ICSA-22-165-01 · Published 2022-06-14 · View on CISA ICS-CERT ↗

Johnson Controls Metasys ADS ADX OAS Servers

CVSS 8.7 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could allow unauthorized users to compromise passwords and inject malicious code into web interfaces.

CVEs (3)

CVE-2022-21935 CVE-2022-21937 CVE-2022-21938

Remediations

Update Metasys ADS/ADX/OAS Version 10 with patch 10.1.5
Update Metasys ADS/ADX/OAS Versions 11 with patch 11.0.2
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2022-10 v1

Affected Vendors

Johnson Controls Inc

Affected Products (1)

Johnson Controls Inc · All Metasys ADS/ADX/OAS 10 | 11

Affected Sectors

Critical Manufacturing

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more