OTPulse

Johnson Controls Metasys

Plan: Patch · Score: 8.8 · ICS-CERT ICSA-22-118-01 · Apr 28, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A privilege escalation vulnerability in Johnson Controls Metasys ADS/ADX/OAS Servers (versions 10 and 11) allows an authenticated user to elevate their privileges to administrator level. The vulnerability affects building automation system servers and requires valid user credentials to exploit. Johnson Controls has released patches addressing this issue.

What this means
What could happen
An attacker with valid Metasys user credentials could gain administrator access to the building automation system, allowing them to modify HVAC setpoints, disable alarms, or disrupt operations affecting occupant comfort and safety.
Who's at risk
This affects any organization using Johnson Controls Metasys building automation systems, including water utilities, municipal electric utilities, hospitals, data centers, and commercial/industrial facilities that rely on Metasys for HVAC, lighting, and energy management. Risk is highest for systems where non-administrative staff have user accounts.
How it could be exploited
An attacker with a standard user account on the Metasys server can exploit a privilege escalation flaw to gain administrator rights. Once elevated, the attacker can modify building automation settings, disable safety features, or shut down HVAC systems controlling the facility. The attacker must already have a valid user credential to access the Metasys interface (network or direct access to the server).
Prerequisites
  • Valid Metasys user account (standard user credentials)
  • Network access to the Metasys ADS/ADX/OAS Server (port typically 80/443 for web interface or direct server access)
  • Remotely exploitable (via network access)
  • Authentication required, but only standard user credentials
  • Low complexity attack
  • Affects building automation and safety controls
  • Privilege escalation to admin level
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
All Metasys ADS/ADX/OAS Servers | 10, 11 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Enforce least-privilege access: disable or remove unnecessary user accounts, and grant users only the minimum permissions required for their role
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Metasys ADS/ADX/OAS Servers version 10 to patch 10.1.5 or later
HOTFIX: Update Metasys ADS/ADX/OAS Servers version 11 to patch 11.0.2 or later
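To check a server inventory against the two fixed releases above, here is an added example (not code from OTPulse or Johnson Controls) that assumes versions are reported as dotted integers; the hostnames and the inventory are constructed for illustration.

```python
# Added example: classify a constructed inventory of Metasys ADS/ADX/OAS server
# versions against the fixed releases named in the advisory
# (10.1.5 for the 10 branch, 11.0.2 for the 11 branch).
from typing import Dict, List, Tuple

# Minimum patched release per affected major version, taken from the advisory.
FIXED_RELEASE: Dict[int, Tuple[int, ...]] = {
    10: (10, 1, 5),
    11: (11, 0, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.5' or '11' into a comparable integer tuple."""
    return tuple(int(p) for p in text.strip().split("."))


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'not-affected' for one server."""
    parsed = parse_version(version)
    major = parsed[0]
    if major not in FIXED_RELEASE:
        return "not-affected"  # the advisory only lists versions 10 and 11
    # Pad to three components so a bare "10" compares as 10.0.0 (< 10.1.5).
    padded = parsed + (0,) * (3 - len(parsed))
    return "patched" if padded >= FIXED_RELEASE[major] else "vulnerable"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Map {hostname: version} to (hostname, version, status), vulnerable first."""
    rows = [(host, ver, patch_status(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: r[2] != "vulnerable")


# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "ads-hq-01": "10.1.5",
    "adx-plant-02": "10.1.2",
    "oas-dc-03": "11",
    "ads-lab-04": "11.0.2",
    "ads-old-05": "9.0",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {ver:8} {status}")
```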
Long-term hardening
HARDENING: Isolate Metasys servers from the business network using firewalls; restrict access to only authorized engineering workstations and administrative devices
HARDENING: Disable direct Internet access to Metasys servers; if remote access is required, route it through a VPN with multi-factor authentication
API: /api/v1/advisories/7b6bb9b7-a8ba-4b74-adcd-2d9141f44864