Johnson Controls Metasys

Plan PatchCVSS 8.8ICS-CERT ICSA-21-159-01Jun 8, 2021

Johnson Controls

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in Johnson Controls Metasys allows authenticated users to bypass file system access controls by sending specially crafted web messages. An attacker with valid Metasys credentials can read or modify system files that should be restricted, potentially affecting building automation functions. The vulnerability affects all versions of Metasys. Johnson Controls recommends users upgrade to version 9.0 or later, and users on versions 9.0 (engine), 10.0, 10.1, or 11.0 should install the available security patch. No public exploits are currently known.

What this means

What could happen

An authenticated Metasys user could gain unauthorized access to the underlying server's file system, allowing them to read or modify system files that control building automation functions and potentially disrupt HVAC, lighting, or security operations.

Who's at risk

Building automation operators and facility managers who rely on Johnson Controls Metasys for managing HVAC, lighting, fire safety, or security systems. This affects all versions of Metasys, with particular concern for organizations running versions before 9.0 or any currently supported version that has not yet received the security patch.

How it could be exploited

An attacker with valid Metasys credentials sends a specially crafted web message to the Metasys server that exploits improper access controls. The server processes the request and allows the attacker to traverse the file system beyond their intended permissions, accessing sensitive system files that should be restricted.

Prerequisites

Valid Metasys user account credentials
Network access to the Metasys web interface (typically port 80/443)
Knowledge of crafted message format to trigger the vulnerability

Requires valid credentials (low barrier for insiders or compromised accounts)Remotely exploitableLow attack complexityNo patch available for all versions (all versions listed as no fix)Affects facility automation and safety systemsCan lead to unauthorized file modification

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

Metasys: All versionsAll versions9.0+ (with patch for versions 9.0 engine, 10.0, 10.1, 11.0)

Remediation & Mitigation

0/8

Do now

0/3

HARDENINGAudit all active and dormant user accounts and remove any that are no longer needed or whose users have left the organization

HARDENINGDelete user accounts for employees who have left or been reassigned and no longer require Metasys access

HARDENINGEnable and regularly monitor Metasys audit logs and Cyber Health Dashboard (Release 10.1 or later) for suspicious user activity

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXFor Metasys versions earlier than 9.0, upgrade to a supported release (9.0 or later)

HOTFIXFor Metasys version 9.0 (engine), 10.0, 10.1, or 11.0, install the security patch from Johnson Controls

Long-term hardening

0/3

HARDENINGEnforce mandatory password changes across all Metasys user accounts on a regular schedule

HARDENINGRestrict network access to the Metasys server from the business network and Internet; place behind a firewall

HARDENINGIf remote access is required, use a VPN and keep it updated to the latest version

CVEs (1)

CVE-2021-27657

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6d27e556-1545-4767-b089-8ec2bbf762d8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.