CVE-2025-26385

Vulnerability Description

Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects  * Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,  * Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,  * LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,  * System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,  * Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.

Related Weaknesses (CWE)

References

• https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04
• https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

FAQ

What is CVE-2025-26385?

CVE-2025-26385 is a documented vulnerability. Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability co...

How severe is CVE-2025-26385?

CVSS scoring is not yet available for CVE-2025-26385. Check NVD for updates.

Is there a patch for CVE-2025-26385?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.