Critical

SQL Injection in Johnson Controls Metasys SQL Express Deployments

IdentifiersCVE-2025-26385CWE-77· Improper Neutralization of Special…

CVE-2025-26385 is a maximum-severity vulnerability affecting multiple Johnson Controls Metasys components when Microsoft SQL Express is deployed as part of the installation. The issue is described by the vendor as improper neutralization of special elements used in a command, mapped to CWE-77, and the supporting advisories characterize the practical outcome as SQL injection leading to remote SQL execution. Affected products include Metasys Application and Data Server (ADS) installed with SQL Express in Metasys 14.1 and prior, Extended Application and Data Server (ADX) installed with SQL Express in Metasys 14.1, LCS8500 and NAE8500 installed with SQL Express in Metasys releases 12.0 through 14.1, System Configuration Tool (SCT) 17.1 and prior when installed with SQL Express, and Controller Configuration Tool (CCT) 17.0 and prior when installed with SQL Express. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary SQL commands against the backend database.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can provide unauthenticated remote SQL execution against the affected Metasys backend database. This can enable attackers to read, modify, or delete data, including potentially sensitive operational and configuration data. In the building automation context described in the supporting content, this could result in exfiltration of sensitive data, destruction or alteration of historical records, manipulation of system data that influences physical building environments, and broader operational disruption of affected Metasys deployments. The advisory material assigns the issue a CVSS v3 score of 10.0, reflecting critical impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, close inbound TCP port 1433 to reduce exposure to SQL Server traffic. Isolate control system networks from the internet, place them behind firewalls, and separate them from business networks. Ensure Metasys installations are on segmented networks and not exposed to untrusted networks. Follow the Metasys Release 14 Hardening Guide. Where remote access is required, use VPNs that are fully patched and ensure the security of connected endpoints. For legacy systems that cannot be patched promptly, use network segmentation and, where operationally feasible, air-gapping.

Remediation

Patch, then assume compromise.

Apply the Johnson Controls Metasys patch for GIV-165989 from the Johnson Controls License Portal. Organizations should update affected ADS, ADX, LCS8500, NAE8500, SCT, and CCT deployments that include SQL Express, and prioritize systems in exposed or high-impact environments. Follow Johnson Controls product security advisories and associated CISA ICS guidance to ensure all affected versions are remediated.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Johnson ControlsController Configuration Tool (Cct)application

Johnson ControlsLcs8500hardware

Johnson ControlsMetasys Application And Data Server (Ads)application

Johnson ControlsMetasys Extended Application And Data Server (Adx)application

Johnson ControlsNae8500hardware

Johnson ControlsSystem Configuration Tool (Sct)application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

the hacker newsNews

Feb 2, 2026

⚡ Weekly Recap: Proxy Botnet, Office Zero-Day, MongoDB Ransoms, AI Hijacks & New Threats

Unknown (listed as a trending CVE affecting Johnson Controls; no technical details provided in the content).

cyber security newsNews

Feb 1, 2026

Critical Johnson Controls Products Vulnerabilities Enables Remote SQL Injection Attacks

A critical unauthenticated SQL injection vulnerability in multiple Johnson Controls ICS applications that can allow remote attackers to execute arbitrary SQL commands, enabling data alteration, deletion, or exfiltration.

security online infoNews

Jan 30, 2026

Smart Buildings at Risk: Critical Johnson Controls Flaw (CVSS 10) Allows Remote SQL Injection

A critical (CVSS 10.0) vulnerability in Johnson Controls Metasys (ADS/ADX and related tools) that can allow remote SQL execution via SQL injection, potentially enabling attackers to alter or destroy building automation data and disrupt operations.

cvefeed high severityNews

Feb 6, 2026

CVE-2025-26385 - Metasys product command injection vulnerability could allow remote SQL execution

A command injection vulnerability in Johnson Controls Metasys components (when installed with SQL Express) that could allow remote SQL execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5