
CVE-2023-4486: CWE-400 Uncontrolled Resource Consumption in Johnson Controls Metasys NAE55/SNE/SNC

High
Tags: Vulnerability, CVE-2023-4486, cve, cwe-400
Published: Thu Dec 07 2023 (12/07/2023, 19:55:39 UTC)
Source: CVE Database V5
Vendor/Project: Johnson Controls
Product: Metasys NAE55/SNE/SNC

Description

Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.

AI-Powered Analysis

Last updated: 07/07/2025, 09:24:33 UTC

Technical Analysis

CVE-2023-4486 is a high-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting Johnson Controls Metasys NAE55, SNE, and SNC engines, as well as Facility Explorer F4-SNC engines. Affected releases are those prior to 11.0.6 on the 11.x line and prior to 12.0.4 on the 12.x line. The defect is in the handling of failed logins: sending invalid authentication credentials to the engine's login endpoint consumes engine resources without bound, so a sustained stream of bad logins can exhaust them and drive the engine into a denial-of-service (DoS) state. Because the requests are rejected logins, no valid account, prior privilege, or user interaction is needed; an attacker only needs network reachability to the login endpoint (attack vector AV:N). The impact is on availability alone, with no direct confidentiality or integrity compromise. The affected products are building automation and control engines used to supervise HVAC, lighting, and other facility systems in commercial and industrial environments, where a supervisory engine that stops responding means loss of central visibility and control. The CVSS v3.1 base score is 7.5 (high), reflecting the low attack complexity, absence of any privilege or interaction requirement, and high availability impact. No exploitation in the wild had been reported as of publication. Johnson Controls addressed the issue in versions 11.0.6 and 12.0.4; the source record carries no direct patch links.
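Working out which inventory entries fall inside the affected ranges is the first practical step, and the "prior to 11.0.6 and 12.0.4" wording is easy to misread. The following is an added example, not code from the advisory or from Johnson Controls: the product-name strings, the inventory rows and the status labels are constructed, and the reading of the version ranges is an assumption made explicit in the comments (everything below 11.0.6 is treated as affected, which conservatively also covers releases older than 11.x that the advisory does not list separately; 12.x below 12.0.4 is affected; a later major branch is reported as outside the advisory's stated range rather than as fixed).

```python
"""Affected-version triage for CVE-2023-4486 over a device inventory.

Added example; not the advisory's or the vendor's own tooling. The fixed versions
(11.0.6 and 12.0.4) are the ones the advisory names. Product names, inventory rows
and status labels are constructed for illustration.
"""

# Fixed version per release branch, as stated in the advisory.
FIXED_BY_BRANCH = {11: (11, 0, 6), 12: (12, 0, 4)}

# Constructed product-name strings; match them to whatever your CMDB actually stores.
AFFECTED_PRODUCTS = {
    "Metasys NAE55", "Metasys SNE", "Metasys SNC", "Facility Explorer F4-SNC",
}


def parse_version(text):
    """'11.0.6' -> (11, 0, 6); short strings are zero-padded, extra components dropped."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def status_for(product, version):
    """Classify one device: 'affected', 'fixed', 'out-of-range' or 'not-listed'."""
    if product not in AFFECTED_PRODUCTS:
        return "not-listed"
    v = parse_version(version)
    major = v[0]
    if major < 11:
        # Assumption: read "prior to 11.0.6" literally, so pre-11.x releases count as
        # affected rather than being silently skipped.
        return "affected"
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        # Branch the advisory does not name (e.g. a later major); confirm with the vendor.
        return "out-of-range"
    return "fixed" if v >= fixed else "affected"


# Constructed inventory: (asset name, product, reported firmware version).
SAMPLE_INVENTORY = [
    ("nae55-hq-01", "Metasys NAE55", "11.0.5"),
    ("nae55-hq-02", "Metasys NAE55", "11.0.6"),
    ("snc-plant-01", "Metasys SNC", "12.0.3"),
    ("snc-plant-02", "Metasys SNC", "12.0.4"),
    ("sne-annex-01", "Metasys SNE", "10.1"),
    ("f4snc-lab-01", "Facility Explorer F4-SNC", "13.0.0"),
    ("switch-core-01", "Some Other Product", "1.0"),
]


def triage(inventory):
    """Map each asset name to its status so the affected list can feed patch planning."""
    return {name: status_for(product, version) for name, product, version in inventory}


if __name__ == "__main__":
    for name, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name:16s} {status}")
```

Anything reported as "out-of-range" or "not-listed" should be checked by hand rather than assumed safe; the function deliberately refuses to call a release "fixed" unless it sits at or above the fixed version of a branch the advisory actually names.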

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability of building management systems that underpin operational continuity, energy management, and safety. Disrupting a Metasys engine removes supervisory control over HVAC, lighting, and other facility systems, which can translate into operational downtime, higher energy costs, and safety hazards. Critical infrastructure facilities, hospitals, data centers, and large commercial buildings that depend on these engines are the most exposed. Because exploitation needs neither an account nor user interaction, any attacker who can reach the engine's login endpoint can mount the attack; where that endpoint is reachable from the internet or from a poorly segmented corporate network, the DoS can be launched from outside the facility, potentially causing widespread service outages. Engines confined to a properly segmented OT or management network reduce this to an insider or post-compromise scenario, but do not remove it. Outages of this kind also have cascading effects on business continuity and regulatory compliance, especially in sectors with strict uptime and safety requirements. The absence of known exploitation in the wild reduces immediate risk but does not eliminate it: the attack amounts to sending bad logins at volume, so little exploit development is needed once the condition is public.

Mitigation Recommendations

European organizations should prioritize upgrading affected Johnson Controls Metasys and Facility Explorer engines to version 11.0.6 or later on the 11.x line, or 12.0.4 or later on the 12.x line, as soon as possible. Until patches are applied, restrict access to the engines' login endpoints at the network level, using firewall rules or network segmentation so that only trusted management networks can reach them, and verify that no engine is reachable from the internet or from general-purpose corporate segments. Monitor and alert on unusual authentication activity, in particular bursts of failed logins against an engine; watch the engine-wide failure rate as well as per-source counts, since per-source thresholds alone miss an attacker spreading requests across many addresses. Conduct a thorough asset inventory to identify every affected engine, including ones installed by integrators or facility contractors, and make sure they are covered by patch management. Rate limiting or an intrusion prevention system (IPS) in front of the login endpoint that throttles or blocks excessive invalid login attempts can reduce the chance of resource exhaustion, though such controls are a stopgap and not a substitute for the fixed firmware. Keep current backups of engine configurations and update incident response plans to cover DoS scenarios affecting building management systems, so that an engine that has been driven into a non-responsive state can be restored quickly.
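The monitoring recommendation above is straightforward to implement against whatever access log sits in front of the engine (reverse proxy, firewall, or the engine itself). The following is an added example, not code from the advisory, the site, or Johnson Controls: it keeps a sliding window of failed logins per source address and a second, engine-wide window that catches a distributed attempt no single source would trip. The log line format (timestamp, source address, request path, HTTP status), the `/login` path and the sample lines are all constructed for illustration and are not the Metasys engine's own log format; the thresholds are assumptions to be tuned to the site.

```python
"""Sliding-window detection of failed-login bursts against a login endpoint.

Added example; not the advisory's or the vendor's own tooling. The log format
parsed here is constructed for illustration and is not the Metasys engine's own
format: adapt parse_line() to whatever your proxy, firewall or engine emits.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Constructed sample: one source hammering the login endpoint, one legitimate user
# with a single typo, one unrelated request, and a straggler outside the window.
SAMPLE_LOG = """\
2023-12-07T19:55:00Z src=10.10.5.7 path=/login status=401
2023-12-07T19:55:01Z src=10.10.5.7 path=/login status=401
2023-12-07T19:55:01Z src=10.10.8.20 path=/login status=401
2023-12-07T19:55:02Z src=10.10.5.7 path=/login status=401
2023-12-07T19:55:02Z src=10.10.8.20 path=/login status=200
2023-12-07T19:55:03Z src=10.10.5.7 path=/login status=401
2023-12-07T19:55:04Z src=10.10.5.7 path=/status status=200
2023-12-07T19:55:05Z src=10.10.5.7 path=/login status=401
2023-12-07T19:58:30Z src=10.10.5.7 path=/login status=401
"""

# Assumed line layout; lines that do not match are skipped rather than crashing the run.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Return (timestamp, source, path, status) or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["path"], int(m["status"])


def failed_login_bursts(log_text, login_path="/login", window_seconds=60,
                        per_source_threshold=5, global_threshold=20):
    """Scan log_text in order and return (per_source_alerts, global_alerts).

    per_source_alerts: {source: peak number of failed logins seen in any window}
        for sources that reached per_source_threshold.
    global_alerts: [(timestamp, count)] for every record at which the engine-wide
        count of failed logins in the window reached global_threshold, whatever
        the sources, so a distributed attempt is still visible.
    Statuses 401 and 403 are treated as failed logins (an assumption for this format).
    """
    per_src = defaultdict(deque)
    all_failures = deque()
    per_source_alerts = {}
    global_alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, path, status = rec
        if path != login_path or status not in (401, 403):
            continue
        # Per-source window: drop entries older than window_seconds, then test.
        q = per_src[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= per_source_threshold:
            per_source_alerts[src] = max(per_source_alerts.get(src, 0), len(q))
        # Engine-wide window over all sources.
        all_failures.append(ts)
        while (ts - all_failures[0]).total_seconds() > window_seconds:
            all_failures.popleft()
        if len(all_failures) >= global_threshold:
            global_alerts.append((ts, len(all_failures)))
    return per_source_alerts, global_alerts


if __name__ == "__main__":
    per_source, engine_wide = failed_login_bursts(SAMPLE_LOG)
    print("per-source:", per_source)
    print("engine-wide:", engine_wide)
```

On the sample, the single noisy source reaches five failures within a minute and is reported with a peak of 5; the legitimate user's one failure is ignored, and the late straggler three minutes later starts a fresh window rather than extending the old one. Lowering `global_threshold` to 6 makes the engine-wide window fire on the same data, which is the behaviour to rely on when failures arrive from many addresses at a low per-source rate.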


Technical Details

Data Version: 5.1
Assigner Short Name: jci
Date Reserved: 2023-08-22T19:40:01.192Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68371692182aa0cae24f0c48

Added to database: 5/28/2025, 1:58:42 PM

Last enriched: 7/7/2025, 9:24:33 AM

Last updated: 8/17/2025, 3:00:50 AM

