Johnson Controls Metasys Products

CVSS 10 | ICS-CERT ICSA-26-027-04 | Jan 27, 2026
Vendor: Johnson Controls
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls Metasys products contain a vulnerability that allows remote SQL execution, potentially leading to alteration or loss of data. Affected versions include Metasys Application and Data Server (ADS) through 14.1, Extended Application and Data Server (ADX) version 14.1, LCS8500 and NAE8500 versions 12.0-14.1, System Configuration Tool (SCT) through 17.1, and Controller Configuration Tool (CCT) through 17.0.

What this means
What could happen
An attacker could execute arbitrary SQL commands on the Metasys database, allowing them to modify building automation setpoints, disable alarms, or delete operational data. This could disrupt HVAC, lighting, or other critical building systems that depend on Metasys configuration.
Who's at risk
Building automation operators and facility managers using Johnson Controls Metasys systems for HVAC, lighting, and occupancy control. This affects organizations running Metasys Application and Data Server, Extended Application and Data Server, network appliances (LCS8500, NAE8500), and configuration tools in versions through mid-2024 releases.
How it could be exploited
An attacker with network access to TCP port 1433 (SQL Server) can send crafted SQL commands to the Metasys database without authentication. The attack does not require prior access or credentials and can be executed directly from an untrusted network if the database port is exposed.
Prerequisites
  • Network connectivity to TCP port 1433 on affected Metasys servers
  • Metasys products running vulnerable versions (ADS ≤14.1, ADX 14.1, LCS8500/NAE8500 12.0-14.1, SCT ≤17.1, CCT ≤17.0)
Tags: remotely exploitable, no authentication required, low complexity, affects operational systems, no patch available
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (6, all EOL)
Product | Affected Versions | Fix Status
Metasys Application and Data Server (ADS) | ≤ 14.1 | No fix (EOL)
Metasys Extended Application and Data Server (ADX) | 14.1 | No fix (EOL)
Metasys LCS8500 | ≥ 12.0 and ≤ 14.1 | No fix (EOL)
Metasys NAE8500 | ≥ 12.0 and ≤ 14.1 | No fix (EOL)
Metasys System Configuration Tool (SCT) | ≤ 17.1 | No fix (EOL)
Metasys Controller Configuration Tool (CCT) | ≤ 17.0 | No fix (EOL)
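The two prerequisites listed above (a version inside the advisory ranges and TCP 1433 reachable from an untrusted network) can be checked against an asset inventory. The following Python is an added example, not code from OTPulse or Johnson Controls; the short product keys, the sample hosts and the treatment of a bound such as "14.1" as a whole release line are assumptions.

```python
# Affected ranges copied from the advisory table: (low inclusive or None, high inclusive)
AFFECTED_RANGES = {
    "ADS": (None, "14.1"),
    "ADX": ("14.1", "14.1"),
    "LCS8500": ("12.0", "14.1"),
    "NAE8500": ("12.0", "14.1"),
    "SCT": (None, "17.1"),
    "CCT": (None, "17.0"),
}

def parse_version(text):
    """'14.1.0.3' -> (14, 1, 0, 3); a non-numeric part raises ValueError."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(product, version):
    """True when the asset version lies inside the advisory range for the product.
    Assumption: a bound like '14.1' names a release line, so 14.1.0.3 counts as 14.1."""
    if product not in AFFECTED_RANGES:
        return False
    low, high = AFFECTED_RANGES[product]
    v = parse_version(version)
    if low is not None:
        low_t = parse_version(low)
        if v[:len(low_t)] < low_t:
            return False
    high_t = parse_version(high)
    return v[:len(high_t)] <= high_t

def triage(inventory):
    """Classify (host, product, version, port_1433_exposed) records as 'urgent'
    (affected and 1433 reachable: block now), 'affected' (segment, schedule) or 'unaffected'."""
    result = {}
    for host, product, version, exposed in inventory:
        if not is_affected(product, version):
            result[host] = "unaffected"
        else:
            result[host] = "urgent" if exposed else "affected"
    return result

SAMPLE_INVENTORY = [  # constructed sample, not real assets
    ("ads-01", "ADS", "14.1.0.3", True),
    ("adx-02", "ADX", "14.1", False),
    ("nae-03", "NAE8500", "11.0", True),
    ("nae-04", "NAE8500", "12.0", True),
    ("cct-ws", "CCT", "17.1", False),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status}")
```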
Remediation & Mitigation
Do now
Workaround: Block incoming TCP port 1433 at the network firewall to prevent remote SQL Server access from untrusted networks.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Hotfix: Download and apply patch GIV-165989 from the Johnson Controls License Portal for affected Metasys products.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Metasys Application and Data Server (ADS) ≤ 14.1, Metasys Extended Application and Data Server (ADX) 14.1, Metasys LCS8500 12.0-14.1, Metasys NAE8500 12.0-14.1, Metasys System Configuration Tool (SCT) ≤ 17.1, Metasys Controller Configuration Tool (CCT) ≤ 17.0. Apply the following compensating controls:
Hardening: Isolate all Metasys servers on a segmented network physically or logically separated from the internet and untrusted networks.
Hardening: Review and implement the Johnson Controls Metasys Release 14 Hardening Guide recommendations for secure network architecture.