Skip to main content

CVE-2025-26385

Command Injection (CWE-77)
2026-01-30 productsecurity@jci.com

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:00 vuln.today
CVE Published
Jan 30, 2026 - 11:15 nvd
N/A

DescriptionCVE.org

Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects

  • Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
  • Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
  • LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
  • System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
  • Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.

AnalysisAI

LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 versions up to 14.1 is affected by command injection.

Technical ContextAI

This vulnerability (CWE-77: Command Injection) affects LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0. Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects

  • Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
  • Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14

Affected ProductsAI

Product: LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0. Versions: up to 14.1.

RemediationAI

Monitor vendor advisories for a patch.

Share

CVE-2025-26385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy