CVE-2022-21938
📋 TL;DR
This cross-site scripting (XSS) vulnerability in Johnson Controls Metasys building automation systems allows attackers to inject malicious scripts into the MUI Graphics web interface. When exploited, it could enable session hijacking, credential theft, or redirection to malicious sites. Affected users include organizations running Metasys ADS/ADX/OAS version 10 releases prior to 10.1.5 or version 11 releases prior to 11.0.2.
💻 Affected Systems
- Metasys ADS
- Metasys ADX
- Metasys OAS
📦 What is this software?
Metasys Application And Data Server by Johnson Controls
Metasys Extended Application And Data Server by Johnson Controls
Metasys Open Application Server by Johnson Controls
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of building automation system, unauthorized control of HVAC, lighting, or security systems, data exfiltration, and lateral movement to other network segments.
Likely Case
Session hijacking, credential theft from authenticated users, defacement of web interface, or redirection to phishing sites.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting user interface elements without system compromise.
🎯 Exploit Status
Exploitation requires user interaction with the web interface; typical XSS exploitation techniques apply.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.5 for version 10, 11.0.2 for version 11
Vendor Advisory: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Restart Required: Yes
Instructions:
1. Download patches from the Johnson Controls support portal.
2. Apply the patch to affected Metasys servers.
3. Restart the Metasys services.
4. Verify patch installation through a version check.
🔧 Temporary Workarounds
Network Segmentation
Isolate Metasys systems from untrusted networks and limit access to authorized users only.
Web Application Firewall
Deploy a WAF with XSS protection rules to filter malicious input.
🧯 If You Can't Patch
- Implement strict input validation and output encoding in custom web interfaces.
- Use Content Security Policy (CSP) headers to restrict script execution sources.
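The two compensating controls above, output encoding and a Content Security Policy, shown in an added Python example. This is illustrative code written for this page, not Metasys or Johnson Controls code; the graphic-label rendering functions, the `/MUI/...` path and the CSP value are assumptions chosen to demonstrate the controls, not the product's real interface.

```python
import html
from urllib.parse import urlsplit

# Constructed CSP: scripts may only be loaded from the application's own
# origin, so an injected inline <script> or javascript: URL is refused by
# the browser even if it reaches the page. Tighten or loosen per deployment.
CSP_HEADER = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'none'"
)


def render_label_unsafe(label: str) -> str:
    """The defect pattern behind XSS: untrusted text concatenated into markup."""
    return f'<span class="graphic-label">{label}</span>'


def render_label(label: str) -> str:
    """Hardened form: entity-encode for an HTML element-body context, so
    angle brackets and quotes become inert text instead of markup."""
    return f'<span class="graphic-label">{html.escape(label, quote=True)}</span>'


def safe_href(target: str) -> str:
    """Allow only same-site absolute paths or http(s) URLs as link targets.
    javascript:, data:, protocol-relative (//host) and other schemes are
    replaced with '#'. The result is entity-encoded for an attribute value."""
    candidate = target.strip()
    parts = urlsplit(candidate)  # scheme is lower-cased by urlsplit
    same_site_path = parts.scheme == "" and candidate.startswith("/") \
        and not candidate.startswith("//")
    if parts.scheme in ("http", "https") or same_site_path:
        return html.escape(candidate, quote=True)
    return "#"


def security_headers() -> dict:
    """Response headers to add on the application or a reverse proxy in front of it."""
    return {
        "Content-Security-Policy": CSP_HEADER,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed untrusted input of the kind a graphic-name field might carry.
    tainted = "Lobby <script>x</script>"
    print(render_label_unsafe(tainted))      # script tag survives: vulnerable
    print(render_label(tainted))             # &lt;script&gt;x&lt;/script&gt;: inert
    print(safe_href("javascript:void(0)"))   # "#"
    print(security_headers()["Content-Security-Policy"])
```

The encoding function is context-specific: `html.escape` is correct for element bodies and quoted attributes, but a value placed inside a URL, a JavaScript string or a CSS rule needs the encoder for that context, and the CSP header is what limits the damage when an encoding step is missed.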
🔍 How to Verify
Check if Vulnerable:
Check Metasys server version via web interface or system properties; versions below 10.1.5 (for v10) or 11.0.2 (for v11) are vulnerable.
Check Version:
Check via Metasys web interface or server console; specific command varies by installation.
Verify Fix Applied:
Confirm version is 10.1.5 or higher for v10, or 11.0.2 or higher for v11, and test XSS payloads in MUI Graphics interface.
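The version comparison described in this section, as an added Python example (not vendor tooling). It encodes the fixed builds the advisory names, 10.1.5 for the 10.x branch and 11.0.2 for the 11.x branch, and treats any other branch as not named by this advisory. The version strings and hostnames in the inventory are constructed; how you obtain each server's version string (web interface or server console) varies by installation, as the page notes.

```python
import re

# Fixed builds named in the advisory, keyed by major release branch.
FIXED_VERSIONS = {10: (10, 1, 5), 11: (11, 0, 2)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z triple from a version string such as
    '10.1.4' or 'Metasys ADX Release 11.0.1 (build 17)' as integers,
    so that comparison is numeric rather than lexical."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text: str) -> bool:
    """True when the version is in an affected branch (10.x or 11.x) and
    below that branch's fixed build. Branches the advisory does not name
    are reported as not affected by this advisory."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    return fixed is not None and version < fixed


def triage(inventory: dict) -> list:
    """Given {hostname: version_string}, return the hosts that still need the patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed inventory of Metasys servers and the version each reports.
    servers = {
        "ads-hq": "10.1.4",
        "adx-plant": "Metasys ADX Release 11.0.1 (build 17)",
        "oas-lab": "11.0.2",
        "ads-branch": "10.1.5",
    }
    print(triage(servers))  # ['ads-hq', 'adx-plant']
```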
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags or JavaScript in web request logs
- Multiple failed login attempts followed by script injection
Network Indicators:
- HTTP requests containing script tags or JavaScript to Metasys web endpoints
- Unusual outbound connections from Metasys server
SIEM Query:
source="metasys_web_logs" AND (http_request CONTAINS "<script>" OR http_request CONTAINS "javascript:")
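The SIEM query above matches the literal strings `<script>` and `javascript:`, which misses percent-encoded and double-encoded requests. The added Python example below applies the same two indicators after repeated URL-decoding and case-folding, which is how the application itself would see the input. It is illustrative detection logic written for this page, not a Metasys or SIEM feature; the log lines are constructed in Apache combined format and the `/MUI/Graphics/...` paths are assumed, not the product's real endpoints.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx combined log format: client, ident, user, time, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The same two indicators the page's SIEM query uses, compared case-insensitively.
INDICATORS = ("<script", "javascript:")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are seen as the
    application would see them; stop once decoding no longer changes the text."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for a request carrying an indicator, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    target = decode_fully(match.group("target")).lower()
    hits = [ind for ind in INDICATORS if ind in target]
    if not hits:
        return None
    return {
        "ip": match.group("ip"),
        "time": match.group("time"),
        "target": target,
        "indicators": hits,
    }


def scan_log(lines) -> list:
    """Scan an iterable of log lines and collect every finding."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample log: one benign request, one plainly encoded script tag,
# one double-encoded script tag, and one mixed-case javascript: URL.
SAMPLE_LOG = [
    '10.0.5.21 - operator [12/Mar/2024:09:15:02 +0000] "GET /MUI/Graphics/view?name=Lobby HTTP/1.1" 200 4120',
    '10.0.5.77 - - [12/Mar/2024:09:16:44 +0000] "GET /MUI/Graphics/view?name=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 4190',
    '10.0.5.77 - - [12/Mar/2024:09:16:50 +0000] "GET /MUI/Graphics/view?name=%253Cscript%253E HTTP/1.1" 200 4100',
    '10.0.5.90 - - [12/Mar/2024:09:17:10 +0000] "GET /MUI/Graphics/view?link=JavaScript%3Avoid(0) HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["indicators"], finding["target"])
```

Decoding before matching is the part that matters in practice; the literal query only sees the second sample line, while this scan flags all three hostile requests. Feed the findings into a per-source count if you also want the "repeated attempts from one client" signal the Log Indicators list mentions.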