OTPulse

Johnson Controls Metasys

Plan Patch · 8 · ICS-CERT ICSA-22-125-01 · May 5, 2022
Attack Vector: Adjacent
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A privilege escalation vulnerability in Johnson Controls Metasys ADS/ADX/OAS servers (versions 10 and 11) allows an authenticated user to lock other users out of the system and take over their accounts. Johnson Controls has released patches: version 10 should be updated to patch 10.1.5, and version 11 to patch 11.0.2. The vulnerability requires valid user credentials and network access to the Metasys server.

What this means
What could happen
An authenticated user could lock other users out of the Metasys system and take over their accounts, potentially disrupting building automation and HVAC management across connected facilities.
Who's at risk
Building automation operators and facilities managers using Johnson Controls Metasys ADS, ADX, or OAS servers in versions 10 and 11. This affects control of HVAC systems, energy management, and other automated building functions in commercial buildings, hospitals, universities, and municipal facilities.
How it could be exploited
An attacker with valid credentials on a Metasys ADS/ADX/OAS server can exploit a privilege escalation flaw to lock out other users and seize control of their accounts. The attack requires network access to the Metasys server and valid user credentials.
Prerequisites
  • Network access to Metasys ADS/ADX/OAS server
  • Valid Metasys user account credentials
  • Authenticated session to the system
  • Requires valid user credentials to exploit
  • Could lead to account takeover and denial of service
  • Affects building automation systems that may impact occupant safety or operations
  • Low EPSS score (0.3%) suggests limited exploit likelihood in the wild
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Metasys ADS/ADX/OAS Servers | 10, 11 | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Enforce least-privilege access controls; ensure users have only the permissions they need for their role
  • HARDENING: Isolate Metasys systems from the business network using a firewall; do not expose them to the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update all Metasys v10 ADS/ADX/OAS servers to patch 10.1.5
  • HOTFIX: Update all Metasys v11 ADS/ADX/OAS servers to patch 11.0.2
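To turn the two patch levels above into a per-server decision, here is an added example (not part of the OTPulse advisory or any Johnson Controls tooling) that classifies a Metasys ADS/ADX/OAS inventory by reported version string; the hostnames and versions in the sample inventory are constructed, and the way your environment reports version strings is an assumption.

```python
from __future__ import annotations

# Fixed patch level per affected major version, as listed in the advisory:
# Metasys v10 -> patch 10.1.5, Metasys v11 -> patch 11.0.2.
FIXED_PATCH = {
    10: (10, 1, 5),
    11: (11, 0, 2),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.1.5', '11' or 'v10.1' into an integer tuple; reject junk."""
    parts = text.strip().lower().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Metasys version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one server as 'vulnerable', 'patched' or 'not-listed'."""
    v = parse_version(version)
    v = v + (0,) * (3 - len(v))          # a bare '10' compares as 10.0.0
    fixed = FIXED_PATCH.get(v[0])
    if fixed is None:
        # Major versions other than 10 and 11 are not named by this advisory;
        # 'not-listed' is not a statement that they are safe.
        return "not-listed"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the 'Do now' patch list is explicit."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "not-listed": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ads-hq-01": "10.1.4",
    "adx-plant-02": "10.1.5",
    "oas-site-03": "11.0.1",
    "ads-lab-04": "11.0.2",
    "adx-legacy-05": "10",
    "ads-new-06": "12.0.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
```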
Long-term hardening
  • HARDENING: If remote access to Metasys is required, use a VPN with strong authentication and keep it updated to the latest version