OTPulse

Johnson Controls Metasys ADS, ADX, OAS

Monitor · 5.3 · ICS-CERT ICSA-22-202-02 · Jul 21, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls Metasys ADS, ADX, and OAS building automation systems with the MUI (Management User Interface) component contain an authentication bypass vulnerability that allows unauthenticated users to access the Metasys web API and enumerate system users. The vulnerability affects versions 10 and 11.

What this means
What could happen
An attacker could enumerate valid user accounts on your Metasys building automation system without credentials, giving them a list of accounts to use in further targeted attacks. This could lead to unauthorized access to building control systems, potentially allowing manipulation of HVAC, lighting, and other building mechanical systems.
Who's at risk
Building managers and facility engineers at organizations using Johnson Controls Metasys ADS, ADX, or OAS systems for central building automation and management. This includes utilities, hospitals, office buildings, data centers, and any facility relying on Metasys for HVAC, lighting, fire safety, and security system control.
How it could be exploited
An attacker on the network (or from the internet if the device is exposed) connects directly to the Metasys web API without providing credentials. The vulnerability allows the attacker to query API endpoints that should require authentication, extracting a list of valid user accounts. This information can then be used for password guessing, social engineering, or other follow-on attacks.
Prerequisites
  • Network connectivity to the Metasys web API port (typically port 80 or 443)
  • No authentication required for initial API access
Tags: remotely exploitable · no authentication required · low complexity · affects building automation and safety systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2), 2 pending

Product | Affected Versions | Fix Status
Johnson Controls Metasys ADS ADX OAS with MUI | 11 | No fix yet
Johnson Controls Metasys ADS ADX OAS with MUI | 10 | No fix yet
Remediation & Mitigation

Do now
WORKAROUND: Implement firewall rules to restrict network access to the Metasys web API; only allow connections from authorized engineering workstations and management systems.

Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
HOTFIX: Update Metasys ADS/ADX/OAS version 10 to patch 10.1.6 or later.
HOTFIX: Update Metasys ADS/ADX/OAS version 11 to patch 11.0.2 or later.

Long-term hardening
HARDENING: Ensure Metasys systems are not directly accessible from the internet; place them behind a VPN or secure gateway if remote access is required.
HARDENING: Segment building automation networks from general IT/business networks to limit lateral movement if an attacker gains access.