Johnson Controls Metasys SCT Pro

Monitor5.3ICS-CERT ICSA-22-111-02Apr 21, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

This vulnerability allows a remote unauthenticated attacker to enumerate internal systems and file paths by sending specially crafted requests to Metasys SCT or SCT Pro. The tool responds differently when queried for paths that exist versus those that don't, enabling an attacker to map your building automation infrastructure for reconnaissance purposes.

What this means

What could happen

An attacker could probe your Metasys configuration tool to discover which internal systems and file paths exist on your network, enabling reconnaissance for follow-up attacks. This is passive reconnaissance—the attacker gains information about your environment without triggering obvious alarms.

Who's at risk

Building automation system administrators and operators responsible for Metasys-based HVAC, lighting, and facility controls should prioritize this. Any organization using SCT or SCT Pro for configuration and management of Johnson Controls building automation equipment is affected.

How it could be exploited

An attacker sends specially crafted requests to the SCT or SCT Pro tool from the network. The tool responds differently when a file or system path exists versus when it doesn't, allowing the attacker to enumerate internal systems and their locations. No authentication is required—the attacker can probe the tool directly to map your building automation infrastructure.

Prerequisites

Network access to the Metasys SCT or SCT Pro tool
Tool exposed to an attacker's network segment (direct reachability required)
No authentication credentials needed

Remotely exploitableNo authentication requiredLow complexity attackNo patch available for older versions

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Metasys System Configuration Tool (SCT): All< 14.2.214.2.2

Metasys System Configuration Tool Pro (SCT Pro): All< 14.2.214.2.2

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIsolate the Metasys configuration tool network from the business network using a firewall

HARDENINGRestrict network access to the configuration tool—allow only engineering workstations and management systems that require it

HARDENINGEnsure the configuration tool is not directly reachable from the Internet

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Metasys System Configuration Tool (SCT): All

HOTFIXUpdate Metasys System Configuration Tool (SCT) to version 14.2.2 or later

HOTFIXUpdate Metasys System Configuration Tool Pro (SCT Pro) to version 14.2.2 or later

CVEs (1)

CVE-2021-36203

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6e191ff2-dcbe-4edf-bf7c-6ea0e044b4ba