CRITICAL
Johnson Controls
CVE published 2026-01-27
CVE-2025-26385
CVE-2025-26385 is a critical Johnson Controls Metasys vulnerability that, under certain circumstances, could allow remote SQL execution. CISA’s CSAF republication covers Metasys Application and Data Server (ADS), Extended Application and Data Server (ADX), LCS8500, NAE8500, System Configuration Tool (SCT), and Controller Configuration Tool (CCT). The advisory directs defenders to apply Johnson Controls’ p [truncated]