CVE-2025-26385
📋 TL;DR
This CVE describes a command injection vulnerability in Johnson Controls Metasys components that allows remote SQL execution. Attackers can inject malicious commands through improperly neutralized special elements. Affected systems include Metasys ADS/ADX servers, LCS8500/NAE8500 controllers, and configuration tools running SQL Express.
💻 Affected Systems
- Metasys Application and Data Server (ADS)
- Extended Application and Data Server (ADX)
- LCS8500
- NAE8500
- System Configuration Tool (SCT)
- Controller Configuration Tool (CCT)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing remote attackers to execute arbitrary SQL commands, potentially leading to data theft, system manipulation, or lateral movement within the network.
Likely Case
Unauthorized database access leading to data exfiltration, system configuration changes, or denial of service through SQL command manipulation.
If Mitigated
Limited impact if proper network segmentation, input validation, and least privilege SQL accounts are implemented.
🎯 Exploit Status
Command injection vulnerabilities typically have low exploitation complexity. The advisory suggests remote exploitation is possible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Johnson Controls advisory for specific patched versions
Vendor Advisory: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
Restart Required: Yes
Instructions:
1. Review Johnson Controls advisory for specific patch versions
2. Apply patches according to vendor instructions
3. Restart affected services/components
4. Verify patch application and functionality
🔧 Temporary Workarounds
Network Segmentation
Isolate affected systems from untrusted networks and internet exposure
Input Validation Enhancement
Implement additional input validation and sanitization for SQL command parameters
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted IPs only
- Monitor SQL query logs for unusual patterns or injection attempts
🔍 How to Verify
Check if Vulnerable:
Check installed versions against the affected versions listed in the vendor advisory (the CVE record itself gives no version ranges) and verify whether SQL Express is deployed
Check Version:
Check application version through Metasys/SCT/CCT administration interfaces
Verify Fix Applied:
Verify patch installation through version checks and test SQL command functionality
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns
- Multiple failed SQL command attempts
- Unexpected database schema changes
Network Indicators:
- Unusual SQL traffic patterns to affected systems
- SQL injection payloads in network traffic
SIEM Query:
source="metasys_logs" AND (sql_command="*;*" OR sql_command="*|*" OR sql_command="*&*" OR sql_command="*`*")
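As an added illustration (not part of the original page), the following Python script applies the two log indicators above, the metacharacters from the SIEM query and repeated failed SQL commands from one source, to a few constructed key=value log lines. The log format, field names (ts, src, status, sql_command) and sample values are assumptions, not real Metasys output.

```python
import re
from collections import Counter

# Metacharacters matched by the page's SIEM query: ; | & and backtick
INJECTION_METACHARS = (";", "|", "&", "`")

# Constructed sample log lines in an assumed key=value format (not real Metasys logs)
SAMPLE_LOGS = """\
ts=2025-03-01T10:00:01Z src=10.0.0.5 user=operator status=ok sql_command="SELECT name FROM points WHERE id=42"
ts=2025-03-01T10:00:02Z src=10.0.0.9 user=guest status=failed sql_command="SELECT 1; SELECT * FROM users"
ts=2025-03-01T10:00:03Z src=10.0.0.9 user=guest status=failed sql_command="SELECT 1 | SELECT 2"
ts=2025-03-01T10:00:04Z src=10.0.0.9 user=guest status=failed sql_command="SELECT `id` FROM x"
ts=2025-03-01T10:00:05Z src=10.0.0.5 user=operator status=ok sql_command="UPDATE points SET value=1 WHERE id=42"
"""

# key=value pairs; values are either a double-quoted string or a bare token
LINE_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for key, value in LINE_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def suspicious_metachars(sql_command):
    """Return the SIEM-query metacharacters present in the command, in fixed order."""
    return [c for c in INJECTION_METACHARS if c in sql_command]

def scan_logs(text, failure_threshold=3):
    """Return (hits, noisy_sources): hits are (ts, src, metachars) tuples for
    commands containing a flagged metacharacter; noisy_sources are sources with
    at least failure_threshold failed SQL commands (the 'multiple failed
    attempts' indicator)."""
    hits, failures = [], Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        chars = suspicious_metachars(entry.get("sql_command", ""))
        if chars:
            hits.append((entry["ts"], entry["src"], chars))
        if entry.get("status") == "failed":
            failures[entry["src"]] += 1
    noisy = {src for src, n in failures.items() if n >= failure_threshold}
    return hits, noisy

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS)[0]:
        print("metachar hit:", hit)
```

Note that these metacharacters are legitimate in some SQL (backticks quote identifiers, for example), so treat hits as triage leads to review alongside the source and failure counts rather than as confirmed exploitation.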