CVE-2025-26385

Jan. 30, 2026, 11:15 a.m.

9.5
Critical

Description

Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects  * Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,  * Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,  * LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,  * System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,  * Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.

Product(s) Impacted

Vendor Product Versions
Johnson Controls
  • Metasys Application And Data Server
  • Extended Application And Data Server
  • Lcs8500 Or Nae8500
  • System Configuration Tool
  • Controller Configuration Tool
  • <14.1
  • <14.1
  • 12.0-14.1
  • <17.1
  • <17.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a johnson_controls metasys_application_and_data_server <14.1 / / / / / / /
a johnson_controls extended_application_and_data_server <14.1 / / / / / / /
a johnson_controls lcs8500_or_nae8500 12.0-14.1 / / / / / / /
a johnson_controls system_configuration_tool <17.1 / / / / / / /
a johnson_controls controller_configuration_tool <17.0 / / / / / / /

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

Tags

CWE-77
[email protected]
2026-01-30
CVE-2025-26385

CVSS Score

9.5 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Jan. 30, 2026, 11:15 a.m.
Last Modified: Jan. 30, 2026, 11:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.