OTPulse

Johnson Controls Metasys

Action: Plan Patch
CVSS v3 base score: 8.4
Source: ICS-CERT ICSA-22-095-02
Published: Apr 5, 2022
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

A code injection vulnerability exists in the Johnson Controls Metasys MUI (Management User Interface) PDF export feature. An authenticated user can inject malicious code that executes with server privileges. The vulnerability affects Metasys ADS/ADX/OAS versions 10 and 11.

What this means
What could happen
An authenticated attacker could inject code through the PDF export feature of the Metasys building management system's MUI. Because the injected code runs with the privileges of the server process, a successful attack could allow command execution on the management server and unauthorized access to building automation data.
Who's at risk
Building automation and facility management staff who operate Johnson Controls Metasys building management systems (ADS, ADX, OAS) for HVAC, lighting, and other facility controls. Impacts organizations running Metasys Versions 10 or 11 that rely on this system for managing critical facility operations.
How it could be exploited
An attacker with valid Metasys credentials logs into the ADS/ADX/OAS server and uses the MUI (Management User Interface) PDF export functionality to inject malicious code. The injected code executes with the privileges of the Metasys server process. Because the ADS/ADX/OAS is the central supervisory server for the site, a compromise there puts the rest of the building automation network at risk.
Prerequisites
  • Valid Metasys user credentials (any authenticated user)
  • Network access to the Metasys ADS/ADX/OAS management server on the management port
  • Access to the Metasys MUI PDF export feature
  • Requires valid credentials to exploit (insider risk)
  • Network-accessible management interface
  • Affects centralized building automation server
  • No known public exploit available
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: Metasys ADS/ADX/OAS
Affected versions: 10, 11
Fix status: patches available (10.1.5 or later for Version 10, 11.0.2 or later for Version 11)
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Metasys ADS/ADX/OAS Version 10 systems to patch 10.1.5 or later
HOTFIX: Update Metasys ADS/ADX/OAS Version 11 systems to patch 11.0.2 or later
HARDENING: Review user access controls. Any authenticated Metasys user can reach the PDF export feature, so every account (not only administrative ones) should belong to authorized staff and be removed when no longer needed
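As an added example (not part of this advisory and not a Johnson Controls tool), the following Python script triages an inventory of Metasys ADS/ADX/OAS servers against the fix levels listed above: 10.1.5 for Version 10 and 11.0.2 for Version 11. The hostnames and version strings in the inventory are constructed sample data. Versions outside 10 and 11 are reported as not listed in the advisory rather than as safe, and an unparseable version field is flagged instead of being silently treated as patched.

```python
"""Triage a Metasys server inventory against ICSA-22-095-02 fix levels.

Added example, not part of the OTPulse advisory or any Johnson Controls
software. Fix thresholds come from the advisory's hotfix lines; the
inventory below is constructed sample data.
"""
from __future__ import annotations

import re

# Minimum patched build per major release, per the advisory.
FIXED_BUILDS: dict[int, tuple[int, int, int]] = {
    10: (10, 1, 5),
    11: (11, 0, 2),
}

# Accepts "major", "major.minor" or "major.minor.patch", optional leading "v".
_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a dotted version into a 3-tuple; missing components become 0.

    Raises ValueError for anything that is not a plain dotted version so a
    bad inventory field is surfaced rather than assumed patched.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Metasys version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-listed' for one server version."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[0])
    if fixed is None:
        # Only Versions 10 and 11 appear in the advisory; anything else is
        # outside its scope, which is not the same as known-good.
        return "not-listed"
    return "patched" if v >= fixed else "vulnerable"


# Constructed sample inventory: (hostname, product, reported version).
SAMPLE_INVENTORY = [
    ("ads-hq-01", "Metasys ADS", "10.1.4"),
    ("adx-plant-02", "Metasys ADX", "10.1.5"),
    ("oas-site-07", "Metasys OAS", "11.0.1"),
    ("adx-campus-03", "Metasys ADX", "11.0.2"),
    ("ads-legacy-09", "Metasys ADS", "9.0.7"),
    ("ads-bad-field", "Metasys ADS", "n/a"),
]


def triage(inventory) -> dict[str, list[str]]:
    """Group hostnames by assessment; unparseable versions go to 'unknown'."""
    buckets: dict[str, list[str]] = {
        "vulnerable": [], "patched": [], "not-listed": [], "unknown": [],
    }
    for host, _product, version in inventory:
        try:
            buckets[assess(version)].append(host)
        except ValueError:
            buckets["unknown"].append(host)
    return buckets


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
```

The comparison is deliberately per major release: a Version 10 server at 10.1.5 is patched even though 11.0.2 is numerically higher, and a bare "10.1" is treated as 10.1.0 and therefore still vulnerable. Feed the script the version strings your asset inventory already holds; hosts in the "unknown" bucket need a manual check of the installed build before they can be closed out.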
Long-term hardening
HARDENING: Restrict network access to Metasys ADS/ADX/OAS servers to authorized personnel only; place the management server behind a firewall and isolate it from the business network
HARDENING: Require VPN access for any remote connections to Metasys management consoles and keep the VPN software updated