CVE-2025-26385
Unknown
Unknown - Not Provided
Command Injection in Johnson Controls Metasys SQL Express Components
Publication date: 2026-01-30
Last updated on: 2026-01-30
Assigner: Johnson Controls
Description
Description
Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affectsΒ
* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,Β
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,Β
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,Β
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,Β
* Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| johnson_controls | metasys_application_and_data_server | to 14.1 (exc) |
| johnson_controls | extended_application_and_data_server | to 14.1 (exc) |
| johnson_controls | lcs8500 | From 12.0 (inc) to 14.1 (inc) |
| johnson_controls | nae8500 | From 12.0 (inc) to 14.1 (inc) |
| johnson_controls | system_configuration_tool | to 17.1 (exc) |
| johnson_controls | controller_configuration_tool | to 17.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Command Injection issue in various Johnson Controls Metasys components that use SQL Express. It involves improper neutralization of special elements in commands, which could allow an attacker to execute remote SQL commands on affected systems.
How can this vulnerability impact me? :
Exploitation of this vulnerability could allow an attacker to remotely execute SQL commands, potentially leading to unauthorized access, data manipulation, or disruption of the affected Metasys systems.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70