CISA has published a critical advisory addressing a severe SQL injection vulnerability affecting multiple Johnson Controls industrial control system products.
The vulnerability, tracked as CVE-2025-26385, carries the maximum CVSS v3 base score of 10.0, indicating the highest level of risk to affected infrastructure.
The flaw is an improper neutralization of special elements used in an SQL command (CWE-89, the classic SQL injection weakness), allowing an unauthenticated remote attacker to execute arbitrary SQL commands against the affected system's database.
Successful exploitation enables attackers to alter, delete, or exfiltrate sensitive data from affected systems.
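To make the impact statement concrete, here is an added, generic illustration of the CWE-89 pattern. It is not Johnson Controls code, it is not taken from the advisory, and it says nothing about how the real flaw in ADS/ADX or the other products is triggered; the users table, its rows and the three payloads are constructed for the demo. The vulnerable function splices input into the SQL text, so the same three payloads reproduce the three impacts the advisory lists (authentication bypass, truncation of a check, and exfiltration of a column the query never exposed); the parameterized function is the developer-side fix, complementing the network-level mitigations CISA recommends to operators.

```python
import sqlite3

# Added illustration of CWE-89 (SQL injection). Not Johnson Controls code; the
# table, rows and payloads below are constructed for this demo only.


def make_db():
    """In-memory SQLite database holding a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("operator", "s3cret", "operator"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: attacker-controlled strings are spliced into the SQL text,
    so quotes, comment markers and UNION inside the input become SQL syntax."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Hardened form: bound parameters keep the input as data; the SQL text is fixed."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payloads, one per impact named in the advisory.
BYPASS = "' OR '1'='1"                                      # tautology: matches every row
COMMENT = "admin'--"                                        # comments out the password check
EXFIL = "' UNION SELECT password, username FROM users --"   # reads a column never exposed


if __name__ == "__main__":
    conn = make_db()
    print("legit    :", login_vulnerable(conn, "admin", "hunter2"))
    print("bypass   :", login_vulnerable(conn, "x", BYPASS))     # both rows, no password
    print("comment  :", login_vulnerable(conn, COMMENT, ""))     # admin row, no password
    print("exfil    :", login_vulnerable(conn, EXFIL, ""))       # password column leaked
    print("hardened :", login_parameterized(conn, COMMENT, ""))  # [] : input stays data
```

The hardened function is not a sanitizer: it never inspects the input, it simply hands it to the driver as a bound value, so the same payloads return nothing. Escaping or blocklisting quote characters is a weaker substitute that tends to fail on encodings and numeric contexts.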
The vulnerability impacts six Johnson Controls products deployed across multiple critical infrastructure sectors worldwide, including commercial facilities, critical manufacturing, energy generation, government operations, and transportation systems.
The company, headquartered in Ireland, maintains a global presence, making this vulnerability a widespread concern.
Affected Products and Scope
The vulnerability affects the following Johnson Controls applications, all tracked under the same CVE:
| Product | CVE Identifier |
|---|---|
| Application and Data Server (ADS) | CVE-2025-26385 |
| Extended Application and Data Server (ADX) | CVE-2025-26385 |
| LCS8500 | CVE-2025-26385 |
| NAE8500 | CVE-2025-26385 |
| System Configuration Tool (SCT) | CVE-2025-26385 |
| Controller Configuration Tool (CCT) | CVE-2025-26385 |
Recommended Mitigations
CISA recommends that organizations implement the following defensive measures to minimize exploitation risk.
Control system networks and devices should not be reachable from the internet; they should sit behind firewalls and be separated from the business network.
Organizations requiring remote access should use Virtual Private Networks (VPNs) kept current with security patches, recognizing that a VPN is only as secure as the devices connected to it.
Network segmentation and air-gapping remain critical compensating controls for legacy systems that cannot receive immediate patches.
CISA has not documented any known public exploitation of this vulnerability as of the advisory release date of January 27, 2026.
However, the critical severity rating and widespread deployment warrant immediate attention from system administrators and security teams.
The advisory, designated ICSA-26-027-04, represents a republication of Johnson Controls’ initial security advisory JCI-PSA-2026-02.
Johnson Controls reported the vulnerability to CISA, which coordinated its disclosure.
Organizations observing suspicious activity should follow their established incident response procedures and report findings to CISA for correlation with other reported incidents.
As with any change to a production control system, organizations should perform impact analysis and risk assessment before deploying these defensive measures to avoid operational disruption.
