ICSA-26-027-04 · Published 2026-01-27
Johnson Controls Metasys Products
CVSS 10.0 (CRITICAL)
Risk Summary
Successful exploitation of this vulnerability could result in remote SQL execution, leading to alteration or loss of data.
CVEs (1)
Remediations
- Johnson Controls recommends downloading and executing the Metasys patch for GIV-165989 from the License Portal. Login credentials are required.
- Johnson Controls advises following the Metasys Release 14 Hardening Guide to ensure each Metasys installation is on a segmented network and not exposed to untrusted networks such as the internet.
- Additionally, closing incoming TCP port 1433 can protect against exploitation of this vulnerability.
- For more detailed mitigation instructions, visit Johnson Controls Product Security Advisory JCI-PSA-2026-02.
Affected Vendors
Johnson Controls
Affected Products (6)
- Johnson Controls · Metasys Application and Data Server (ADS) · <=14.1
- Johnson Controls · Metasys Extended Application and Data Server (ADX) · 14.1
- Johnson Controls · Metasys LCS8500 · >=12.0|<=14.1
- Johnson Controls · Metasys NAE8500 · >=12.0|<=14.1
- Johnson Controls · Metasys System Configuration Tool (SCT) · <=17.1
- Johnson Controls · Metasys Controller Configuration Tool (CCT) · <=17.0
Affected Sectors
Commercial Facilities, Critical Manufacturing, Energy, Government Services and Facilities, Transportation Systems