
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a maximum severity alert regarding a security flaw affecting Johnson Controls, a global leader in smart building technology. This vulnerability, classified as CVE-2025-26385, has been assessed with a CVSS score of 10, suggesting a critical impact and potential ease of exploitation.
The flaw affects Metasys, primarily the Application and Data Server (ADS) and its associated configuration tools. If exploited maliciously, this vulnerability could allow attackers to remotely execute SQL commands, potentially gaining control of data related to the management of physical building environments.
The vulnerability is widespread across the Johnson Controls ecosystem and affects several key components of the Metasys line:
It’s not simply a data leak risk; it’s a command-and-control issue. The advisory warns that successful exploitation could lead to “alteration or loss of data,” which, in the context of building automation, could involve manipulating environmental controls, deleting historical records, or completely halting operations.
Johnson Controls and CISA urge administrators to take immediate action. The primary solution is to download and install the Metasys patch for GIV-165989 from the company’s licensing portal.
Furthermore, the advisory emphasizes the importance of network hygiene. Administrators are advised to follow the “Metasys Release 14 Hardening Guide” to ensure that each “Metasys installation is on a segmented network and not exposed to untrusted networks such as the Internet.”
For organizations unable to apply the patch promptly, the advisory offers a concrete network defense measure: closing inbound TCP port 1433 can protect against exploitation of this vulnerability. This port is the default port for SQL Server traffic, which confirms the nature of the attack vector involved.
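The following shell script is an added example, not code from the CISA advisory or from Johnson Controls, showing how an administrator might check whether the SQL Server port named in the advisory (TCP 1433) is listening on a non-loopback address of a Metasys host, and which firewall rule the "close inbound port 1433" mitigation maps to on a Linux host using nftables. It assumes a Linux system and the column layout of `ss -Hltn` output; the listener lines embedded in `SAMPLE_SS` are constructed for the example, not captured from a real Metasys server, and the `nft` rule assumes an `inet filter` table with an `input` chain already exists.

```shell
#!/bin/sh
# Added example (not from the CISA advisory or Johnson Controls).
# Checks whether TCP 1433 (SQL Server, the port the advisory says to close)
# is exposed on a non-loopback address, and prints the nftables rule that
# implements the advisory's mitigation.
# Assumptions: Linux host, `ss -Hltn` column layout, nftables with an
# existing `inet filter` table and `input` chain.

SQL_PORT=1433

# Constructed sample of `ss -Hltn` output (not real Metasys server data):
# one SQL Server listener bound to all interfaces, one loopback-only
# service, and one IPv6 wildcard listener on another port.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:1433 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*'

# exposed_listeners SS_OUTPUT PORT
# Prints each local address (excluding loopback) on which PORT is listening.
exposed_listeners() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")
      p = parts[n]                                   # port is the last field
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (p == port && host != "127.0.0.1" && host != "[::1]") print host
    }'
}

# port_exposed SS_OUTPUT PORT
# Exit status 0 if PORT is reachable on a non-loopback address, 1 otherwise.
port_exposed() {
  [ -n "$(exposed_listeners "$1" "$2")" ]
}

# nft_block_rule PORT
# The nftables command that drops inbound TCP traffic to PORT.
nft_block_rule() {
  printf 'nft add rule inet filter input tcp dport %s drop\n' "$1"
}

# Audit the sample: report exposure and the corresponding mitigation rule.
if port_exposed "$SAMPLE_SS" "$SQL_PORT"; then
  echo "TCP $SQL_PORT is exposed on: $(exposed_listeners "$SAMPLE_SS" "$SQL_PORT")"
  echo "Suggested mitigation: $(nft_block_rule "$SQL_PORT")"
else
  echo "TCP $SQL_PORT is not exposed beyond loopback"
fi
```

On a live host, replace `SAMPLE_SS` with `$(ss -Hltn)`; the firewall rule is a stop-gap that blocks the vector the advisory names, not a substitute for applying the GIV-165989 patch or for the network segmentation the hardening guide calls for.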
