Critical Johnson Controls Flaws Enable Remote SQL Injection

A newly disclosed critical advisory reveals a severe SQL injection vulnerability affecting multiple industrial control system products from Johnson Controls.

The vulnerability, tracked as CVE-2025-26385, carries a maximum CVSS v3 severity score of 10.0, indicating the highest level of risk to affected infrastructure.

The flaw stems from improper neutralization of special elements used in command injection, allowing remote attackers to execute arbitrary SQL commands without authentication.

Successful exploitation enables attackers to alter, delete, or exfiltrate sensitive data from affected systems.

The vulnerability impacts six Johnson Controls products used across critical infrastructure sectors worldwide. Johnson Controls products are deployed across multiple critical infrastructure sectors.

Including commercial facilities, critical manufacturing, energy generation, government operations, and transportation systems.

The company, headquartered in Ireland, maintains a global presence, making this vulnerability a widespread concern.

CISA recommends organizations implement the following defensive measures to minimize exploitation risk.

Control system networks must be isolated from internet exposure and positioned behind firewalls, separated from business network infrastructure.

Affected Products and Scope

The vulnerability affects the following Johnson Controls applications:

Organizations requiring remote access should deploy Virtual Private Networks (VPNs) with current security patches, recognizing that VPN security depends on the integrity of the connected devices.

Network segmentation and air-gapping represent critical protective strategies for legacy systems unable to receive immediate patches.

CISA has not documented any known public exploitation of this vulnerability as of the advisory release date of January 27, 2026.

However, the critical severity rating and widespread deployment warrant immediate attention from system administrators and security teams.

The advisory, designated ICSA-26-027-04, represents a republication of Johnson Controls’ initial security advisory JCI-PSA-2026-02.

Organizations observing suspicious activity should report findings to CISA for correlation with other reported incidents and comprehensive threat tracking.

Johnson Controls reported the vulnerability to CISA, enabling coordinated disclosure and allowing security teams adequate preparation time before potential exploitation attempts.

Organizations should prioritize impact analysis and risk assessment before deploying defensive measures to avoid operational disruption.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.