---
title: "Critical SQL Injection Flaw in Johnson Controls Products: Patch Now"
short_title: "Critical SQL injection flaw in Johnson Controls"
description: "Johnson Controls warns of a critical SQL injection vulnerability (CVE-2025-26385) in its ADS, ADX, and other products. Learn mitigation steps and protect your systems."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [johnson-controls, cve-2025-26385, sql-injection, critical-vulnerability, ot-security]
score: 0.87
cve_ids: [CVE-2025-26385]
---
TL;DR
Johnson Controls has disclosed a critical SQL injection vulnerability (CVE-2025-26385) affecting multiple products, including its Application and Data Server (ADS) and Extended Application and Data Server (ADX). If exploited, this flaw could enable remote SQL execution, leading to data alteration or loss. Immediate patching and network segmentation are strongly recommended to mitigate risks.
---
Main Content
Critical Vulnerability Exposes Johnson Controls Products to Remote Attacks
A severe security flaw in Johnson Controls products has raised alarms across critical infrastructure sectors. The vulnerability, tracked as CVE-2025-26385, allows attackers to execute remote SQL injection attacks, potentially compromising sensitive data and operational integrity. With a CVSS score of 10.0 (Critical), this flaw demands immediate attention from organizations relying on affected systems.
---
Key Points
- Vulnerability: CVE-2025-26385 enables remote SQL execution due to improper neutralization of special elements in commands.
- Affected Products: Johnson Controls ADS, ADX, LCS8500, NAE8500, System Configuration Tool (SCT), and Controller Configuration Tool (CCT).
- Impact: Successful exploitation could lead to data alteration, loss, or unauthorized system access.
- Mitigation: Apply the Metasys patch for GIV-165985, segment networks, and close TCP port 1433.
- Sectors at Risk: Commercial facilities, critical manufacturing, energy, government services, and transportation systems.
---
Technical Details
The vulnerability stems from improper neutralization of special elements in SQL commands, classified under CWE-77 (Command Injection). Attackers can exploit this flaw remotely without authentication, making it particularly dangerous for organizations with exposed systems.
#### Affected Versions:
- Application and Data Server (ADS): ≤ Metasys_14.1
- Extended Application and Data Server (ADX): Metasys_14.1
- LCS8500: ≥ Metasys_installation_12.0 and ≤ 14.1
- NAE8500: ≥ Metasys_installation_12.0 and ≤ 14.1
- System Configuration Tool (SCT): ≤ 17.1
- Controller Configuration Tool (CCT): ≤ 17.0
#### CVSS Metrics:
- Base Score: 10.0 (Critical)
- Vector String: [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- Impact: High confidentiality, integrity, and availability risks.
---
Impact Assessment
The vulnerability poses a significant threat to organizations using Johnson Controls products, particularly those in critical infrastructure sectors. Exploitation could disrupt operations, compromise sensitive data, and enable further attacks on connected systems. Given the global deployment of these products, the potential for widespread impact is high.
#### At-Risk Sectors:
- Commercial Facilities
- Critical Manufacturing
- Energy
- Government Services and Facilities
- Transportation Systems
---
Mitigation Steps
Johnson Controls has released urgent mitigation measures to address this vulnerability:
1. Apply the Patch: Download and execute the Metasys patch for GIV-165985 from the [Johnson Controls License Portal](https://www.johnsoncontrols.com).
2. Network Segmentation: Follow the Metasys Release 14 Hardening Guide to isolate systems from untrusted networks.
3. Close TCP Port 1433: Block incoming traffic on this port to prevent exploitation.
4. Review Advisory: Consult the [Johnson Controls Product Security Advisory JCI-PSA-2026-02](https://www.johnsoncontrols.com) for detailed instructions.
---
Recommended Practices
CISA recommends the following defensive measures to minimize exploitation risks:
- Minimize Network Exposure: Ensure control system devices are not accessible from the internet.
- Use Firewalls: Isolate control system networks from business networks.
- Secure Remote Access: Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
- Perform Risk Assessments: Conduct thorough impact analysis before deploying defensive measures.
For additional guidance, refer to CISA’s [ICS webpage](https://www.cisa.gov/ics) and the technical information paper [ICS-TIP-12-146-01B](https://www.cisa.gov/ics).
---
Conclusion
The CVE-2025-26385 vulnerability in Johnson Controls products underscores the critical importance of proactive cybersecurity measures in operational technology (OT) environments. Organizations must apply patches immediately, segment networks, and follow best practices to mitigate risks. Failure to act could result in severe operational disruptions, data breaches, and compromised infrastructure.
Stay vigilant and prioritize cybersecurity to safeguard critical systems from emerging threats.
---
References
[^1]: CISA. "[ICSA-26-027-04 Johnson Controls Products](https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04)". Retrieved 2025-01-24.
[^2]: Johnson Controls. "[Product Security Advisory JCI-PSA-2026-02](https://www.johnsoncontrols.com)". Retrieved 2025-01-24.
[^3]: NIST. "[CVE-2025-26385 Detail](https://nvd.nist.gov/vuln/detail/CVE-2025-26385)". Retrieved 2025-01-24.