A critical advisory addresses a severe SQL injection vulnerability affecting several Johnson Controls industrial control system products.
The vulnerability, tracked as CVE-2025-26385, carries a maximum CVSS v3 severity rating of 10.0, indicating the highest level of risk to affected infrastructure.
The flaw stems from improper neutralization of special elements used in a command (SQL injection), allowing remote attackers to execute arbitrary SQL commands without authentication.
Successful exploitation allows attackers to modify, delete, or exfiltrate sensitive data from affected systems.
The vulnerability affects six Johnson Controls products used across critical infrastructure sectors worldwide. Johnson Controls products are deployed across multiple critical infrastructure sectors, including commercial facilities, critical manufacturing, energy generation, government operations, and transportation systems.
The company, headquartered in Ireland, maintains a global presence, making this vulnerability a widespread concern.
CISA recommends that organizations implement the following defensive measures to minimize exploitation risk.
Control system networks should be isolated from internet exposure and placed behind firewalls, separated from enterprise network infrastructure.
Affected Products and Scope
The vulnerability affects the following Johnson Controls applications:
Product                                      CVE Identifier
Application and Data Server (ADS)            CVE-2025-26385
Extended Application and Data Server (ADX)   CVE-2025-26385
LCS8500                                      CVE-2025-26385
NAE8500                                      CVE-2025-26385
System Configuration Tool (SCT)              CVE-2025-26385
Controller Configuration Tool (CCT)          CVE-2025-26385
Organizations requiring remote access should deploy Virtual Private Networks (VPNs) with current security patches, recognizing that VPN security depends on the integrity of the connected devices.
Network segmentation and air-gapping are essential protective strategies for legacy systems that cannot receive immediate patches.
CISA has not documented any known public exploitation of this vulnerability as of the advisory release date of January 27, 2026.
However, the critical severity score and widespread deployment warrant immediate attention from system administrators and security teams.
The advisory, designated ICSA-26-027-04, is a republication of Johnson Controls' initial security advisory JCI-PSA-2026-02.
Organizations observing suspicious activity should report findings to CISA for correlation with other reported incidents and comprehensive threat monitoring.
Johnson Controls reported the vulnerability to CISA, enabling coordinated disclosure and giving security teams adequate preparation time before potential exploitation attempts.
Organizations should prioritize impact analysis and risk assessment before deploying defensive measures, to avoid operational disruption.