CVE-2025-26385
Command Injection in Johnson Controls Metasys SQL Express Components
Publication date: 2026-01-30
Last updated on: 2026-01-30
Assigner: Johnson Controls
Description
The Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects:
* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
* Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| johnson_controls | metasys_application_and_data_server | to 14.1 (exc) |
| johnson_controls | extended_application_and_data_server | to 14.1 (exc) |
| johnson_controls | lcs8500 | From 12.0 (inc) to 14.1 (inc) |
| johnson_controls | nae8500 | From 12.0 (inc) to 14.1 (inc) |
| johnson_controls | system_configuration_tool | to 17.1 (exc) |
| johnson_controls | controller_configuration_tool | to 17.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |