
Understanding CVE-2025-26385: A Critical SQL Injection Vulnerability in Johnson Controls Metasys (CVSS 10.0)
Jan 31, 2026
Introduction
In early 2026, a critical security vulnerability identified as CVE-2025-26385 was disclosed in Johnson Controls Metasys, a widely deployed building automation system (BAS) used in commercial and industrial environments worldwide. Rated CVSS 10.0, the highest possible severity, this flaw highlights the ongoing cybersecurity risks facing operational technology (OT) and smart building infrastructure.
This article explains what CVE-2025-26385 is, why it matters, who is affected, and what organizations should do to reduce risk.
What Is CVE-2025-26385?
CVE-2025-26385 is a remote SQL injection vulnerability affecting certain Johnson Controls Metasys components, particularly when deployed with Microsoft SQL Express. The vulnerability stems from improper input validation, allowing an attacker to send specially crafted requests that are executed as SQL commands by the backend database.
Critically, this vulnerability:
- Can be exploited remotely
- Requires no authentication
- Does not require user interaction
These factors contribute directly to its CVSS 10.0 rating.
Affected Products
The vulnerability impacts several Metasys server-side components, including but not limited to:
- Application and Data Server (ADS)
- Extended Application and Data Server (ADX)
Affected deployments are typically those running Metasys version 14.1 and earlier with SQL Express. Because Metasys is commonly used to control HVAC, access control, and other building systems, the impact goes beyond traditional IT concerns.
Why the CVSS Score Is 10.0
A CVSS base score of 10.0 (Critical) indicates maximum severity across all scoring metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Confidentiality, Integrity, and Availability impact: High
In practical terms, exploitation could allow an attacker to:
- Execute arbitrary SQL queries
- Read or modify sensitive configuration data
- Disrupt or manipulate building automation functions
- Potentially leverage the system as a foothold for lateral movement
Is Metasys Normally Exposed to the Internet?
By design, Metasys is not intended to be internet-facing. Johnson Controls recommends deploying it on internal networks or segmented OT environments, with remote access provided through secure VPNs or jump hosts.
However, in real-world environments, exposure often occurs due to:
- Firewall or NAT misconfigurations
- Legacy remote access setups
- Contractor convenience access
- Poor IT and OT network segmentation
If a vulnerable Metasys system is exposed to the internet, CVE-2025-26385 becomes an immediate and severe risk.
Why This Matters for OT and Smart Buildings
This vulnerability underscores a broader trend. Building automation systems are increasingly attractive targets. As BAS platforms become more connected to corporate IT networks and cloud services, they inherit the same threat landscape, often without the same level of security oversight.
Exploitation of CVE-2025-26385 could impact:
- Business continuity
- Physical safety
- Energy management
- Regulatory compliance
Mitigation and Best Practices
Organizations using Johnson Controls Metasys should take the following actions immediately:
- Apply vendor patches or updates addressing CVE-2025-26385
- Ensure Metasys servers are not internet-accessible
- Segment OT and BAS networks from IT networks
- Use VPNs with MFA for remote access
- Restrict database and application permissions
- Monitor logs and network traffic for abnormal activity
Even if a system is not externally exposed, internal exploitation remains a concern, making patching essential.
Conclusion
CVE-2025-26385 is a reminder that cybersecurity risks extend well beyond traditional IT systems. With a CVSS score of 10.0, this vulnerability represents a worst-case scenario involving remote, unauthenticated exploitation of critical infrastructure software.
Organizations operating smart buildings or OT environments should treat this CVE as a priority, ensuring timely remediation and stronger network controls to prevent future exposure.
