CVE-2025-26385

EUVD-2025-206581
The Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects:

  *  Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation, 
  *  Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation, 
  *  LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1, 
  *  System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior, 
  *  Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.
Command Injection
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | UNKNOWN | ---