A serious security warning has been issued for several Johnson Controls industrial control products due to a critical SQL injection flaw. The issue allows attackers to remotely manipulate databases in affected systems, potentially leading to major disruption in environments that rely on these platforms.
The vulnerability is rated at the highest severity level, meaning it poses a significant risk if left unaddressed. Because the flaw does not require authentication, attackers could exploit it from a remote location to change data, delete information, or extract sensitive records.
This makes it especially dangerous for systems connected to operational or infrastructure environments.
Johnson Controls technologies are widely used in sectors such as manufacturing, energy, transportation, government facilities, and commercial buildings. That broad deployment increases the impact and urgency of this issue.
Affected Products
The vulnerability impacts several Johnson Controls platforms, including:
| Product name | CVE ID |
|---|---|
| Application and Data Server (ADS) | CVE-2025-26385 |
| Extended Application and Data Server (ADX) | CVE-2025-26385 |
| LCS8500 | CVE-2025-26385 |
| NAE8500 | CVE-2025-26385 |
| System Configuration Tool (SCT) | CVE-2025-26385 |
| Controller Configuration Tool (CCT) | CVE-2025-26385 |
Why This Matters for Critical Systems
Industrial systems often operate behind the scenes, but they control essential processes. A database compromise in these environments could interrupt services, affect safety, or expose confidential operational data. Even if there is no public evidence of active attacks yet, the risk level means organizations should act quickly rather than wait for incidents to occur.
To reduce exposure, organizations should:
• Isolate control networks from the public internet
• Use firewalls and strong network segmentation between IT and OT systems
• Secure remote access with properly maintained VPN solutions
• Monitor for unusual database or application activity
• Review legacy systems that may not support immediate patching
Security teams are encouraged to evaluate their exposure, apply vendor updates where possible, and strengthen network protections around these systems. Acting early can prevent operational impact and protect critical infrastructure from avoidable risk.