OTPulse

Johnson Controls Metasys and Facility Explorer (Update A)

Plan Patch | 7.5 | ICS-CERT ICSA-23-341-03 | Dec 7, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Johnson Controls Metasys and Facility Explorer products are vulnerable to denial-of-service attacks. An attacker can send invalid credentials to cause the affected network automation engines (NAE55, SNE, SNC) and Facility Explorer F4-SNC controllers to become unresponsive. The vulnerability affects devices running firmware versions below 11.0.6 or 12.0.4 (depending on product line).

What this means
What could happen
An attacker could crash building automation controllers with invalid login attempts, disrupting HVAC, lighting, and other facility systems. The denial-of-service condition persists until the device is manually restarted.
Who's at risk
Building automation and facility management teams relying on Johnson Controls Metasys building automation systems and Facility Explorer. Affects NAE55, SNE, and SNC engine controllers used to manage HVAC, lighting, access control, and other facility systems in commercial buildings, hospitals, and industrial facilities.
How it could be exploited
An attacker with network access to the affected engine or controller can send a series of invalid authentication requests to port 502 (Metasys protocol) or the web interface. The device fails to properly rate-limit or validate these requests, becoming unresponsive and unable to process legitimate commands or monitoring requests.
Prerequisites
  • Network access to the affected Metasys engine or Facility Explorer controller (reachable from within facility network or via remote access)
  • No valid credentials required

Remotely exploitable · No authentication required · Low complexity attack · Affects facility operations and control systems · Denial-of-service impact
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (8)
8 with fix
Product | Affected Versions | Fix Status
Metasys SNE engines | <12.0.4 | 11.0.6 or 12.0.4
Metasys SNC engines | <11.0.6 | 11.0.6 or 12.0.4
Facility Explorer F4-SNC | <11.0.6 | 11.0.6 or 12.0.4
Metasys NAE55 engines | <11.0.6 | 11.0.6 or 12.0.4
Metasys SNE engines | <11.0.6 | 11.0.6 or 12.0.4
Metasys NAE55 engines | <12.0.4 | 11.0.6 or 12.0.4
Metasys SNC engines | <12.0.4 | 11.0.6 or 12.0.4
Facility Explorer F4-SNC | <12.0.4 | 11.0.6 or 12.0.4
Remediation & Mitigation
Do now
  • HARDENING: Isolate building automation network from business network with firewall rules; block unauthorized inbound connections to Metasys engines
  • HARDENING: Restrict network access to affected engines to known facility engineering workstations and administrative systems only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update Metasys NAE55 engines to version 11.0.6 or 12.0.4
  • HOTFIX: Update Metasys SNE engines to version 11.0.6 or 12.0.4
  • HOTFIX: Update Metasys SNC engines to version 11.0.6 or 12.0.4
  • HOTFIX: Update Facility Explorer F4-SNC to version 11.0.6 or 12.0.4
Long-term hardening
  • HARDENING: Monitor Metasys engine logs for repeated failed authentication attempts; configure alerts for DoS patterns
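
One way to act on the log-monitoring item above, as an added example that is not OTPulse's or Johnson Controls' code: a sliding-window count of failed logins per engine and source, which also flags an engine that stops logging after a burst, matching the unresponsive state described in this advisory. The key=value log layout, field names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical key=value export layout, not the real Metasys log format.
LINE_RE = re.compile(r"^(\S+) engine=(\S+) src=(\S+) event=(\S+)$")

def parse_line(line):
    """Return (timestamp, engine, src, event), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], m[4]
    except ValueError:
        return None

def detect_bursts(lines, threshold=5, window=timedelta(seconds=60),
                  silence=timedelta(minutes=5)):
    """Alert on >= threshold failed logins per (engine, src) inside `window` and
    flag the engine if it then logs nothing for `silence`. Input is time-ordered."""
    recent = defaultdict(deque)  # (engine, src) -> failure times still in window
    alerts, last_seen, end = {}, {}, None
    for ts, engine, src, event in filter(None, map(parse_line, lines)):
        last_seen[engine] = end = ts
        if event == "auth_failure":
            q = recent[(engine, src)]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault((engine, src), ts)  # keep first crossing only
    return [{"engine": e, "src": s, "at": at,
             "engine_silent": end - last_seen[e] >= silence}
            for (e, s), at in sorted(alerts.items())]

# Constructed sample: a burst against SNC-02, after which it stops logging.
SAMPLE_LOG = """\
2023-12-07T10:00:00Z engine=NAE55-01 src=10.20.0.11 event=auth_success
2023-12-07T10:01:00Z engine=SNC-02 src=10.20.0.57 event=auth_failure
2023-12-07T10:01:02Z engine=SNC-02 src=10.20.0.57 event=auth_failure
2023-12-07T10:01:04Z engine=SNC-02 src=10.20.0.57 event=auth_failure
2023-12-07T10:01:06Z engine=SNC-02 src=10.20.0.57 event=auth_failure
2023-12-07T10:01:08Z engine=SNC-02 src=10.20.0.57 event=auth_failure
truncated line without fields
2023-12-07T10:10:00Z engine=NAE55-01 src=10.20.0.11 event=auth_success
""".splitlines()

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))
```

The silence check only works when other devices keep writing to the same log stream, since the latest timestamp in the input is used as "now".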