ICSA-14-350-02  ·  Published 2025-06-06

Johnson Controls Metasys Vulnerabilities

CVSS 10.0 CRITICAL

Remediations

  • Johnson Controls has developed patches for all affected Metasys releases (4.1, 5.x, and 6.x). Metasys releases prior to Release 4.1 are not affected. Metasys products NxE25/35/45 are also not affected by these vulnerabilities.
  • The product patches, along with installation instructions, can be obtained from any local Johnson Controls branch office or Metasys Authorized Building Control Specialists.
  • Johnson Controls recommends that asset owners and operators adhere to IT best practices and guidelines described in the following Metasys installation documents to further reduce the risk associated with these vulnerabilities:
      • Network and IT Guidance for the IT Professional Technical Bulletin (LIT-1201578), available at: http://cgproducts.johnsoncontrols.com/MET_PDF/1201578.pdf
      • Network and IT Guidance for the BAS Professional Technical Bulletin (LIT-12011279), available at: http://cgproducts.johnsoncontrols.com/MET_PDF/12011279.pdf

Affected Vendors

Johnson Controls

Affected Products (7)

Johnson Controls · Metasys >=4.1|<6.5
Johnson Controls · Application and Data Server (ADS) vers:all/*
Johnson Controls · Extended Application and Data Server (ADX) vers:all/*
Johnson Controls · LonWorks Control Server 85 (LCS8520) vers:all/*
Johnson Controls · Network Automation Engine (NAE) 55xx-x_models
Johnson Controls · Network Integration Engine (NIE) 5xxx-x_models
Johnson Controls · NxE8500 vers:all/*
