CVE-2025-26385

Published: Jan 30, 2026

Modified: Jan 30, 2026

PUBLISHED

Description

The Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects:

* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
* Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.

Vendor: Johnson Controls

Product: Metasys

Versions:

* affected: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation
* affected: Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation
* affected: LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1
* affected: System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior
* affected: Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior

Weaknesses (CWE)
