
CVE-2025-26385: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') in Johnson Controls Metasys

Severity: Critical
Tags: Vulnerability, CVE-2025-26385, CWE-77
Published: Fri Jan 30 2026 (01/30/2026, 11:05:16 UTC)
Source: CVE Database V5
Vendor/Project: Johnson Controls
Product: Metasys

Description

The Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects:

* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
* Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.

AI-Powered Analysis

AI analysis last updated: 01/30/2026, 11:27:33 UTC

Technical Analysis

CVE-2025-26385 is a command injection vulnerability classified under CWE-77 affecting Johnson Controls Metasys products that deploy SQL Express as part of their installation. The affected components include the Application and Data Server (ADS), Extended Application and Data Server (ADX), LCS8500 or NAE8500 controllers, System Configuration Tool (SCT), and Controller Configuration Tool (CCT) across versions 12.0 through 14.1 or 17.1 depending on the product. The vulnerability arises from improper neutralization of special elements in commands, allowing an attacker to inject malicious SQL commands remotely. This can lead to unauthorized SQL execution, enabling attackers to manipulate or exfiltrate data, disrupt system operations, or potentially gain further access within the network. The flaw requires no authentication or user interaction and can be exploited over the network, increasing the attack surface significantly. The CVSS 4.0 base score of 9.5 reflects its critical severity, with high impact on confidentiality, integrity, and availability, and low attack complexity. Although no public exploits are currently reported, the widespread use of Metasys in building automation systems makes this vulnerability a significant threat. The lack of available patches at the time of publication necessitates immediate mitigation through compensating controls.

Potential Impact

For European organizations, this vulnerability poses a critical risk to building management and automation systems that rely on Johnson Controls Metasys products. Successful exploitation could lead to unauthorized access to sensitive operational data, manipulation of building controls (such as HVAC, lighting, and security systems), and potential disruption of critical infrastructure services. This could affect commercial buildings, hospitals, data centers, and industrial facilities, leading to operational downtime, safety hazards, and financial losses. The ability to execute arbitrary SQL commands remotely without authentication increases the likelihood of attacks from external threat actors, including cybercriminals and nation-state actors. Given the integration of Metasys in many smart building environments across Europe, the impact extends to privacy concerns, regulatory compliance issues (e.g., GDPR), and potential cascading effects on other connected systems.

Mitigation Recommendations

1. Apply vendor patches immediately once available to remediate the vulnerability.
2. Until patches are released, isolate Metasys components from untrusted networks using strict network segmentation and firewall rules to limit exposure.
3. Implement robust network monitoring and intrusion detection systems to identify suspicious SQL commands or unusual traffic patterns targeting Metasys servers.
4. Restrict access to Metasys management interfaces to trusted administrators only, employing VPNs or zero-trust network access where possible.
5. Conduct regular security audits and vulnerability assessments on building automation systems to detect potential exploitation attempts.
6. Harden SQL Express configurations by disabling unnecessary features and enforcing least privilege principles on database accounts used by Metasys components.
7. Educate operational technology (OT) and IT teams on this vulnerability and establish incident response plans specific to building management system compromises.
8. Maintain up-to-date asset inventories to quickly identify affected systems and prioritize remediation efforts.
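Recommendation 6 (hardening the SQL Express instance and enforcing least privilege on the database accounts) is the one compensating control an administrator can apply directly on the affected host. The T-SQL below is an added example, not Johnson Controls' code and not derived from the advisory: it audits the surface-area options that turn SQL execution into operating-system command execution, disables the ones a building-automation database has no reason to need, and lists which logins hold elevated server roles. The login name `MetasysSvc` is a placeholder for whatever service account the installation actually uses; the advisory does not name it.

```sql
-- Added example: audit and harden a SQL Server Express instance used by a Metasys
-- component. Not vendor code. Assumes sysadmin rights on the instance and a
-- hypothetical application login named MetasysSvc (placeholder, not from the advisory).

-- 1. Report the current state of the surface-area options that matter most.
--    value_in_use = 1 means the feature is enabled.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'clr enabled',
               'Ad Hoc Distributed Queries',
               'remote access')
ORDER BY name;

-- 2. Disable the features that let a SQL session reach the host OS or other servers.
--    'show advanced options' must be on before these options can be changed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Least privilege: list every login that holds a fixed server role other than public.
--    The application login should not appear here as a member of sysadmin.
SELECT sp.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r  ON r.principal_id  = m.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = m.member_principal_id
WHERE r.name <> 'public'
ORDER BY sp.name, r.name;

-- 4. If the application login turns out to be sysadmin, the corrective statements look
--    like this. They are commented out because the privileges Metasys actually requires
--    must be confirmed against the vendor's installation documentation first.
-- ALTER SERVER ROLE sysadmin DROP MEMBER [MetasysSvc];
-- USE [MetasysApplicationDb];                          -- placeholder database name
-- ALTER ROLE db_datareader ADD MEMBER [MetasysSvc];
-- ALTER ROLE db_datawriter ADD MEMBER [MetasysSvc];
```

Run step 1 and step 3 first on every affected ADS, ADX, SCT and CCT host to establish a baseline; the output is also a useful input to the asset inventory in recommendation 8. Apply step 2 during a maintenance window and confirm the Metasys services still start, since an installation that silently depends on one of these options will fail at the next restart rather than immediately. Step 4 changes the application's own privileges and should only be applied after the required role membership has been verified with the vendor.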


Technical Details

Data Version: 5.2
Assigner Short Name: jci
Date Reserved: 2025-02-07T14:15:53.880Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 697c9243ac063202224f3c28

Added to database: 1/30/2026, 11:13:07 AM

Last enriched: 1/30/2026, 11:27:33 AM

Last updated: 1/30/2026, 6:32:32 PM

