ICSA-22-111-02  ·  Published 2022-04-21

Johnson Controls Metasys SCT Pro

CVSS 5.3 MEDIUM

Risk Summary

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to identify and forge requests to internal systems via a specially crafted request, allowing an attacker to determine whether specific files or paths exist.

CVEs (1)

Remediations

  • Update SCT/SCT Pro with Patch 14.2.2
  • Take proper steps to minimize risks to all building automation systems.
  • For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2022-03 v1

Affected Vendors

Johnson Controls Inc

Affected Products (2)

Johnson Controls Inc · Metasys System Configuration Tool (SCT) < 14.2.2
Johnson Controls Inc · Metasys System Configuration Tool Pro (SCT Pro) < 14.2.2

Affected Sectors

Critical Manufacturing
