The article reports a maximum-severity vulnerability in Johnson Controls’ Metasys building automation system, tracked as CVE-2025-26385 with a CVSS score of 10. According to the Cybersecurity and Infrastructure Security Agency (CISA), the flaw could allow remote SQL execution affecting the Application and Data Server (ADS) and related configuration tools. If exploited, it could lead to data alteration or loss and potentially let attackers manipulate environmental controls or disrupt operations.
Johnson Controls and CISA urge immediate action. A fix is available as the Metasys patch for GIV-165989 from the company’s License Portal; for those unable to patch right away, the network guidance recommends blocking inbound TCP port 1433. The advisory also stresses network hygiene, advising that every Metasys installation sit on a segmented network and not be exposed to untrusted networks such as the internet, in line with the Metasys Release 14 Hardening Guide.
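The two interim controls above (block inbound TCP 1433, keep Metasys on a segmented network) can be checked against firewall connection logs. The following is an added example, not code from the article, Johnson Controls or CISA; the log format, the Metasys subnet and the allowed management subnet are all constructed assumptions.

```python
"""Audit constructed firewall connection logs for TCP 1433 (the SQL Server
port named in the Metasys advisory) reaching the Metasys segment from hosts
that should not be able to. Added example; all addresses are made up."""
import ipaddress
import re

# Assumed segmentation: Metasys ADS/ADX servers live in 10.20.0.0/24 and
# only that segment plus a management subnet may open TCP 1433 to them.
METASYS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_CLIENTS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.50.1.0/24"),
]
SQL_PORT = 1433

# Constructed log format: proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):\d+ "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)"
)

SAMPLE_LOG = """
2025-06-01T08:00:01Z proto=tcp src=10.20.0.15:51000 dst=10.20.0.10:1433 action=allow
2025-06-01T08:00:05Z proto=tcp src=10.50.1.7:51001 dst=10.20.0.10:1433 action=allow
2025-06-01T08:00:09Z proto=tcp src=192.0.2.44:51002 dst=10.20.0.10:1433 action=allow
2025-06-01T08:00:12Z proto=tcp src=198.51.100.9:51003 dst=10.20.0.10:1433 action=deny
2025-06-01T08:00:15Z proto=tcp src=192.0.2.44:51004 dst=10.20.0.10:443 action=allow
2025-06-01T08:00:20Z proto=udp src=172.16.3.3:51005 dst=10.20.0.10:1433 action=allow
""".strip().splitlines()


def find_exposed_sql(lines, allowed=ALLOWED_CLIENTS, segment=METASYS_SEGMENT):
    """Return (src, dst) pairs where TCP 1433 into the Metasys segment was
    ALLOWED from a source outside the permitted subnets. Denied attempts are
    evidence the port block is working and are not reported."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"].lower() != "tcp" or int(m["dport"]) != SQL_PORT:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if dst not in segment or m["action"].lower() != "allow":
            continue
        if not any(src in net for net in allowed):
            findings.append((m["src"], m["dst"]))
    return findings


if __name__ == "__main__":
    for src, dst in find_exposed_sql(SAMPLE_LOG):
        print(f"TCP 1433 reachable from outside the segment: {src} -> {dst}")
```

Only the connection from 192.0.2.44 is reported: the in-segment and management-subnet clients are permitted, the denied attempt shows the port block doing its job, and non-SQL or UDP traffic is out of scope for this check.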
The article notes that the vulnerability affects several Metasys components, including the ADS, Extended ADX, LCS8500, NAE8500, SCT and CCT versions listed in the risk scope.