OTPulse

Johnson Controls Metasys Products

Act Now · 10 · ICS-CERT ICSA-26-027-04 · Jan 27, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

This vulnerability allows remote SQL injection against the Metasys database server. An unauthenticated attacker with network access can send crafted SQL to the database listener on TCP port 1433 and execute arbitrary database operations. Successful exploitation could result in modification or deletion of critical building automation data, alteration of control setpoints, or disruption of HVAC and facility operations. The vulnerability affects Metasys ADS (version 14.1 and earlier), ADX (version 14.1), LCS8500 and NAE8500 controllers (versions 12.0 through 14.1), and the engineering tools SCT (17.1 and earlier) and CCT (17.0 and earlier).

What this means
What could happen
An attacker could execute arbitrary SQL commands on the Metasys database, potentially altering setpoints, disabling alarms, corrupting historical data, or shutting down HVAC and building automation processes across your facility.
Who's at risk
Building automation and HVAC operators at water authorities, utilities, and municipal facilities running affected Johnson Controls Metasys components: Application and Data Servers (ADS 14.1 and earlier, ADX 14.1), networked controllers (LCS8500 and NAE8500, 12.0 through 14.1), and engineering workstations running the System Configuration Tool (SCT 17.1 and earlier) or Controller Configuration Tool (CCT 17.0 and earlier).
How it could be exploited
An attacker on the network sends a specially crafted SQL injection payload to the affected Metasys server (typically on TCP port 1433). The vulnerability allows the attacker to execute arbitrary SQL commands without authentication, bypassing the application layer entirely and interacting directly with the underlying database.
Prerequisites
  • Network access to TCP port 1433 on the Metasys server
  • No authentication credentials required
Tags: remotely exploitable · no authentication required · low complexity · affects building automation and critical HVAC systems · default/unauthenticated database access · no vendor patch for the affected (EOL) versions
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (6), all End of Life

Product                                              Affected Versions    Fix Status
Metasys Application and Data Server (ADS)            ≤ 14.1               No fix (EOL)
Metasys Extended Application and Data Server (ADX)   14.1                 No fix (EOL)
Metasys LCS8500                                      12.0 through 14.1    No fix (EOL)
Metasys NAE8500                                      12.0 through 14.1    No fix (EOL)
Metasys System Configuration Tool (SCT)              ≤ 17.1               No fix (EOL)
Metasys Controller Configuration Tool (CCT)          ≤ 17.0               No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Block inbound TCP port 1433 at the firewall or network boundary so that only hosts inside the building automation segment can reach the Metasys database server. After the change, confirm from an untrusted segment that TCP 1433 on the Metasys servers is no longer reachable.

Schedule (requires maintenance window)

Patching may require a device reboot; plan for process interruption.

HOTFIX: Apply the Metasys patch for GIV-165989 from the Johnson Controls License Portal (login required).

Mitigations (no patch available for the listed versions)
All six affected products have reached End of Life with no planned fix: ADS ≤ 14.1, ADX 14.1, LCS8500 and NAE8500 12.0 through 14.1, SCT ≤ 17.1, and CCT ≤ 17.0. Apply the following compensating controls:
HARDENING: Segment the network so that Metasys servers are isolated from untrusted networks (internet, guest networks, non-critical IT systems), per the Metasys Release 14 Hardening Guide.
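To operationalise the port-1433 workaround and the segmentation control above, the following added example (not OTPulse or Johnson Controls code) audits flow-log records for TCP/1433 connections to Metasys servers from outside an allowlisted building automation segment, groups the offending sources per server so firewall rules can be written, and includes a reachability check to run from an untrusted segment after the port is closed. The server addresses, hostnames, allowed subnet and log records are all assumptions constructed for the example.

```python
"""Audit exposure of Metasys SQL Server listeners on TCP 1433.

Added example; not OTPulse or Johnson Controls code. All addresses,
hostnames, subnets and log records below are constructed assumptions.
"""
import ipaddress
import socket
from collections import defaultdict

METASYS_DB_PORT = 1433

# Hypothetical Metasys ADS/ADX hosts (assumption) keyed by IP address.
METASYS_SERVERS = {
    "10.20.30.10": "metasys-ads-01",
    "10.20.30.11": "metasys-adx-01",
}

# Only the building automation segment may reach the database (assumption).
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2026-01-27T14:02:11Z 10.20.30.25 51532 10.20.30.10 1433 tcp
2026-01-27T14:02:15Z 192.168.50.7 40211 10.20.30.10 1433 tcp
2026-01-27T14:03:02Z 203.0.113.45 60001 10.20.30.11 1433 tcp
2026-01-27T14:03:09Z 10.20.30.26 51600 10.20.30.10 443 tcp
2026-01-27T14:04:44Z 10.20.30.27 51777 10.20.30.11 1433 udp
2026-01-27T14:05:01Z 198.51.100.9 33333 10.20.30.10 1434 udp
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto.lower()}


def is_allowed_client(ip_str):
    """True if the source address lies inside an allowlisted segment."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWED_CLIENT_NETS)


def find_exposed_db_access(flow_text):
    """Return flows that reach TCP/1433 on a Metasys server from a non-allowlisted source."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst"] not in METASYS_SERVERS:
            continue
        if flow["dport"] != METASYS_DB_PORT or flow["proto"] != "tcp":
            continue
        if is_allowed_client(flow["src"]):
            continue
        findings.append(flow)
    return findings


def sources_to_block(findings):
    """Group offending source IPs by target server name for per-server firewall rules."""
    by_server = defaultdict(set)
    for flow in findings:
        by_server[METASYS_SERVERS[flow["dst"]]].add(flow["src"])
    return {server: sorted(ips) for server, ips in by_server.items()}


def port_reachable(host, port=METASYS_DB_PORT, timeout=2.0):
    """Live check to run from an untrusted segment after closing the port.

    Returns True if a TCP handshake to host:port completes, i.e. the
    database listener is still exposed to the segment this runs from.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


if __name__ == "__main__":
    hits = find_exposed_db_access(SAMPLE_FLOWS)
    for flow in hits:
        print(f"{flow['ts']} {flow['src']} -> "
              f"{METASYS_SERVERS[flow['dst']]}:{flow['dport']} from outside the allowed segment")
    print("block at boundary:", sources_to_block(hits))
```

Feed `find_exposed_db_access` the exported flow or firewall log from the boundary device in the same six-field shape (or adapt `parse_flow` to the device's format); any hit is a source that should be denied before the workaround is considered complete. `port_reachable` is the post-change verification: run it against each Metasys server from a host outside the allowed segment and expect False.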