Johnson Controls keeps your building management systems, IT infrastructures, and connected equipment secure with a firm commitment to technological innovation and continual product development.
This includes creating product security advisories as an essential part of our rapid response protocol for cybersecurity incidents. You can learn about problems we identified — as well as the actions we took to mitigate risk — right here.
2022 Product Security Advisories
Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated |
---|---|---|---|---|---|
CKS CEVAS JCI-PSA-2022-15 | CEVAS | Vulnerability impacting CEVAS all versions prior to 1.01.46 | See link for general guidance | October 25, 2022 | October 25, 2022 |
Software House C•CURE 9000 JCI-PSA-2022-12 | C•CURE 9000 | Vulnerability impacting Software House C•CURE 9000 Portal | See link for general guidance | October 11, 2022 | October 11, 2022 |
Metasys JCI-PSA-2022-11 | Metasys | Vulnerability impacting Metasys ADX Server version 12.0 | See link for general guidance | October 04, 2022 | October 04, 2022 |
iSTAR Ultra JCI-PSA-2022-13 | iSTAR Ultra | Vulnerability impacting iSTAR Ultra firmware versions prior to 6.8.9.CU01 | See link for general guidance | August 30, 2022 | August 30, 2022 |
Metasys | Metasys | Vulnerability impacting Metasys ADS/ADX/OAS with MUI | See link for general guidance | July 21, 2022 | July 21, 2022 |
Metasys JCI-PSA-2022-10 | Metasys | Vulnerabilities impacting Metasys ADS/ADX/OAS Servers | See link for general guidance | June 14, 2022 | June 14, 2022 |
Spring4Shell JCI-PSA-2022-14 v3 | General | General guidance | See link for general guidance | April 19, 2022 | May 20, 2022 |
Metasys JCI-PSA-2022-09 | Metasys | Vulnerability impacting Metasys ADS/ADX/OAS Servers versions 10 and 11 | See link for general guidance | May 5, 2022 | May 5, 2022 |
Metasys ADS/ADX/OAS JCI-PSA-2022-08 | Metasys | Vulnerability impacting Metasys ADS/ADX/OAS Servers versions 10 and 11 | See link for general guidance | April 28, 2022 | April 28, 2022 |
Log4Shell JCI-PSA-2021-23 v24 | General | General guidance | See link for general guidance | December 14, 2021 | April 21, 2022 |
Metasys System Configuration Tool (SCT) and System Configuration Tool Pro (SCT Pro) JCI-PSA-2022-03 | Metasys | Vulnerability impacting Metasys System Configuration Tool (SCT) and System Configuration Tool Pro (SCT Pro) all versions prior to 14.2.2 | See link for general guidance | April 21, 2022 | April 21, 2022 |
Metasys ADS/ADX/OAS Servers JCI-PSA-2022-06 | Metasys | Vulnerability impacting Metasys ADS/ADX/OAS Servers versions 10 and 11 | See link for general guidance | April 14, 2022 | April 14, 2022 |
Metasys ADS/ADX/OAS Servers JCI-PSA-2022-02 | Metasys | Vulnerability impacting Metasys ADS/ADX/OAS versions 10 and 11 | See link for general guidance | March 17, 2022 | March 17, 2022 |
DSC PowerManage JCI-PSA-2022-01 v2 | DSC | Vulnerability impacting DSC PowerManage versions 4.0 to 4.8 | See link for general guidance | February 3, 2022 | March 7, 2022 |
2021 Product Security Advisories
Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated |
---|---|---|---|---|---|
Log4Shell JCI-PSA-2021-23 v9 | General | General guidance | See link for general guidance | December 14, 2021 | December 22, 2021 |
American Dynamics VideoEdge JCI-PSA-2021-21 | American Dynamics VideoEdge | Vulnerability impacting VideoEdge versions 5.4.1 to 5.7.1 | See link for mitigation options | December 22, 2021 | December 22, 2021 |
exacqVision Enterprise Manager JCI-PSA-2021-24 | exacqVision Enterprise Manager | Vulnerability impacting all versions of exacqVision Enterprise Manager up to and including version 21.12 | See link for mitigation options | December 20, 2021 | December 20, 2021 |
Kantech Entrapass JCI-PSA-2021-22 | Kantech Entrapass | Vulnerability impacting Entrapass all versions prior to 8.40 | See link for mitigation options | December 2, 2021 | December 2, 2021 |
CEM Systems AC2000 JCI-PSA-2021-20 | CEM Systems AC2000 | Vulnerability impacting AC2000 all versions prior to 10.6 | See link for mitigation options | November 30, 2021 | November 30, 2021 |
American Dynamics VideoEdge | American Dynamics VideoEdge | Vulnerability impacting VideoEdge versions prior to 5.7.1 | See link for mitigation options | November 2, 2021 | November 2, 2021 |
American Dynamics victor Video Management System JCI-PSA-2021-19 | American Dynamics victor Video Management System | Vulnerability impacting victor Video Management System version 5.7 and prior | See link for mitigation options | October 28, 2021 | October 28, 2021 |
exacqVision Server JCI-PSA-2021-18 | exacqVision Server | Vulnerability impacting exacqVision Server 32-bit version 21.06.11.0 or older | See link for mitigation options | October 7, 2021 | October 7, 2021 |
exacqVision Web Service JCI-PSA-2021-16 | exacqVision Web Service | Vulnerability impacting exacqVision Web Service version 21.06.11.0 or older | See link for mitigation options | October 7, 2021 | October 7, 2021 |
Kantech KT-1 Door Controller JCI-PSA-2021-14 | Kantech KT-1 Door Controller | Vulnerability impacting all versions of the Kantech KT-1 Controller, including 3.01 | See link for mitigation options | September 10, 2021 | September 10, 2021 |
Tyco Illustra JCI-PSA-2021-13 | Tyco Illustra | Vulnerability impacting specific versions of Tyco Illustra | See link for mitigation options | August 31, 2021 | August 31, 2021 |
CEM Systems AC2000 JCI-PSA-2021-15 | CEM Systems AC2000 | Vulnerability impacting specific versions of CEM Systems AC2000 | See link for mitigation options | August 26, 2021 | August 26, 2021 |
Kantech | Kantech | Vulnerability impacting all versions of the Kantech KT-1 Door Controller, including 2.09.02 and earlier | See link for mitigation options | August 19, 2021 | August 19, 2021 |
Software House C•CURE 9000 JCI-PSA-2021-10 v2 | Software House C•CURE 9000 | Vulnerability impacting all versions of Software House C•CURE 9000 prior to version 2.80 | See link for mitigation options | July 01, 2021 | August 12, 2021 |
Facility Explorer JCI-PSA-2021-11 | Facility Explorer | Vulnerability impacting Facility Explorer SNC Series Supervisory Controllers (F4-SNC) | See link for mitigation options | July 01, 2021 | July 01, 2021 |
Software House C•CURE 9000 JCI-PSA-2021-10 | Software House C•CURE 9000 | Vulnerability impacting all versions of Software House C•CURE 9000 prior to version 2.80 | See link for mitigation options | July 01, 2021 | July 01, 2021 |
exacqVision Web Service JCI-PSA-2021-09 | exacqVision Web Service | Vulnerability impacting all versions of exacqVision Web Service including 21.03 | See link for mitigation options | June 24, 2021 | June 24, 2021 |
exacqVision Enterprise Manager | exacqVision Enterprise Manager | Vulnerability impacting all versions of exacqVision Enterprise Manager including 20.12 | See link for mitigation options | June 24, 2021 | June 24, 2021 |
Metasys Servers, Engines, and SCT Tools Web Services JCI-PSA-2021-05 | Metasys Servers, Engines, and SCT Tools Web Services | Vulnerability impacting web services for Metasys Servers, Engines, and SCT Tools | See link for mitigation options. | June 04, 2021 | June 04, 2021 |
American Dynamics VideoEdge | American Dynamics VideoEdge | Vulnerability impacting all versions of VideoEdge prior to 5.7.0 | See link for mitigation options. | May 27, 2021 | May 27, 2021 |
American Dynamics Tyco AI | American Dynamics Tyco AI | Vulnerability impacting all versions of Tyco AI up to and including v1.2 | See link for mitigation options. | May 13, 2021 | May 13, 2021 |
exacqVision Network Video Recorder | exacqVision Network Video Recorder | Vulnerability impacting specific versions of the exacqVision Network Video Recorder | See link for mitigation options. | April 29, 2021 | April 29, 2021 |
exacqVision Web Service JCI-PSA-2021-03 | exacqVision Web Service | Vulnerability impacting all versions of exacqVision Web Service | See link for mitigation options. | March 18, 2021 | March 18, 2021 |
Metasys Report Engine (MRE) Web Services | Metasys Report Engine (MRE) Web Services | Vulnerability impacting specific versions of Metasys Report Engine (MRE) Web Services | See link for mitigation options. | February 18, 2021 | February 18, 2021 |
Sur-Gard | Sur-Gard System 5 receivers | Vulnerability impacting Sur-Gard System 5 receivers | See link for mitigation options. | January 26, 2021 | January 26, 2021 |
AD victor Web Client and SWH C•CURE Web Client | American Dynamics victor Web Client and Software House C•CURE Web Client | Vulnerability impacting specific versions of American Dynamics victor Web Client and Software House C•CURE Web Client | See link for mitigation options. | October 08, 2020 | January 05, 2021 |
2020 Product Security Advisories
Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated |
---|---|---|---|---|---|
AD victor Web Client and SWH C•CURE Web Client | American Dynamics victor Web Client and Software House C•CURE Web Client | Vulnerability impacting specific versions of American Dynamics victor Web Client and Software House C•CURE Web Client | See link for mitigation options. | November 19, 2020 | November 24, 2020 |
victor Web Client JCI-PSA-2020-09 | victor Web Client | Vulnerability impacting versions of victor Web Client | Upgrade all versions of victor Web Client to v5.6. | October 8, 2020 | October 8, 2020 |
Sur-Gard JCI-PSA-2020-08 | Sur-Gard System 5 receivers | Vulnerability impacting Sur-Gard System 5 receivers | See link for mitigation options. | August 20, 2020 | August 20, 2020 |
exacqVision JCI-PSA-2020-07 v2 | exacqVision Web Service and exacqVision Enterprise Manager | Vulnerability impacting exacqVision Web Service and exacqVision Enterprise Manager | All users should upgrade exacqVision Web Service to version 20.06.4 or higher and exacqVision Enterprise Manager to version 20.06.5 or higher. | June 18, 2020 | July 2, 2020 |
C•CURE 9000/victor JCI-PSA-2020-4 v4 | Software House C•CURE 9000 and American Dynamics victor Video Management System | Vulnerability impacting the Software House C•CURE 9000 and American Dynamics victor Video Management System software installer. | See link for mitigation options. | May 21, 2020 | June 2, 2020 |
Kantech EntraPass | All versions of Kantech EntraPass editions up to and including v8.22 | Vulnerability impacting system permissions for all versions of Tyco Kantech EntraPass Security Management Software Editions. | All users should upgrade Kantech EntraPass Editions to version 8.23. | May 26, 2020 | May 26, 2020 |
BCPro JCI-PSA-2020-5 v1 | BCPro | Vulnerability impacting the BCPro and BCT software. | A patch has been developed to address this issue. | April 23, 2020 | April 23, 2020 |
Metasys XXE JCI-PSA-2020-3 v1 | Metasys Server | Vulnerability impacting the Metasys Server software products and some network engines. | A patch has been developed to address this issue. | March 10, 2020 | March 10, 2020 |
SmartService API JCI-PSA-2020-2 v1 | Kantech EntraPass | Vulnerability impacting the SmartService API Service option in some editions of Kantech EntraPass. | Upgrade impacted Kantech EntraPass Global and Corporate edition software to version 8.10. | March 10, 2020 | March 10, 2020 |
ElasticSearch Kibana JCI-PSA-2020-1 v1 | Metasys Server 10.0 using Kibana version 6.2.3 | Vulnerabilities impacting the ElasticSearch/Kibana visualizer component. | Remove the Windows component called Kibana-6.2.3 from computers running Metasys Server (Release 10.0). | January 31, 2020 | January 31, 2020 |
2019 Product Security Advisories
Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated |
---|---|---|---|---|---|
Flexera FlexNet Publisher - JCI-PSA-2019-12 v1 | Software House C•CURE v2.70 and earlier running FlexNet Publisher version 11.16.1.0 and earlier | Vulnerabilities impacting the Flexera FlexNet Publisher licensing manager | Install C•CURE 9000 v2.70 Service Pack 3 Critical Update 05 (Unified 3.70 SP3 CU05) or upgrade to C•CURE 9000 v2.80 | December 3, 2019 | December 3, 2019 |
PC Annunciator - JCI-PSA-2019-11 v1 | TrueAlarm Fire Alarm System, 4190 PC Annunciator | Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. “BlueKeep”) | Apply all applicable Microsoft security updates | November 21, 2019 | November 21, 2019 |
Facility Explorer - JCI-PSA-2019-10 v1 | Facility Explorer FX 14.7.2, FX 14.4, FX 6.5 | Vulnerabilities exist in the QNX operating system used in Facility Explorer | Apply the available QNX patch or update | October 30, 2019 | October 30, 2019 |
Metasys ICS-CERT Advisory ICSA-19-227-01 JCI-PSA-2019-06 v1 CVE-2019-7593 CVE-2019-7594 | Metasys® ADS/ADX servers and NAE/NIE/NCE engines, versions prior to 9.0. | An attacker with access to the shared RSA key pair or a hardcoded RC2 key could potentially decrypt captured network traffic between the Metasys® ADS/ADX servers or NAE/NIE/NCE engines and the connecting Site Management Portal (SMP) user client | These issues were addressed in version 9.0 of these Metasys® components. We recommend upgrading all Metasys® ADS/ADX servers and NAE/NIE/NCE engines to at least version 9.0 to ensure all enhancements in this latest release are active. Sites should also be configured with trusted certificates | August 15, 2019 | August 15, 2019 |
Bluetooth “KNOB” attack or BR/EDR Key Negotiation Vulnerability CVE-2019-9506 | Security advisories for affected products will be appended to this web page as they are made available. The PSA IDs for each product-specific advisory have a common root followed by “.x”, where x is the instance number (JCI-PSA-2019-08.x). | A researcher has identified a vulnerability that affects Bluetooth devices that employ Bluetooth BR/EDR Core specification versions 1.0 through 5.1 | Refer to the respective Product Security Advisories (when released) | August 13, 2019 | August 13, 2019 |
JCI-PSA-2019-03 Please visit the ICS-CERT advisory linked below for complete information and additional resources. | exacqVision Server 9.6 and 9.8 application running on Windows operating system (all supported versions of Windows). | On March 28, 2019, Tyco security solutions published a product security advisory for the exacqVision Server Application | Please reference the linked Johnson Controls advisory below to find mitigation steps: Click Here | March 28, 2019 | July 18, 2019 |
TrueInsight Module Vulnerability JCI-PSA-2019-05 | TrueInsight modules used to connect the Simplex® 4007ES, 4010ES, 4100ES, and 4100U Fire Alarm Control Panels | This vulnerability impacts all TrueInsight modules. If properly exploited, this vulnerability could result in unauthorized access to the fire system. Unfortunately, there is no patch available to fix the vulnerability | Please reference the linked Johnson Controls advisory below to find mitigation steps: Click Here | July 8, 2019 | July 8, 2019 |
Microsoft® Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. “BlueKeep”) | Microsoft® Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. “BlueKeep”). Vulnerable in-support systems include Windows 7 operating system, Windows Server® 2008 R2, and Windows Server 2008 systems. Out-of-support but affected operating systems include Windows Server 2003 and Windows XP® operating systems | Microsoft discovered a vulnerability in its Remote Desktop service, which is included in most versions of a wide variety of its operating systems. Although this vulnerability is not associated with any specific Johnson Controls application, it does impact the computer environments that can host those applications | Microsoft has released a product update that patches this security issue. Please reference the linked advisory below to find mitigation steps: Click Here | May 22, 2019 | May 22, 2019 |
ICS-CERT Advisory ICSA-19-163-01 Please visit the ICS-CERT advisory linked above for complete information and additional resources. | ExacqVision (ESM) v5.12.2 and all prior versions of ESM running on a Windows operating system. This issue does not impact Linux deployments with permissions that are not inherited from the root directory | On February 15, 2019, Tyco security solutions published a product security advisory for ExacqVision Enterprise System Manager (ESM) | Please reference the linked Tyco advisory below to find mitigation steps: Click Here | February 15, 2019 | March 28, 2019 |
2018 Product Security Advisories
Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated |
---|---|---|---|---|---|
CPP-PSA-20180-02 v1 Facility Explorer™ Path Traversal and Improper Authentication Vulnerabilities ICS-CERT Notice ICSA-19-022-01 CVE-2017-16744 CVE-2017-16748 Please visit the ICS-CERT notice linked above for complete information and additional resources. | Facility Explorer 6.x (Niagara AX Framework™) systems, prior to 6.6; Facility Explorer 14.x (Niagara 4) systems, prior to 14.4u1 | Facility Explorer Software Release 6.6 and 14.4u1 include several fixes and important vulnerability mitigations for cybersecurity protection. | Customers should upgrade to the latest available product versions. Johnson Controls recommends taking steps to minimize risks to all building automation systems. The Department of Homeland Security’s ICS-CERT also provides a section for Control Systems Security Recommended Practices. | January 11, 2018 | September 4, 2018 |
ICSA-14-350-02 Metasys® Building Automation System (BAS) Information Disclosure Vulnerability ICS-CERT Notice ICSA-18-212-02 | Metasys system versions 8.0 and prior. | A previous version of the Metasys BAS could potentially reveal technical information when an authentication error occurs in the BAS server. | Customers should upgrade to the latest product versions. Contact your Johnson Controls Sales or Service representative for details. | March 17, 2015 | August 27, 2018 |
Pub # GPS-PSA-2018-02 "Meltdown" and "Spectre" Vulnerabilities CERT Vulnerability Note VU#584653 | Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products. Find Updates Here. | Researchers recently disclosed new security vulnerabilities that impact aspects of many modern processors and that could be exploited to allow an attacker to obtain access to sensitive data. These vulnerabilities allow for side-channel attacks to read data from memory. These vulnerabilities can affect personal computers, mobile devices, and the cloud. | Although there are currently no known workarounds, below are some suggested actions that customers can take in the short term to reduce their risks: Check this site regularly for updated information. As always, prior to deploying software patches or updates, test such patches or updates on non-production systems and follow all vendor instructions and warnings to ensure such patches or updates do not impair system functionality. Although not specific to this vulnerability, always implement proper building system and corporate network segmentation and boundary security and access controls. | January 10, 2018 | January 26, 2018 |
2017 Product Security Advisories
Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated |
---|---|---|---|---|---|
“KRACK” Wi-Fi Vulnerability Attacks: CERT Vulnerability Note VU#228519 | Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products. Update to follow. | A significant weakness in a commonly used Wi-Fi security protocol was announced recently which could put the confidentiality of data transferred over wireless at risk. The attack, dubbed “KRACK”, exploits a newly discovered weakness in the WPA2 protocol, which is commonly used to secure Wi-Fi networks. | An attacker within range of a victim can potentially exploit these weaknesses to access some types of information transmitted between wireless clients and wireless network access points, thereby reducing the confidentiality and integrity of the data being transmitted. | October 16, 2017 | November 16, 2017 |
US CERT Alert TA17-132A017-0143 | All Metasys® software releases running on affected OS’, all NxE55 series, all NxE85 series and LCS8520 | IT systems worldwide have been affected by a prolific ransomware attack which leverages a Microsoft SMB protocol vulnerability that may affect some Metasys system components. | Apply Microsoft patch MS17-010 for host operating systems. Contact your JCI Field Representative for remediation details for specific Metasys products. | May 12, 2017 | June 7, 2018 |
2015 Product Security Advisories
Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated |
---|---|---|---|---|---|
ICSA-14-350-02 | Metasys® releases 4.1 to 6.5: ADS, ADX, LCS8520, NAE, NIE, NxE8500 | Independent security researcher Billy Rios identified two vulnerabilities in the Johnson Controls Metasys® building automation system. | Johnson Controls has produced patches for each affected release that mitigate these vulnerabilities. Contact your Johnson Controls representative for more information. | March 17, 2015 | August 27, 2018 |
US CERT Alert TA17-132A017-0143 | All Metasys® software releases running on affected OS’, all NxE55 series, all NxE85 series and LCS8520 | IT systems worldwide have been affected by a prolific ransomware attack which leverages a Microsoft SMB protocol vulnerability that may affect some Metasys system components. | Apply Microsoft patch MS17-010 for host operating systems. Contact your JCI Field Representative for remediation details for specific Metasys products. | May 12, 2017 | June 7, 2018 |
2014 Product Security Advisories
Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated |
---|---|---|---|---|---|
CVE-2014-0160 "Heartbleed" | None | A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data. | No mitigation required | August 8, 2014 | August 25, 2015 |
CVE-2014-6271 "Shellshock" | None | A flaw in the GNU Bourne-Again Shell (Bash) could allow an attacker to remotely execute shell commands. | No mitigation required | September 25, 2014 | August 25, 2015 |
CVE-2014-3566 | Metasys® Release 6.5, 7.0, 8.0: Application and Data Server (ADS), Extended Application and Data Server (ADX), ADS-Lite, Open Data Server (ODS), Metasys® Advanced Reporting System, Metasys® Export Utility, Ready Access Portal, and Metasys® User Interface (UI) Release 1.5, 1.5.1, and 2.0 | Commonly referred to as Padding Oracle on Downgraded Legacy Encryption (POODLE), this vulnerability may allow an attacker to decrypt cipher | This does not involve any patches or updates to our products; it is simply a reminder to address this at the Microsoft operating system level. Disable SSLv3 on the server and standalone computers hosting the affected Metasys software | October 17, 2014 | September 30, 2016 |
For everything from asking a question to raising an alarm, please use this form for a quick response from our Johnson Controls cybersecurity organization.
If you are aware of a potential security vulnerability in a Johnson Controls product, service or solution, or have a product security question, please contact us at productsecurity@jci.com.
Please use a downloadable PGP key to secure communications.
When submitting a concern, please include the following information:
Thanks to all who partner with us to create a smarter, safer, more sustainable world.