Metasys product command injection vulnerability could allow remote SQL execution

9.5 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects

* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
* Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.

Basic Information

ID CVE-2025-26385

Source jci

Published Jan 30, 2026 at 11:05

Affected Product

Vendor Johnson Controls

Product Metasys

Version Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation

Affected Versions Johnson Controls Metasys Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation
Johnson Controls Metasys Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation
Johnson Controls Metasys LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1
Johnson Controls Metasys System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior
Johnson Controls Metasys Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior

CWE Classification

CWE-77

References

{
    "lastseen": "",
    "description": "Johnson Controls Metasys component listed below have  Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects\u00a0\n\n\n\n  *  Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,\u00a0\n  *  Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,\u00a0\n  *  LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,\u00a0\n  *  System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,\u00a0\n  *  Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.",
    "published": "2026-01-30T11:05:16.688Z",
    "modified": "2026-01-30T11:05:16.688Z",
    "type": "cve",
    "title": "Metasys product command injection vulnerability could allow remote SQL execution",
    "source": "jci",
    "references": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04\nhttps://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories",
    "id": "CVE-2025-26385",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77"
    ],
    "cvelist": null,
    "sourceData": "Johnson Controls Metasys Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation\nJohnson Controls Metasys Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation\nJohnson Controls Metasys LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1\nJohnson Controls Metasys System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior\nJohnson Controls Metasys Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior",
    "sourceHref": "",
    "cvss": {
        "score": 9.5,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Metasys",
    "version": "Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation",
    "vendor": "Johnson Controls",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Metasys product command injection vulnerability could allow remote SQL execution_CVE-2025-26385