Advisory

Johnson Controls Patches Critical SQL Injection Flaw in Metasys Building Automation

Take action: If you run Johnson Controls Metasys, review this advisory in detail. Isolate all building automation and other industrial devices from the internet and allow access only from trusted networks. Block inbound TCP port 1433 (the Microsoft SQL Server listener) at the firewall now, and apply the GIV-165989 patch to prevent unauthenticated takeover of the Metasys database.


Learn More

CISA and Johnson Controls report a critical vulnerability in Johnson Controls' Metasys building automation and configuration products. The flaw allows a remote attacker to execute SQL commands without authentication, and it affects critical infrastructure sectors worldwide, including energy, transportation, manufacturing, and government facilities.

The flaw is tracked as CVE-2025-26385 (CVSS score 10.0). It is classified as improper neutralization of special elements used in a command ('Command Injection') and lets an unauthenticated remote attacker execute SQL statements against the Metasys database.

The following Johnson Controls products and versions are affected:

  • Application and Data Server (ADS): versions 14.1 and earlier
  • Extended Application and Data Server (ADX): version 14.1
  • LCS8500 and NAE8500: versions 12.0 through 14.1
  • System Configuration Tool (SCT): versions 17.1 and earlier
  • Controller Configuration Tool (CCT): versions 17.0 and earlier

Johnson Controls released a patch for this issue, tracked as GIV-165989. Administrators must log in to the Johnson Controls License Portal to download and install it. The company also published a product security advisory (JCI-PSA-2026-02) with detailed mitigation steps for facility managers.

Immediate mitigations include blocking inbound TCP port 1433, the default Microsoft SQL Server listener, so that the Metasys database cannot be reached from outside the host or the trusted management segment. Administrators should isolate all control system devices from the public internet and place them behind firewalls on segmented networks. If remote access is required, use a secure VPN and ensure all connected devices are fully updated. Organizations should also follow the Metasys Release 14 Hardening Guide to limit exposure to untrusted networks.
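The port-1433 mitigation above, as an added example that is not from Johnson Controls, CISA, or the advisory itself: a PowerShell script to run in an elevated session on the Windows host where the Metasys ADS/ADX SQL Server instance lives. It lists what is listening on 1433, makes the firewall deny unsolicited inbound traffic by default, disables any existing allow rule for 1433, and then either blocks the port outright or allows it only from an explicit list of trusted addresses. The variable names, rule display names, and the sample address are assumptions made for this example.

```powershell
# Added example, not vendor code: restrict inbound TCP 1433 on a Metasys ADS/ADX host.
# Run in an elevated PowerShell session on the server that hosts the SQL Server instance.
# Assumption (not from the advisory): $TrustedDbClients holds the only remote addresses
# that still need database access (for instance an application server that talks to a
# separate database host). Leave it empty to block every remote source.
$Port = 1433
$TrustedDbClients = @()    # e.g. @('10.20.30.5'); hypothetical address

# 1. Show what is listening on 1433 and which process owns the socket.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Process      = $proc.ProcessName
            PID          = $_.OwningProcess
        }
    } | Format-Table -AutoSize

# 2. Deny unsolicited inbound traffic by default on every profile, so that only
#    explicit allow rules open anything.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 3. Disable any existing inbound allow rule for TCP 1433 (SQL Server setup
#    frequently creates one).
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

# 4. Either block the port for every remote source, or allow it only from the
#    trusted list. Windows Firewall lets an explicit Block rule override Allow
#    rules, so the two are never created together.
if ($TrustedDbClients.Count -eq 0) {
    New-NetFirewallRule -DisplayName 'Metasys - block inbound SQL 1433' `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Block
} else {
    New-NetFirewallRule -DisplayName 'Metasys - allow SQL 1433 from trusted hosts' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $TrustedDbClients -Action Allow
}

# 5. Verify from a machine on an untrusted segment (replace the host name):
#    Test-NetConnection -ComputerName ads-host.example -Port 1433
#    TcpTestSucceeded must be False from anywhere not in $TrustedDbClients.
```

Metasys components on the same host keep working, because Windows Firewall does not filter the machine's own loopback traffic. This rule is a host-level control only; it does not replace the network segmentation, VPN-only remote access, and the GIV-165989 patch that the advisory calls for.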
