CVE-2025-26385

N/A

Description

Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects * Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation, * Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation, * LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1, * System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior, * Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.

CVE Details

CVSS v3.1 ScoreN/A

Published1/30/2026

Last Modified2/4/2026

Sourcenvd

Honeypot Sightings0

Weaknesses (CWE)

CWE-77

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04(productsecurity@jci.com)

https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories(productsecurity@jci.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.