CVE-2025-26385

EPSS 0.25%
Veröffentlicht 30.01.2026 11:05:16
Zuletzt bearbeitet 04.02.2026 16:34:21
Quelle productsecurity@jci.com
CVE-Watchlists
Login
Unerledigt
Login

Johnson Controls Metasys component listed below have  Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects 



  *  Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation, 
  *  Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation, 
  *  LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1, 
  *  System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior, 
  *  Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerJohnson Controls

≫

Produkt Metasys

Default Statusunaffected

Version Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation

Status affected

Version Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation

Status affected

Version LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1

Status affected

Version System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior

Status affected

Version Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.478

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
productsecurity@jci.com	9.5	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04

https://nvd.nist.gov/vuln/detail/CVE-2025-26385

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-26385

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-26385

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-26385