Critical SQL Injection Vulnerability in Johnson Controls Products Poses Severe Risk to Global Infrastructure
A critical security vulnerability, identified as CVE-2025-26385, has been discovered in multiple Johnson Controls industrial control system products. This flaw carries a maximum Common Vulnerability Scoring System (CVSS) v3 severity score of 10.0, indicating an extreme risk level to affected infrastructures.
Nature of the Vulnerability
The vulnerability arises from improper neutralization of special elements used in an SQL command, that is, SQL injection. Because affected components do not separate user-supplied input from the SQL they execute, a remote attacker can execute arbitrary SQL commands without authenticating. Successful exploitation could enable attackers to alter, delete, or exfiltrate sensitive data from compromised systems, potentially leading to significant operational disruptions.
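To make the root cause concrete, the following added example (written for this article, not code from Johnson Controls or CISA) shows a lookup that splices untrusted input into SQL text next to the parameterized form that neutralizes it; the in-memory table, the `operators` schema and the sample inputs are constructed for illustration only.

```python
import sqlite3

# Constructed in-memory sample data standing in for an ICS application's
# operator store; nothing here is taken from the affected products.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO operators VALUES (?, ?)",
        [("alice", "admin"), ("bob", "viewer"), ("carol", "engineer")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Improper neutralization: the caller-supplied value becomes part of the
    # SQL text, so a quote character in it changes the structure of the query.
    sql = "SELECT name, role FROM operators WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the driver passes the value separately from the
    # statement, so it is only ever compared as data, whatever it contains.
    sql = "SELECT name, role FROM operators WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def looks_like_injection(value: str) -> bool:
    # Crude request-side check a defender can log on while a patch is pending:
    # a quote in a field that should be a plain identifier is worth alerting on.
    return "'" in value

def demo() -> dict:
    conn = build_sample_db()
    benign = "bob"
    hostile = "x' OR 'a'='a"  # constructed input that closes the quoted literal
    return {
        "benign_vuln": len(lookup_vulnerable(conn, benign)),    # 1 row
        "benign_safe": len(lookup_hardened(conn, benign)),      # 1 row
        "hostile_vuln": len(lookup_vulnerable(conn, hostile)),  # every row
        "hostile_safe": len(lookup_hardened(conn, hostile)),    # 0 rows
        "flagged": looks_like_injection(hostile),
    }

if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns the whole table for the hostile input because the quote terminates the string literal and the rest is parsed as SQL, whereas the parameterized lookup treats the same bytes as a name that matches nothing.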
Affected Products and Scope
The following Johnson Controls applications are impacted by this vulnerability:
– Application and Data Server (ADS)
– Extended Application and Data Server (ADX)
– LCS8500
– NAE8500
– System Configuration Tool (SCT)
– Controller Configuration Tool (CCT)
These products are widely deployed across critical infrastructure sectors globally, including commercial facilities, critical manufacturing, energy generation, government operations, and transportation systems. Given Johnson Controls’ extensive global presence, the potential impact of this vulnerability is substantial.
Recommended Mitigation Measures
The Cybersecurity and Infrastructure Security Agency (CISA) has issued recommendations to mitigate the risk associated with this vulnerability:
1. Network Isolation: Ensure that control system networks are isolated from internet exposure. Position these networks behind firewalls and separate them from business network infrastructure to prevent unauthorized access.
2. Secure Remote Access: For organizations requiring remote access, deploy Virtual Private Networks (VPNs) with up-to-date security patches. It’s crucial to recognize that the security of VPNs depends on the integrity of the connected devices.
3. Network Segmentation and Air-Gapping: Implement network segmentation and air-gapping strategies, especially for legacy systems that cannot receive immediate patches. These measures can significantly reduce the risk of exploitation.
Current Status and Reporting
As of the advisory release date on January 27, 2026, CISA has not documented any known public exploitation of this vulnerability. However, due to its critical severity rating and the widespread deployment of the affected products, immediate attention from system administrators and security teams is warranted.
The advisory, designated ICSA-26-027-04, is a republication of Johnson Controls’ initial security advisory JCI-PSA-2026-02. Organizations observing suspicious activity are encouraged to report findings to CISA for correlation with other reported incidents and comprehensive threat tracking.
Proactive Measures and Risk Assessment
Johnson Controls reported the vulnerability to CISA, enabling coordinated disclosure and allowing security teams adequate preparation time before potential exploitation attempts. Organizations should prioritize impact analysis and risk assessment before deploying defensive measures to avoid operational disruption.
Conclusion
The discovery of CVE-2025-26385 underscores the critical importance of robust cybersecurity practices in industrial control systems. Organizations utilizing Johnson Controls products must act swiftly to implement the recommended mitigation measures to safeguard their infrastructure against potential attacks.