Johnson Controls Metasys Products Command Injection Vulnerability Allowing Remote SQL Execution

Vulnerability

A command injection vulnerability has been identified in several Johnson Controls Metasys components, including the Application and Data Server (ADS), Extended Application and Data Server (ADX), LCS8500, NAE8500, System Configuration Tool (SCT), and Controller Configuration Tool (CCT). This vulnerability affects Metasys versions 14.1 and prior, as well as SQL Express installations deployed with these applications. Successful exploitation could allow for remote execution of SQL commands, potentially leading to unauthorized data modification or deletion.

Impact

Exploitation of this vulnerability could result in remote execution of SQL commands, allowing an attacker to alter or delete data.

Added: Jan 30, 2026, 11:22 AM
Updated: Jan 30, 2026, 11:22 AM

Vulnerability Rating

Custom Algorithm

Spread: 4.5
Impact: 3.1
Exploitability: 6.6
Remediation: 0.0
Relevance: 2.5
Threat: 0.0
Urgency: 2.9
Incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.