Vulnerability Database

320,419

Total vulnerabilities in the database

CVE-2025-26385

Johnson Controls Metasys component listed below have Improper Neutralization of Special Elements used in a Command (Command Injection) Vulnerability . Successful exploitation of this vulnerability could allow remote SQL execution This issue affects

Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation,
Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation,
LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1,
System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior,
Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior.

Published: Jan 30, 2026
Updated: Jan 31, 2026
CVE: CVE-2025-26385
Exploit:

No technical information available.

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

No affected software listed.

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo