{"id":10325,"date":"2026-02-02T10:03:44","date_gmt":"2026-02-02T10:03:44","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/02\/critical-johnson-controls-products-vulnerabilities-enables-remote-sql-injection-attacks\/"},"modified":"2026-02-02T10:03:44","modified_gmt":"2026-02-02T10:03:44","slug":"critical-johnson-controls-products-vulnerabilities-enables-remote-sql-injection-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/02\/critical-johnson-controls-products-vulnerabilities-enables-remote-sql-injection-attacks\/","title":{"rendered":"Critical Johnson Controls Products Vulnerabilities Enables Remote SQL Injection Attacks"},"content":{"rendered":"<p>    Critical Johnson Controls Products Vulnerabilities Enables Remote SQL Injection Attacks<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A critical advisory addressing a severe <a href=\"https:\/\/cybersecuritynews.com\/freepbx-sql-injection-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">SQL injection<\/a> vulnerability affecting multiple Johnson Controls industrial control system products.<\/p>\n<p>The vulnerability, tracked as CVE-2025-26385, carries a maximum CVSS v3 severity score of 10.0, indicating the highest level of risk to affected infrastructure.<\/p>\n<p>The flaw stems from improper <a href=\"https:\/\/cybersecuritynews.com\/ghostlocker-tool\/\" target=\"_blank\" rel=\"noreferrer noopener\">neutralization<\/a> of special elements used in command injection, allowing remote attackers to execute arbitrary SQL commands without authentication.<\/p>\n<p>Successful exploitation enables attackers to alter, delete, or exfiltrate sensitive data from affected systems.<\/p>\n<p>The vulnerability impacts six Johnson Controls products used across critical infrastructure sectors worldwide. Johnson Controls products are deployed across multiple critical infrastructure sectors.<\/p>\n<p>Including commercial facilities, critical manufacturing, energy generation, government operations, and transportation systems.<\/p>\n<p>The company, headquartered in Ireland, maintains a global presence, making this vulnerability a widespread concern.<\/p>\n<p>CISA recommends organizations implement the following defensive measures to minimize exploitation risk.<\/p>\n<p>Control system networks must be isolated from internet exposure and positioned behind <a href=\"https:\/\/cybersecuritynews.com\/fortinet-sso-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">firewalls<\/a>, separated from business network infrastructure.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-affected-products-and-scope\"><strong>Affected Products and Scope<\/strong><\/h2>\n<p>The vulnerability affects the following Johnson Controls applications:<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Product<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">CVE Identifier<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Application and Data Server (ADS)<\/strong><\/td>\n<td>CVE-2025-26385<\/td>\n<\/tr>\n<tr>\n<td><strong>Extended Application and Data Server (ADX)<\/strong><\/td>\n<td>CVE-2025-26385<\/td>\n<\/tr>\n<tr>\n<td><strong>LCS8500<\/strong><\/td>\n<td>CVE-2025-26385<\/td>\n<\/tr>\n<tr>\n<td><strong>NAE8500<\/strong><\/td>\n<td>CVE-2025-26385<\/td>\n<\/tr>\n<tr>\n<td><strong>System Configuration Tool (SCT)<\/strong><\/td>\n<td>CVE-2025-26385<\/td>\n<\/tr>\n<tr>\n<td><strong>Controller Configuration Tool (CCT)<\/strong><\/td>\n<td>CVE-2025-26385<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Organizations requiring remote access should deploy <a href=\"https:\/\/cybersecuritynews.com\/virtual-private-networks-vpns-in-cybersecurity-a-comprehensive-overview\/\" target=\"_blank\" rel=\"noreferrer noopener\">Virtual Private Networks<\/a> (VPNs) with current security patches, recognizing that VPN security depends on the integrity of the connected devices.<\/p>\n<p>Network segmentation and <a href=\"https:\/\/cybersecuritynews.com\/security-checklist-for-your-storage-backups\/\" target=\"_blank\" rel=\"noreferrer noopener\">air-gapping <\/a>represent critical protective strategies for legacy systems unable to receive immediate patches.<\/p>\n<p>CISA has not documented any known public exploitation of this vulnerability as of the advisory release date of January 27, 2026.<\/p>\n<p>However, the critical severity rating and widespread deployment warrant immediate attention from system administrators and security teams.<\/p>\n<p>The advisory, designated ICSA-26-027-04, represents a republication of Johnson Controls\u2019 initial security advisory JCI-PSA-2026-02.<\/p>\n<p>Organizations observing suspicious activity should report findings to CISA for correlation with other reported incidents and comprehensive <a href=\"https:\/\/cybersecuritynews.com\/threat-hunting-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">threat tracking<\/a>.<\/p>\n<p>Johnson Controls reported the vulnerability to <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-26-027-04\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CISA<\/a>, enabling coordinated disclosure and allowing security teams adequate preparation time before potential exploitation attempts.<\/p>\n<p>Organizations should prioritize impact analysis and risk assessment before deploying defensive measures to avoid operational disruption.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/johnson-controls-products-vulnerabilities\/\">Critical Johnson Controls Products Vulnerabilities Enables Remote SQL Injection Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/johnson-controls-products-vulnerabilities\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical Johnson Controls Products Vulnerabilities Enables Remote SQL Injection Attacks A critical advisory addressing a severe SQL injection vulnerability affecting multiple Johnson Controls industrial control system products. The vulnerability, tracked as CVE-2025-26385, carries a maximum CVSS v3 severity score of 10.0, indicating the highest level of risk to affected infrastructure. The flaw stems from improper [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-10325","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10325"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10325"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10325\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}