CVE-2021-36198

8.3 HIGH

📋 TL;DR

CVE-2021-36198 is an information disclosure vulnerability in Johnson Controls Metasys products that allows unauthorized users to access sensitive data. This affects building automation systems running vulnerable versions of Metasys software. Organizations using these systems for facility management are at risk.

💻 Affected Systems

Products:
  • Johnson Controls Metasys
  • Johnson Controls Facility Explorer
Versions: prior to 11.0.2
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Metasys Extended Application and Data Server (EAD) and Facility Explorer Front End (FEFE) components.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to building control systems, sensitive operational data, and potentially pivot to other critical infrastructure systems.

🟠

Likely Case

Unauthorized access to building automation data, operational schedules, and system configurations.

🟢

If Mitigated

Limited data exposure with proper network segmentation and access controls in place.

🌐 Internet-Facing: HIGH - If exposed to internet, attackers can directly exploit without internal access.
🏢 Internal Only: MEDIUM - Requires internal network access but still significant if exploited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Vulnerability allows unauthorized access without authentication, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 11.0.2 or later

Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Restart Required: Yes

Instructions:

1. Download Metasys 11.0.2 or later from the Johnson Controls support portal.
2. Back up the current configuration.
3. Install the update following vendor documentation.
4. Restart affected services/systems.

🔧 Temporary Workarounds

Network Segmentation


Isolate Metasys systems from untrusted networks and implement strict firewall rules.

Access Control Restrictions


Implement strict network access controls and limit connections to authorized IP addresses only.

🧯 If You Can't Patch

  • Implement strict network segmentation and isolate affected systems from untrusted networks
  • Deploy network monitoring and intrusion detection specifically for Metasys traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check Metasys version in System Configuration or About dialog. Versions prior to 11.0.2 are vulnerable.

Check Version:

Check via the Metasys System Configuration interface or Windows Programs and Features.

Verify Fix Applied:

Verify version is 11.0.2 or later and test that unauthorized access to sensitive endpoints is blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to Metasys endpoints
  • Unusual data access patterns from unexpected sources

Network Indicators:

  • Unusual traffic to Metasys ports (typically 80/443)
  • Unauthorized API calls to sensitive endpoints

SIEM Query:

source_ip NOT IN (authorized_ips) AND dest_port IN (80,443) AND dest_ip IN (metasys_servers)
