
Critical Johnson Controls Products Vulnerabilities Enable Remote SQL Injection Attacks

CISA has published a critical advisory addressing a severe SQL injection vulnerability affecting multiple Johnson Controls industrial control system products.

The vulnerability, tracked as CVE-2025-26385, carries a maximum CVSS v3 severity score of 10.0, indicating the highest level of risk to affected infrastructure.

The flaw stems from improper neutralization of special elements used in an SQL command, allowing remote attackers to execute arbitrary SQL commands without authentication.

Successful exploitation enables attackers to alter, delete, or exfiltrate sensitive data from affected systems.

The vulnerability impacts six Johnson Controls products that are deployed across multiple critical infrastructure sectors worldwide, including commercial facilities, critical manufacturing, energy generation, government operations, and transportation systems.

The company, headquartered in Ireland, maintains a global presence, making this vulnerability a widespread concern.

CISA recommends organizations implement the following defensive measures to minimize exploitation risk.

Control system networks must be isolated from internet exposure and positioned behind firewalls, separated from business network infrastructure.

Affected Products and Scope

The vulnerability affects the following Johnson Controls applications:

Product                                      CVE Identifier
Application and Data Server (ADS)            CVE-2025-26385
Extended Application and Data Server (ADX)   CVE-2025-26385
LCS8500                                      CVE-2025-26385
NAE8500                                      CVE-2025-26385
System Configuration Tool (SCT)              CVE-2025-26385
Controller Configuration Tool (CCT)          CVE-2025-26385

Organizations requiring remote access should deploy Virtual Private Networks (VPNs) with current security patches, recognizing that VPN security depends on the integrity of the connected devices.

Network segmentation and air-gapping represent critical protective strategies for legacy systems unable to receive immediate patches.

CISA has not documented any known public exploitation of this vulnerability as of the advisory release date of January 27, 2026.

However, the critical severity rating and widespread deployment warrant immediate attention from system administrators and security teams.

The advisory, designated ICSA-26-027-04, represents a republication of Johnson Controls’ initial security advisory JCI-PSA-2026-02.

Organizations observing suspicious activity should report findings to CISA for correlation with other reported incidents and comprehensive threat tracking.

Johnson Controls reported the vulnerability to CISA, enabling coordinated disclosure and allowing security teams adequate preparation time before potential exploitation attempts.

Organizations should prioritize impact analysis and risk assessment before deploying defensive measures to avoid operational disruption.

The post Critical Johnson Controls Products Vulnerabilities Enable Remote SQL Injection Attacks appeared first on Cyber Security News.
