Cyber Resilience

CVE-2025-26385

Critical · RCE

Published: 30 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none listed
CVSS v4.0 score: 9.5 (vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0144 (69.8th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-26385 is a critical-severity Command Injection (CWE-77) vulnerability attributed to Cisa (vendor inferred from references; see Affected Assets). Its CVSS base score is 9.5 (Critical).

Operationally, it ranks in the top 30.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

The Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects:

* Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation
* Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation
* LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation, Releases 12.0 through 14.1
* System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior
* Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)

Related Threats

CVEs Like This One

* CVE-2026-22864 (shared CWE-77)
* CVE-2024-57590 (shared CWE-77)
* CVE-2026-21638 (shared CWE-77)
* CVE-2025-64090 (shared CWE-77)
* CVE-2025-55125 (shared CWE-77)
* CVE-2024-57036 (shared CWE-77)
* CVE-2026-26791 (shared CWE-77)
* CVE-2025-60854 (shared CWE-77)
* CVE-2024-57211 (shared CWE-77)
* CVE-2024-52325 (shared CWE-77)

Affected Assets

Cisa (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References