Executive Summary
In January 2026, Johnson Controls disclosed a critical vulnerability (CVE-2025-26385) affecting multiple Metasys products: the Application and Data Server (ADS), Extended Application and Data Server (ADX), LCS8500, NAE8500, System Configuration Tool (SCT), and Controller Configuration Tool (CCT). The flaw, classed as improper neutralization of special elements used in a command, allows a remote, unauthenticated attacker to execute arbitrary SQL statements against the product's database, with potential alteration or loss of critical data. Because the issue is reachable over network-exposed ports without credentials, it carries a high impact to confidentiality, integrity, and availability in the critical infrastructure sectors where Metasys is deployed.
This disclosure underscores the growing risk from vulnerabilities in operational technology and industrial control systems. As attackers continue to target widely deployed OT/ICS products, organizations must accelerate patch deployment, enforce network segmentation, and adopt hardened security practices to protect essential services and meet evolving regulatory expectations.
Why This Matters Now
With industrial control systems underpinning critical sectors, the discovery of exploitable flaws in widely used OT products like Johnson Controls' Metasys platform presents immediate risk. Attackers exploiting such vulnerabilities could disrupt essential operations, making rapid mitigation and adoption of robust segmentation vital to safeguard global infrastructure.
Attack Path Analysis
The following is a projected attack path; the advisory reports no public exploit. The attacker remotely exploits CVE-2025-26385 to execute SQL statements against an exposed Johnson Controls product. From the database the adversary attempts to escalate, potentially gaining administrative rights on the application or its host, then pivots to other systems in the building-management network (or across segments, where segmentation is weak) in search of valuable data or additional control. A command-and-control channel provides persistence and orchestrates further activity. Sensitive data is exfiltrated over outbound connections or covert channels. Finally, the attacker manipulates or destroys data, disrupting operations or causing service outages.
Kill Chain Progression
Initial Compromise
Description
The attacker gains remote access by exploiting the SQL injection vulnerability (CVE-2025-26385) in the Johnson Controls application, for example through direct internet exposure of the database service on TCP port 1433.
Related CVEs
CVE-2025-26385
CVSS 10
An improper neutralization of special elements used in a command ('Command Injection') vulnerability in Johnson Controls products allows remote SQL execution, potentially leading to data alteration or loss.
Affected Products:
Johnson Controls Application and Data Server (ADS) – <=14.1
Johnson Controls Extended Application and Data Server (ADX) – <=14.1
Johnson Controls LCS8500 – >=12.0, <=14.1
Johnson Controls NAE8500 – >=12.0, <=14.1
Johnson Controls System Configuration Tool (SCT) – <=17.1
Johnson Controls Controller Configuration Tool (CCT) – <=17.0
Exploit Status:
No public exploit
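The affected-version table above is what patch triage has to be run against an asset inventory. The Python below is an added example, not Johnson Controls or CISA tooling: it encodes the six ranges listed above as inclusive bounds and reports which inventory entries fall inside them. The version-string format, the sample inventory, and the reading of a bound such as "<=14.1" as "14.1 and every earlier release, including any 14.1.x" are assumptions made for the example, not statements from the advisory.

```python
"""Added example, not Johnson Controls or CISA tooling: patch-triage helper that
encodes the affected-version table for CVE-2025-26385 as inclusive ranges and
reports which asset-inventory entries fall inside them.

Assumptions (not stated in the advisory): version strings are dotted integers
such as "14.1" or "13.0.2", compared numerically component by component, and a
bound is compared at its own precision, so "<=14.1" covers any hypothetical
14.1.x and ">=12.0" covers 12.0.x.  Treat a match as "needs the vendor fix"."""

from typing import Iterable, List, Optional, Tuple

# Ranges exactly as listed in the advisory: (lower_inclusive, upper_inclusive).
# A None lower bound means every earlier release is affected.
AFFECTED = {
    "ADS":     (None,   "14.1"),
    "ADX":     (None,   "14.1"),
    "LCS8500": ("12.0", "14.1"),
    "NAE8500": ("12.0", "14.1"),
    "SCT":     (None,   "17.1"),
    "CCT":     (None,   "17.0"),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'13.0.2' -> (13, 0, 2); raises ValueError on non-numeric components."""
    return tuple(int(part) for part in text.strip().split("."))

def at_precision(version: Tuple[int, ...], precision: int) -> Tuple[int, ...]:
    """Truncate or zero-pad a version tuple to `precision` components."""
    trimmed = version[:precision]
    return trimmed + (0,) * (precision - len(trimmed))

def in_range(version: str, lower: Optional[str], upper: str) -> bool:
    """Inclusive range test, each bound compared at its own precision."""
    v = parse_version(version)
    if lower is not None:
        lo = parse_version(lower)
        if at_precision(v, len(lo)) < lo:
            return False
    hi = parse_version(upper)
    return at_precision(v, len(hi)) <= hi

def is_affected(product: str, version: str) -> bool:
    """True if the product/version pair is inside the advisory's affected range.
    Unknown product names raise KeyError rather than being silently skipped."""
    lower, upper = AFFECTED[product.upper()]
    return in_range(version, lower, upper)

def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter (hostname, product, version) records down to those still affected."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("bms-ads-01", "ADS",     "14.1"),
    ("bms-adx-01", "ADX",     "13.0.2"),
    ("bms-nae-07", "NAE8500", "11.0"),    # below the 12.0 lower bound
    ("bms-nae-08", "NAE8500", "12.0"),
    ("eng-ws-03",  "SCT",     "17.1"),
    ("eng-ws-04",  "CCT",     "17.1"),    # above CCT's listed upper bound of 17.0
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is within the affected range")
```

The conservative precision rule means a host reporting "14.1.x" is flagged rather than silently passed; confirm the exact fixed builds against the Johnson Controls PSA before clearing a host.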
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: Visual Basic
Server Software Component: SQL Database
Data Manipulation: Stored Data Manipulation
Data Manipulation: Transmitted Data Manipulation
Network Service Discovery
System Information Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Requirement for Secure Coding Practices
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – Implementation of ICT Security Policies and Procedures
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Segmentation of Trusted and Untrusted Networks
Control ID: Network Segmentation and Isolation
NIS2 Directive – Supply Chain Security and Vulnerability Handling
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Commercial Real Estate
The Johnson Controls building management vulnerability enables remote SQL injection that could compromise HVAC controls, access systems, and critical facility operations across commercial properties.
Health Care / Life Sciences
The CVSS 10 vulnerability in Johnson Controls Metasys threatens hospital building controls and the patient safety systems that depend on them, and any resulting data breach would create HIPAA compliance exposure.
Government Administration
Government facilities using Johnson Controls building automation face remote command injection risk to security systems, environmental controls, and the protection of sensitive operational infrastructure.
Higher Education/Academia
Educational institutions running Johnson Controls building systems are exposed to a critical vulnerability that could allow unauthorized access to campus infrastructure, HVAC controls, and facility security mechanisms.
Sources
- CISA ICS Advisory ICSA-26-027-04, Johnson Controls Products: https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04
- Johnson Controls Product Security Advisory JCI-PSA-2026-02: https://www.johnsoncontrols.com/-/media/jci/psa-2026-02.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
The advisory maps directly onto CNSF and Zero Trust controls: layered segmentation, east-west traffic controls, and egress governance would constrain attacker movement after compromise, limit privilege escalation, and block data exfiltration even once the initial exploit has succeeded. Identity-aware access, workload isolation, and continuous monitoring would aid detection or prevention at several phases of the attack path described above.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Network and workload segmentation could have restricted direct internet access to the SQL service, minimizing exposure to exploitation.
Control: Zero Trust Segmentation
Mitigation: Segmented identity and privilege boundaries could have limited an attacker's lateral privilege escalation within the environment.
Control: East-West Traffic Security
Mitigation: Lateral movement would have been impeded by stringent east-west policy enforcement and continuous monitoring between network segments.
Control: Multicloud Visibility & Control
Mitigation: Centralized visibility and outbound connection control could have detected or blocked unauthorized command and control attempts.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound policy enforcement could have blocked unauthorized data transfers and flagged suspicious exfiltration attempts.
Had lateral movement or exfiltration been effectively constrained, the extent of destructive impact would have been correspondingly limited.
Impact at a Glance
Affected Business Functions
- Building Management Systems
Estimated downtime: 3 days
Estimated loss: $500,000
Potential alteration or loss of critical building management data.
Recommended Actions
Key Takeaways & Next Steps
- Immediately patch vulnerable Johnson Controls applications and remove any internet or business-network exposure of the database and management ports (e.g., TCP 1433 for the SQL service).
- Enforce microsegmentation and zero trust policies to isolate high-value ICS workloads from business and external networks.
- Implement strict egress filtering and outbound FQDN policies to limit data exfiltration and command-and-control channels.
- Activate real-time anomaly detection and inline IPS to monitor and respond to suspicious behavior across the cloud fabric.
- Centralize visibility across multi-cloud and hybrid environments to quickly identify, investigate, and contain future threats.
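Two of the actions above, and the exposure assumed under Initial Compromise, can be checked from a flow or firewall log rather than by scanning: any inbound connection to the SQL service on TCP 1433 from outside the organization, and any outbound connection from the building-management segment that is not on an explicit egress allow-list. The Python below is an added example, not code from the advisory or any Johnson Controls tool; the log format, the 10.50.0.0/24 BMS segment, the allow-list entries, and the sample log lines are all constructed for the example.

```python
"""Added example, not part of the advisory or any Johnson Controls tool.
Scans a flow log for two of the conditions the recommendations call out:
inbound connections to the Metasys SQL service (TCP 1433) from outside the
organisation, and outbound connections from the BMS segment that are not on
an explicit egress allow-list.  The log format, the subnets, and the
allow-list are assumptions made for the example."""

import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Assumed network layout: the building-management segment and its permitted egress.
BMS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.10.0.0/24"), 123),    # internal NTP
    (ipaddress.ip_network("10.10.5.10/32"), 443),   # internal patch relay
]
# Ports that must never accept connections from outside the organisation.
MONITORED_INBOUND_PORTS = {1433}   # SQL Server, the exposure noted in the advisory
# RFC 1918 space, listed explicitly: Python's is_global/is_private also classify
# the documentation ranges (203.0.113.0/24 etc.) used in the sample as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str

def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,dst,dport,proto' record (constructed CSV-style format)."""
    ts, src, dst, dport, proto = line.strip().split(",")
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())

def is_internal(addr) -> bool:
    """True for RFC 1918 sources; everything else is treated as internet-sourced."""
    return any(addr in net for net in INTERNAL_NETS)

def egress_allowed(dst, dport: int) -> bool:
    """True only if destination and port match an allow-list entry."""
    return any(dst in net and dport == port for net, port in EGRESS_ALLOW)

def analyze_flows(lines: Iterable[str]) -> List[str]:
    """Return one finding string per offending flow, in log order."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        # 1. Database port reachable from a non-RFC1918 (internet) source.
        if (f.proto == "tcp" and f.dst in BMS_SEGMENT
                and f.dport in MONITORED_INBOUND_PORTS and not is_internal(f.src)):
            findings.append(f"{f.ts} EXPOSED_DB_PORT {f.src} -> {f.dst}:{f.dport}")
        # 2. BMS host talking outbound to something not on the allow-list.
        if (f.src in BMS_SEGMENT and f.dst not in BMS_SEGMENT
                and not egress_allowed(f.dst, f.dport)):
            findings.append(f"{f.ts} UNAPPROVED_EGRESS {f.src} -> {f.dst}:{f.dport}")
    return findings

# Constructed sample log; addresses are documentation/RFC 1918 ranges, not real hosts.
SAMPLE_LOG = """\
# ts,src,dst,dport,proto
2026-01-28T10:00:01Z,203.0.113.7,10.50.0.12,1433,tcp
2026-01-28T10:00:02Z,10.20.3.4,10.50.0.12,1433,tcp
2026-01-28T10:00:03Z,10.50.0.12,10.10.0.5,123,udp
2026-01-28T10:00:04Z,10.50.0.12,198.51.100.9,443,tcp
2026-01-28T10:00:05Z,10.50.0.12,10.10.5.10,443,tcp
"""

if __name__ == "__main__":
    for finding in analyze_flows(SAMPLE_LOG.splitlines()):
        print(finding)
```

The first check is the quickest evidence that the SQL service is internet-reachable and therefore in scope for the unauthenticated path; the second is the egress-filtering control expressed as a default-deny allow-list, so a BMS host reaching an arbitrary external host on 443 is reported even though the port itself is common.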