Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects
- Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
- Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
- LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
- System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
- Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.
a. Follow the Johnson Controls hardening guide steps to ensure your Metasys installation is on a segmented network, not exposed to untrusted networks such as the internet
b. Download and execute the Metasys patch for GIV-165989 from the License Portal https://software.jci.com/licenseportal/ . Login credentials are required
c. Close incoming TCP port 1433
d. For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2026-02 at the following location: https://www.johnsoncontrols.com/cyber-solutions/security-advisories