OTPulse

Johnson Controls Metasys ADX Server

Priority: Plan Patch
Score: 8.1
ICS-CERT: ICSA-22-277-01
Published: Oct 4, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls Metasys ADX Server version 12.0 contains an authentication bypass vulnerability in the Active Directory integration. An Active Directory user with valid credentials can execute validated actions without providing a valid password, allowing unauthorized modifications to building automation system settings and configurations.

What this means
What could happen
An attacker with Active Directory credentials could bypass authentication and modify building automation system settings, such as HVAC schedules, access controls, or fire safety parameters, without proper authorization or audit trail validation.
Who's at risk
Building automation system operators at facilities using Johnson Controls Metasys ADX Server for HVAC, lighting, access control, and fire safety management. This affects universities, hospitals, office buildings, data centers, and other facilities relying on Johnson Controls building management systems.
How it could be exploited
An attacker with valid Active Directory credentials connects to the Metasys ADX Server over the network (typically port 80/443) and submits a request to execute a validated action. The server fails to properly verify the password against the credentials, allowing the authenticated user to perform administrative actions they should not be permitted to do.
Prerequisites
  • Valid Active Directory user account credentials (username)
  • Network access to Metasys ADX Server (typically port 80/443)
  • Metasys ADX Server version 12.0 running with MVE integration enabled
Tags: remotely exploitable · low complexity · requires valid AD credentials · affects building automation and safety systems · no patch available for version 12.0
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: Metasys ADX Server
Affected Versions: 12.0
Fix Status: 12.0.1
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Metasys ADX Server by placing it behind a firewall and denying inbound connections from business networks and the Internet
HARDENING: Review and restrict Active Directory user accounts that have access to Metasys ADX Server to only those who require it
HARDENING: Monitor Metasys ADX Server logs for unauthorized action execution and implement alerting for suspicious activity
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Metasys ADX Server version 12.0 to patch 12.0.1 (requires maintenance window and coordination with Johnson Controls or ABCS)
HARDENING: Use VPN with multi-factor authentication when remote access to Metasys ADX Server is required