CVE-2025-26381
📋 TL;DR
This vulnerability (CWE-425: Direct Request) allows attackers to bypass intended access controls and retrieve sensitive information by directly accessing resources. It affects Johnson Controls Metasys products used in building automation systems. Organizations using these systems for critical infrastructure are particularly at risk.
💻 Affected Systems
- Johnson Controls Metasys ADS/ADX Servers
- Johnson Controls Metasys Extended Application (MxE)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full access to building control systems, potentially manipulating HVAC, security, or fire safety systems in critical infrastructure.
Likely Case
Unauthorized access to sensitive configuration data, user credentials, or system logs from building automation networks.
If Mitigated
Limited exposure due to network segmentation and proper access controls preventing external access to affected systems.
🎯 Exploit Status
Direct request vulnerabilities typically require minimal technical skill to exploit once the target is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Johnson Controls PSA-2025-05 for specific version updates
Vendor Advisory: https://tyco.widen.net/view/pdf/xmejieec4b/JCI-PSA-2025-05.pdf
Restart Required: Yes
Instructions:
1. Review Johnson Controls PSA-2025-05 advisory.
2. Apply vendor-provided patches for affected Metasys components.
3. Restart affected services/systems.
4. Verify patch application through version checks.
🔧 Temporary Workarounds
Network Segmentation
Isolate Metasys systems from untrusted networks and implement strict firewall rules.
Access Control Lists
Implement IP-based restrictions to limit access to Metasys web interfaces.
🧯 If You Can't Patch
- Segment affected systems on isolated VLANs with no internet access
- Implement strict network monitoring and alerting for unusual access patterns to Metasys interfaces
🔍 How to Verify
Check if Vulnerable:
Check system version against affected versions listed in Johnson Controls PSA-2025-05. Test web interface access controls.
Check Version:
Check Metasys application version through administrative interface or system documentation
Verify Fix Applied:
Verify installed version matches patched versions in advisory. Test that direct requests to sensitive resources now require proper authentication.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Metasys web resources
- Direct requests to sensitive URLs without authentication
Network Indicators:
- Unusual HTTP requests to Metasys web interfaces from unexpected sources
- Traffic patterns suggesting enumeration of web resources
SIEM Query:
source="metasys_logs" AND (url_path CONTAINS "/sensitive/" OR (status_code=200 AND user_agent="unknown"))
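The log and network indicators above can be checked offline against exported web-server access logs. The following script is an added example written for this page; it is not code from Johnson Controls or from the advisory. It assumes a combined-format access log (constructed sample lines are embedded), a placeholder sensitive-path prefix (the page names no real Metasys paths; substitute the resources listed in PSA-2025-05), and a hypothetical management subnet from which access to the Metasys web interface is expected. It flags three things: a 200 response to a sensitive path with no authenticated user (a direct request), any request from outside the allowed subnet, and one source producing many distinct 404s (resource enumeration).

```python
"""Offline detection for the indicators on this page (added example, not vendor code)."""
import ipaddress
import re
from collections import defaultdict

# Placeholder, as in the page's SIEM query: replace with the resources named in PSA-2025-05.
SENSITIVE_PREFIXES = ("/sensitive/",)
# Hypothetical management network from which Metasys web access is expected.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]
# Distinct 404 paths from one source before we call it enumeration (tunable).
ENUMERATION_THRESHOLD = 5

# Combined log format (host ident user [time] "method path proto" status size "referer" "ua").
LOG_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]   # "-" means unauthenticated
    return rec


def is_direct_request(rec):
    """Log indicator: sensitive resource served (200) with no authenticated user."""
    return (rec["status"] == 200 and rec["user"] is None
            and rec["path"].startswith(SENSITIVE_PREFIXES))


def is_unexpected_source(rec):
    """Network indicator: request from outside the management allowlist."""
    try:
        src = ipaddress.ip_address(rec["src"])
    except ValueError:
        return True                      # unparsable source is itself suspicious
    return not any(src in net for net in ALLOWED_SOURCES)


def analyze(lines):
    """Return a list of (kind, source, detail) alerts for the given log lines."""
    alerts = []
    not_found = defaultdict(set)         # source -> distinct 404 paths
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # skip lines that are not access-log records
        if is_direct_request(rec):
            alerts.append(("direct_request", rec["src"], rec["path"]))
        if is_unexpected_source(rec):
            alerts.append(("unexpected_source", rec["src"], rec["path"]))
        if rec["status"] == 404:
            not_found[rec["src"]].add(rec["path"])
    for src, paths in not_found.items():
        if len(paths) >= ENUMERATION_THRESHOLD:
            alerts.append(("enumeration", src, f"{len(paths)} distinct 404 paths"))
    return alerts


# Constructed sample log: one legitimate operator request, one unauthenticated direct
# request from an outside address, a burst of 404s from an internal host, and a junk line.
SAMPLE_LOG = [
    '10.10.0.5 - operator [01/Jun/2025:10:00:01 +0000] "GET /sensitive/config HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jun/2025:10:00:05 +0000] "GET /sensitive/config HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.10.0.9 - - [01/Jun/2025:10:01:00 +0000] "GET /probe1 HTTP/1.1" 404 0 "-" "scanner"',
    '10.10.0.9 - - [01/Jun/2025:10:01:01 +0000] "GET /probe2 HTTP/1.1" 404 0 "-" "scanner"',
    '10.10.0.9 - - [01/Jun/2025:10:01:02 +0000] "GET /probe3 HTTP/1.1" 404 0 "-" "scanner"',
    '10.10.0.9 - - [01/Jun/2025:10:01:03 +0000] "GET /probe4 HTTP/1.1" 404 0 "-" "scanner"',
    '10.10.0.9 - - [01/Jun/2025:10:01:04 +0000] "GET /probe5 HTTP/1.1" 404 0 "-" "scanner"',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG):
        print(f"{kind:18} {src:15} {detail}")
```

The authenticated operator request on the first line produces nothing, the outside address triggers both the direct-request and unexpected-source alerts, and the internal host is reported once for enumeration rather than once per probe. Tune `ALLOWED_SOURCES` and `SENSITIVE_PREFIXES` to the real deployment before relying on the output.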