Vulnerability Description
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to execute arbitrary code by uploading a shell script.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Johnsoncontrols | Metsys | 4.1 |
| Johnsoncontrols | Application And Data Server | - |
| Johnsoncontrols | Extended Application And Data Server | - |
| Johnsoncontrols | Lonworks Control Server Lcs8520 | - |
| Johnsoncontrols | Network Automation Engine 5510-2 | - |
| Johnsoncontrols | Network Automation Engine 5510-2U | - |
| Johnsoncontrols | Network Automation Engine 5511-2 | - |
| Johnsoncontrols | Network Automation Engine 5520-2 | - |
| Johnsoncontrols | Network Automation Engine 5521-2 | - |
| Johnsoncontrols | Network Integration Engine 5510-2 | - |
| Johnsoncontrols | Network Integration Engine 5511-2 | - |
| Johnsoncontrols | Nxe8500 | - |
References
- https://ics-cert.us-cert.gov/advisories/ICSA-14-350-02Third Party AdvisoryUS Government Resource
- https://ics-cert.us-cert.gov/advisories/ICSA-14-350-02Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2014-5428?
CVE-2014-5428 is a vulnerability with a CVSS score of 10.0 (HIGH). Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ...
How severe is CVE-2014-5428?
CVE-2014-5428 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-5428?
Check the references section above for vendor advisories and patch information. Affected products include: Johnsoncontrols Metsys, Johnsoncontrols Application And Data Server, Johnsoncontrols Extended Application And Data Server, Johnsoncontrols Lonworks Control Server Lcs8520, Johnsoncontrols Network Automation Engine 5510-2.