules and VPN‑only paths.
      • Use least privilege for SQL service accounts; disable the SA account and require strong passwords for any admin SQL accounts. Audit and rotate any credentials Metasys uses to connect to databases.
      • Disable dangerous SQL features (e.g., xp_cmdshell) unless explicitly required and carefully controlled. Monitor for unusual or ad‑hoc stored procedures created outside change control.
  • Operational controls:
      • Use hardened jump hosts with MFA for any access to Metasys servers; avoid connecting from general‑purpose admin desktops. Maintain a separate management VLAN for OT management traffic.

Detection, verification and forensic suggestions

If you suspect previous exploitation or want to confirm a clean remediation, consider the following investigative steps:
  • Compare installed Metasys binaries and firmware checksums with vendor‑supplied hashes and confirmed patched images.
  • Review SQL Server logs for unusual DDL/DML operations, large DELETE or TRUNCATE statements, or unexpected CREATE PROCEDURE events around the time of suspected activity.
  • Collect Windows event logs, service start/stop times, and network capture of sessions to look for suspicious outbound connections or C2 behavior.
  • If you find artifacts that indicate tampering (unexpected admin accounts, changed firmware, or unknown scheduled tasks), isolate the host and coordinate with vendor PSIRT for signed images and restoration guidance.
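One script that covers both the SQL Server hardening items (xp_cmdshell, the SA login, privileged accounts) and the SQL‑side forensic checks (recently created or altered stored procedures, failed logins). It is an added example, not vendor or CISA code; it assumes the SqlServer PowerShell module (Invoke‑Sqlcmd), a login with sysadmin or VIEW SERVER STATE rights, and the instance name and look‑back window shown.

```powershell
# Added example, not vendor code: audit a Metasys SQL Server back end for the
# hardening items above and collect simple tamper indicators. Needs the SqlServer
# PowerShell module (Invoke-Sqlcmd) and a sysadmin / VIEW SERVER STATE login.
# $Instance and $LookbackDays are assumptions; set them for your environment.
$Instance     = 'METASYS-ADX'   # assumed instance name
$LookbackDays = 14

function Get-MetasysSqlAudit {
    param([string]$ServerInstance, [int]$Days)
    # Small helper: run a query against one database on the target instance.
    $q = { param($Query, $Db = 'master') Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Db -Query $Query }

    # 1. xp_cmdshell must be off (value_in_use = 0); it turns SQL access into OS command execution.
    $xp = & $q "SELECT CAST(value_in_use AS int) AS InUse FROM sys.configurations WHERE name = 'xp_cmdshell';"

    # 2. The sa login keeps SID 0x01 even when renamed; it should be disabled.
    $sa = & $q "SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01;"

    # 3. sysadmin members: compare against the accounts you expect Metasys to use.
    $admins = & $q @"
SELECT p.name FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE r.name = 'sysadmin';
"@

    # 4. Stored procedures created or changed recently in user databases: an
    #    unexpected CREATE/ALTER PROCEDURE is one of the tamper indicators above.
    $dbs = (& $q "SELECT name FROM sys.databases WHERE database_id > 4 AND state_desc = 'ONLINE';").name
    $procs = foreach ($db in $dbs) {
        & $q "SELECT '$db' AS db, name, create_date, modify_date FROM sys.objects WHERE type = 'P' AND modify_date > DATEADD(day, -$Days, GETDATE());" $db
    }

    # 5. Failed logins in the current SQL Server error log (brute force against 1433).
    $failed = & $q "EXEC xp_readerrorlog 0, 1, N'Login failed';"

    [pscustomobject]@{
        XpCmdshellEnabled    = ($xp.InUse -eq 1)     # expect False
        SaDisabled           = [bool]$sa.is_disabled # expect True
        SysadminLogins       = @($admins.name)
        RecentlyChangedProcs = @($procs)
        FailedLoginCount     = @($failed).Count
    }
}

Get-MetasysSqlAudit -ServerInstance $Instance -Days $LookbackDays | Format-List
```

With SqlServer module 22 and later, Invoke‑Sqlcmd encrypts by default and may need -TrustServerCertificate (or a properly issued server certificate) to connect. Review the sysadmin and procedure lists against your change records rather than treating every entry as malicious.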

Broader context: a resilient approach

This advisory reinforces two perennial truths for building automation and OT security teams:
  • Patching alone is not a silver bullet. Rapid patch deployment must be combined with strong network segmentation, hardened Windows host posture, and strict credential management to prevent compromise even when a zero‑day appears. CISA’s advice — minimize external exposure and use dedicated, hardened access paths — is applicable across vendors and product families.
  • Vendor cooperation and timely patch availability matter. Organizations should maintain active support relationships, ensure portal access to security artifacts, and plan for vendor‑coordinated maintenance windows. Where support lapses (EOL products, expired contracts), be prepared to replace or compensate with stronger isolation.

What to do next — an action plan you can execute today

  • Immediately inventory Metasys installations and block external access to management interfaces. If you cannot complete a full inventory within hours, at minimum block management ports at the network edge.
  • Block inbound TCP 1433 to public/untrusted networks and restrict intra‑network SQL access to a small set of management hosts.
  • Obtain Johnson Controls’ patch GIV‑165989 from the License Portal, schedule testing, and apply to a controlled test host as soon as you can. If you lack portal access, contact your account manager or integrator to escalate.
  • Harden jump hosts, enforce MFA, and lock down SQL and Windows service accounts.
  • Monitor logs and set SIEM alerts for indicators described earlier; prepare an incident response plan that includes reporting contacts.

Conclusion

CVE‑2025‑26385 is a high‑severity, network‑exploitable vulnerability in Johnson Controls’ Metasys ecosystem that elevates the real risk to building operations, data integrity and safety services if controllers and servers are exposed. The immediate combination of vendor patching (GIV‑165989), strict network segmentation, and closing access to SQL Server listeners (TCP 1433) will substantially reduce risk while teams validate and apply full remediation. Treat this advisory as urgent: inventory, isolate, patch, and verify — and coordinate closely with Johnson Controls and your ICS/OT incident response stakeholders to ensure a safe, measured roll‑out that preserves both security and facility continuity.

Source: CISA Johnson Controls Products | CISA