OTPulse

Johnson Controls Metasys ADS ADX OAS Servers

Plan Patch
CVSS: 8.7
Source: ICS-CERT ICSA-22-165-01
Published: Jun 14, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Johnson Controls Metasys ADS, ADX, and OAS servers (Versions 10 and 11) contain cross-site scripting (CWE-79) and improper access control (CWE-620) vulnerabilities in their web interfaces. These flaws could allow an authenticated attacker to steal administrator passwords and inject malicious code, enabling unauthorized modification of building automation configurations or further compromise of the network.

What this means
What could happen
An attacker with internal network access could steal administrator passwords and inject malicious code into the web interface, potentially allowing unauthorized control of building automation systems or further network compromise.
Who's at risk
Building automation administrators and operators at water utilities, municipal electric utilities, hospitals, and other facilities running Johnson Controls Metasys ADS, ADX, or OAS servers for HVAC, lighting, and environmental control systems.
How it could be exploited
An authenticated user (or attacker with internal network credentials) visits the Metasys web interface, which is vulnerable to cross-site scripting (XSS) and password exposure flaws. The attacker exploits XSS to inject malicious JavaScript that steals session tokens or administrative passwords, then uses those credentials to modify system configurations or inject further malicious code.
Prerequisites
  • Internal network access to the Metasys ADS/ADX/OAS web server (typically port 80/443)
  • Valid user credentials to log into the web interface, or ability to trick an authenticated user into visiting a malicious link

  • Requires valid credentials (reduces but does not eliminate risk)
  • Low complexity attack once inside the network
  • Affects web-based control interface: could lead to unauthorized system changes
  • XSS and password exposure vulnerabilities allow lateral movement or privilege escalation
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: All Metasys ADS/ADX/OAS
Affected Versions: 10 | 11
Fix Status: No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the Metasys web interface; do not expose it to the Internet. Place it behind a firewall and isolate the building automation network from the business network.
Schedule (requires maintenance window)

Patching may require device reboot — plan for process interruption

HOTFIX: Update Metasys ADS/ADX/OAS Version 10 to patch 10.1.5 or later
HOTFIX: Update Metasys ADS/ADX/OAS Version 11 to patch 11.0.2 or later
Long-term hardening
HARDENING: If remote access to Metasys is required, use a VPN with current security patches and multi-factor authentication for administrative accounts
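The remediation steps above give two concrete thresholds (10.1.5 for Version 10 servers, 11.0.2 for Version 11) plus a "do now" rule about Internet exposure. The script below is an added example for this page, not OTPulse or Johnson Controls code, that applies those rules to an asset inventory and orders the findings so that an unpatched, Internet-reachable server is handled first. The dotted version-string format, the `Server` record, and every hostname and version in `SAMPLE_INVENTORY` are constructed assumptions; adapt `parse_version` to however your inventory tool reports Metasys builds.

```python
"""Flag Metasys ADS/ADX/OAS servers still below the patched builds named in the
advisory (10.1.5 for Version 10, 11.0.2 for Version 11) and rank them by urgency.

Added example for this advisory page; not OTPulse or Johnson Controls code.
The inventory records and the dotted version-string format are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Minimum patched release per affected major version, from the advisory's
# remediation steps. Majors not listed here are outside what the page covers.
FIXED_RELEASES = {
    10: (10, 1, 5),
    11: (11, 0, 2),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.1.4' into (10, 1, 4). Missing components count as zero, so a
    bare '11' becomes (11, 0, 0) and is correctly treated as below 11.0.2."""
    parts = [int(p) for p in text.strip().split(".") if p]
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def needs_patch(version: str) -> Optional[bool]:
    """True if the server runs an affected major (10 or 11) below the fixed
    release, False if it is at or above it, None if the major version is not
    one the advisory lists (the page says nothing about other releases)."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[0])
    if fixed is None:
        return None
    return v < fixed


@dataclass
class Server:
    hostname: str
    role: str               # ADS, ADX or OAS
    version: str
    internet_exposed: bool  # from your firewall/NAT review; constructed here


def triage(servers: List[Server]) -> List[Tuple[str, str]]:
    """Return (hostname, reason) pairs, most urgent first. An unpatched server
    that is also reachable from the Internet breaks the page's 'do now' rule
    and goes to the top; patched-but-exposed hosts are still reported."""
    findings = []
    for s in servers:
        unpatched = needs_patch(s.version)
        if unpatched is None:
            continue  # not a Version 10 or 11 server; out of scope for this advisory
        if unpatched and s.internet_exposed:
            findings.append((0, s.hostname,
                             "UNPATCHED and Internet-exposed: restrict access now, then patch"))
        elif unpatched:
            target = ".".join(str(n) for n in FIXED_RELEASES[parse_version(s.version)[0]])
            findings.append((1, s.hostname, f"unpatched: schedule update to {target} or later"))
        elif s.internet_exposed:
            findings.append((2, s.hostname, "patched but Internet-exposed: restrict access"))
    findings.sort()  # by priority, then hostname for stable output
    return [(host, reason) for _, host, reason in findings]


# Constructed sample inventory; hostnames, roles and versions are made up.
SAMPLE_INVENTORY = [
    Server("bms-ads-01", "ADS", "10.1.4", internet_exposed=True),
    Server("bms-adx-02", "ADX", "11.0.2", internet_exposed=False),
    Server("bms-oas-03", "OAS", "11", internet_exposed=False),
    Server("bms-ads-04", "ADS", "10.1.5", internet_exposed=True),
    Server("bms-ads-05", "ADS", "12.0.0", internet_exposed=False),
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

On the sample inventory this reports bms-ads-01 first (below 10.1.5 and exposed), then bms-oas-03 (a bare "11" build, below 11.0.2), then bms-ads-04 (patched but still reachable from the Internet); the 12.0.0 host is skipped because the advisory does not cover it.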