CVE-2021-27657

Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
jciCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
VendorProductVersion
johnsoncontrolsmetasys
𝑥
≤ 11.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01
https://us-cert.gov/ics/advisories
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01
https://us-cert.gov/ics/advisories
https://www.johnsoncontrols.com/cyber-solutions/security-advisories