PatchSiren cyber security CVE debrief
CVE-2025-26385 Johnson Controls CVE debrief
CVE-2025-26385 is a critical Johnson Controls Metasys vulnerability that, under certain circumstances, could allow remote SQL execution. CISA’s CSAF republication covers Metasys Application and Data Server (ADS), Extended Application and Data Server (ADX), LCS8500, NAE8500, System Configuration Tool (SCT), and Controller Configuration Tool (CCT). The advisory directs defenders to apply Johnson Controls’ patch, harden and segment Metasys deployments, and restrict exposure of TCP port 1433.
- Vendor: Johnson Controls
- Product: Metasys Application and Data Server (ADS)
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-27
- Original CVE updated: 2026-01-27
- Advisory published: 2026-01-27
- Advisory updated: 2026-01-27
Who should care
Industrial control system owners and operators using Johnson Controls Metasys products, especially administrators responsible for ADS, ADX, LCS8500, NAE8500, SCT, or CCT deployments. Teams with Metasys systems reachable from less trusted networks or deployed without strong segmentation should prioritize review.
Technical summary
The advisory describes a vulnerability that can permit remote SQL execution under certain circumstances. The source corpus identifies affected Metasys products as ADS, ADX, LCS8500, NAE8500, SCT, and CCT. Johnson Controls’ mitigation guidance includes installing the Metasys patch for GIV-165989, following the Metasys Release 14 Hardening Guide, and closing incoming TCP port 1433 to reduce exposure.
Defensive priority
Urgent. This is a CVSS 10.0 critical issue in an ICS product line with vendor guidance to patch and reduce network exposure. Treat internet-facing or weakly segmented deployments as highest priority.
Recommended defensive actions
- Apply the Johnson Controls Metasys patch for GIV-165989 from the License Portal.
- Review the Metasys Release 14 Hardening Guide and confirm each installation is on a segmented network.
- Ensure Metasys systems are not exposed to untrusted networks, including the internet.
- Close incoming TCP port 1433 where operationally feasible to reduce exploitation risk.
- Verify whether any of the affected products listed in the advisory are present in your environment.
- Use the Johnson Controls Product Security Advisory JCI-PSA-2026-02 for additional mitigation details.
Evidence notes
All material facts in this debrief are drawn from the supplied CISA CSAF source item for ICSA-26-027-04 and its cited Johnson Controls mitigation guidance. The corpus states that successful exploitation could allow remote SQL execution and lists the affected Metasys products plus the vendor-recommended mitigations. No exploit steps, reproduction details, or unsupported claims are included.
Official resources
- CVE-2025-26385 CVE record (CVE.org)
- CVE-2025-26385 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA republication of Johnson Controls advisory JCI-PSA-2026-02 on 2026-01-27, with the CVE published and modified on the same date in the supplied corpus.