Metasys command‑injection CVE-2025-26385 — urgent patching and ISO 27001 action needed

Metasys command‑injection (CVE-2025-26385): critical remote SQL execution risk in building control systems — patch, segment and sleep better

What happened (quick, factual recap)

Reported 1 hour ago, CVE-2025-26385 is a critical (9.5) command‑injection vulnerability in several Johnson Controls Metasys components that have SQL Express deployed. The vendor advisory describes an “Improper Neutralization of Special Elements used in a Command (Command Injection)” that, if exploited, could allow remote SQL execution against affected systems.

The advisory specifically lists affected software as: Metasys Application and Data Server (ADS) and Extended ADS (ADX) when installed with SQL Express as part of Metasys 14.1 and prior; LCS8500 or NAE8500 with SQL Express in releases 12.0 through 14.1; System Configuration Tool (SCT) with SQL Express in 17.1 and prior; and Controller Configuration Tool (CCT) with SQL Express in 17.0 and prior.

Why this matters to business leaders

Building management systems are not just thermostats and dashboards — they control heating, ventilation, access, alarms and other services that affect safety, operations and occupancy. A vulnerability that allows remote SQL execution can let an attacker read, alter or destroy data, disrupt building services, or pivot deeper into a network. That’s operational downtime, potential safety hazards, regulatory scrutiny and reputational damage all rolled into one nasty incident.

Beyond the immediate technical risk, boards and CISOs should be thinking about customer trust, supplier relationships and contractual obligations. If an attacker manipulates building controls or exfiltrates occupant or contractor data, expect questions from insurers, regulators and customers — and possibly an unwelcome audit.

How this can unfold if ignored

Left unchecked, remote SQL execution can be used to extract credentials, tamper with logs to hide activity, corrupt configuration data that disables services, or create persistence points for later attacks. Recovery can mean long outages while systems are rebuilt, forensic costs, regulatory notifications and the delightful task of explaining to tenants or clients why their heating went offline during winter.

Treating an unpatched building management server like an unimportant Windows desktop is a good way to spend a lot of money learning lessons you could have avoided.

Practical immediate steps (what to do this afternoon)

  • Inventory: identify and list all Metasys ADS/ADX, LCS8500/NAE8500, SCT and CCT instances, record the Metasys release on each, and note whether SQL Express is deployed alongside them (the advisory's affected list is conditional on SQL Express being present, so check the installed programs and the SQL Server services on each host rather than assuming).

  • Isolate: where feasible, place affected systems behind strict network segmentation and deny direct internet access. Put them on a VLAN with tightly controlled access and monitoring, and make sure the SQL Express listener itself (TCP 1433 or the instance's dynamic port, plus UDP 1434 for the SQL Browser service) is reachable only from the Metasys hosts and management workstations that genuinely need it.

  • Apply vendor guidance: check Johnson Controls’ advisory for patches or mitigations and prioritise deployment on exposed instances.

  • Monitor and hunt: increase log collection and monitoring on the Metasys servers and their SQL Express instances, and look for suspicious SQL activity (configuration changes such as enabling xp_cmdshell, use of stored procedures that run operating‑system commands, unexpected 'sa' or new logins), unexpected service activity and anomalous connections from outside the management network.

  • Access control: tighten administrative access, enforce least privilege, rotate credentials used by the service (including any SQL logins it uses, and disable or strongly protect the SQL 'sa' account if it is enabled) and ensure multi‑factor authentication is applied where possible for admin consoles.

  • Backup validation: verify that backups exist, are segregated from production systems and have been tested for restoration — don’t assume they will work when you need them.
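The "monitor and hunt" step above is the one most teams struggle to make concrete. The following is an added example, written for this article and not taken from the Johnson Controls advisory or any Metasys or SQL Server tooling, of a small hunting script that scans SQL Server log lines for generic indicators of command execution via SQL (the xp_cmdshell enablement messages and OS‑command stored procedures that SQL Server itself logs or that an audit export would show) and flags connections from outside an assumed management subnet. The sample log lines are constructed in the style of SQL Server ERRORLOG and audit output; the 10.20.30.0/24 management VLAN, the host names and the user names are assumptions. The advisory does not publish the exploit vector, so these are general post‑exploitation tells for SQL Express, not a signature for this specific CVE.

```python
"""Hunt SQL Server (Express) log lines for signs of SQL-driven command execution.

Added example for this article; not vendor code. Indicators are generic SQL
Server tells, not a signature for CVE-2025-26385 specifically.
"""
import ipaddress
import re

# Assumed management VLAN from which admin connections to Metasys SQL Express
# are expected. Anything else talking to the instance is worth a look.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed sample lines in the style of a SQL Server ERRORLOG / audit export.
# Statement text (the EXEC line) only appears if auditing or Extended Events
# capture it; the configuration-change and Logon lines are standard ERRORLOG.
SAMPLE_LOG = """\
2025-03-04 09:12:01.10 Logon  Login succeeded for user 'MetasysSvc'. Connection made using Windows authentication. [CLIENT: 10.20.30.5]
2025-03-04 09:12:07.55 spid52 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-03-04 09:12:08.01 spid52 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2025-03-04 09:12:09.30 spid52 EXEC xp_cmdshell 'powershell -enc SQBFAFgA'
2025-03-04 09:13:44.00 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.77]
2025-03-04 09:15:02.00 Logon  Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.77]
2025-03-04 09:20:00.00 spid55 SELECT name FROM sys.databases
"""

# Each indicator is a named regex; order determines the order of hits reported.
INDICATORS = {
    "xp_cmdshell_enabled": re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1"),
    "advanced_options_enabled": re.compile(r"'show advanced options' changed from 0 to 1"),
    # Stored procedures commonly used to run OS commands or touch the host from SQL.
    "os_command_exec": re.compile(
        r"\b(xp_cmdshell|sp_OACreate|sp_OAMethod|xp_regwrite|xp_dirtree)\b", re.IGNORECASE
    ),
    "sa_login_success": re.compile(r"Login succeeded for user 'sa'"),
    "login_failed": re.compile(r"Login failed for user '([^']+)'"),
}

# SQL Server writes the source as "[CLIENT: a.b.c.d]" (or "<local machine>",
# which this regex deliberately does not match and so is treated as local).
CLIENT_RE = re.compile(r"\[CLIENT: ([0-9a-fA-F:.]+)\]")


def client_ip(line):
    """Return the client IP string from a Logon line, or None if absent."""
    m = CLIENT_RE.search(line)
    return m.group(1) if m else None


def is_allowed(ip):
    """True if the IP falls inside one of the assumed management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


def scan_line(line):
    """Return the list of indicator names that fire on a single log line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
    ip = client_ip(line)
    if ip is not None and not is_allowed(ip):
        hits.append("client_outside_mgmt_net")
    return hits


def scan_log(text):
    """Scan a whole log; return one finding dict per line that had any hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append({"line": lineno, "indicators": hits, "text": line})
    return findings


def severity(findings):
    """Rate the whole batch: enabling xp_cmdshell and then calling an OS-command
    procedure is the classic SQL-to-shell chain and gets the top rating."""
    tags = {t for f in findings for t in f["indicators"]}
    if "xp_cmdshell_enabled" in tags and "os_command_exec" in tags:
        return "critical"
    if tags & {"os_command_exec", "sa_login_success", "client_outside_mgmt_net"}:
        return "high"
    if tags:
        return "medium"
    return "none"


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']}: {', '.join(f['indicators'])}")
    print("overall severity:", severity(results))
```

Run it against an exported ERRORLOG (or a SQL audit / Extended Events export converted to text) rather than the sample; the `ALLOWED_CLIENTS` list should be your real management subnets, and any hit on `xp_cmdshell_enabled` on a Metasys host is worth treating as an incident until proven otherwise, since nothing in a normal building‑management deployment needs it.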

How ISO standards help — and where Synergos links in

Organisations that treat information risk as a checkbox tend to get surprised. An ISO 27001 information security management system helps by forcing you to catalogue critical assets (yes, including BMS servers), perform risk assessments, apply appropriate controls and demonstrate management oversight. That inventory and risk treatment step is what turns a reactive sprint into an organised response.

When services are disrupted, an ISO 22301 business continuity plan ensures you can keep critical operations running — or at least failover gracefully — while you clean and rebuild vulnerable systems. If physical safety or staff risk is implicated, ISO 45001 links safety management with operational resilience so health and safety teams aren’t blindsided during a cyber incident.

For practical baseline controls, consider Cyber Essentials and IASME certifications; for staff risks such as credential reuse or insecure remote administration practices, strengthen human defences with security awareness training. If you need hands‑on help prioritising patching, segmentation and incident playbooks, look at ongoing support packages and the Synergos Training Academy to build internal capability.

Longer‑term governance and resilience actions

Beyond the emergency, embed controls that reduce the risk of similar problems: a mature vulnerability management programme tied into change control; supplier and third‑party risk assessment for vendors of operational technology; network architecture that treats OT assets as crown jewels rather than paintable toys; and regular incident response exercises that include building management scenarios.

These are precisely the kinds of practices an ISO 27001 certified organisation documents and improves iteratively — not a one‑off checklist but continual improvement that prevents small issues becoming headline disasters.

Board and executive checklist

Make sure your executive team can answer: do we know where our BMS servers are, who can access them, and when they were last patched? If the answer is anything other than a crisp, evidence‑backed “yes”, this CVE is a good prompt to act.

A final nudge (but helpful)

This vulnerability is a reminder that building management systems intersect cyber, safety and operations. Treat them as part of your information estate: find them, protect them, and have plans to recover them. A coordinated approach using ISO 27001 for information risk, ISO 22301 for continuity and targeted technical measures will make the next incident a lot less dramatic — and a lot cheaper.

If you run Johnson Controls Metasys components, urgently inventory and isolate affected instances, apply vendor mitigations and use ISO 27001‑style risk controls to stop your building management becoming an easy remote target.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.