Johnsoncontrols

By the Year

In 2026 there have been 0 vulnerabilities in Johnsoncontrols. Johnsoncontrols did not have any published security vulnerabilities last year.

Year  Vulnerabilities  Average Score
2026  0                0.00
2025  0                0.00
2024  7                7.10
2023  6                6.53
2022  13               7.08
2021  7                7.51
2020  6                8.03
2019  3                8.67
2018  1                0.00

It may take a day or so for new Johnsoncontrols vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Johnsoncontrols Security Vulnerabilities

CVE-2024-32758 (Aug 01, 2024)
exacqVision Client/Server: Weak Key Length in TLS Handshake
Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange
Products: Exacqvision Server, Exacqvision Client

CVE-2024-32862 (Aug 01, 2024)
ExacqVision Web Services CORS misconfiguration allows cross-origin access
Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains.
Products: Exacqvision Web Service

CVE-2024-32865 (Aug 01, 2024)
exacqVision SSL Cert Validation Bypass (CVE-2024-32865)
Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices.
Products: Exacqvision Server

CVE-2024-32931 (Aug 01, 2024)
ExacqVision Web Service Exposes Auth Tokens in Traces
Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.
Products: Exacqvision Web Service

CVE-2024-32863 (Aug 01, 2024)
exacqVision Web Services CSRF Vulnerability
Under certain circumstances the exacqVision Web Services may be susceptible to Cross-Site Request Forgery (CSRF).
Products: Exacqvision Web Service

CVE-2024-32864 (Aug 01, 2024)
exacqVision Web Services HTTPS enforcement bypass
Under certain circumstances exacqVision Web Services will not enforce secure web communications (HTTPS).
Products: Exacqvision Web Service

CVE-2024-0912 (Jun 06, 2024)
IIS Log Disclosure: WinCreds Exposed in CCURE 9000 Web Server
Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the CCURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces CCURE 9000 or prior versions.
Products: Software House C Cure 9000 Siteserver

CVE-2023-3749 (Aug 03, 2023)
VideoEdge Local Config Edit Permits Operation Interference
A local user could edit the VideoEdge configuration file and interfere with VideoEdge operation.
Products: Videoedge

CVE-2023-2025 (May 18, 2023)
OpenBlue E M Data Collector <3.2.5.75: Info Disclosure to Unauth Users
OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 may expose sensitive information to an unauthorized user under certain circumstances.
Products: Openblue Enterprise Manager Data Collector

CVE-2023-2024 (May 18, 2023)
Improper Auth in OpenBlue Data Collector <3.2.5.75 (Unauthorized Access)
Improper authentication in OpenBlue Enterprise Manager Data Collector versions prior to 3.2.5.75 allows access to an unauthorized user under certain circumstances.
Products: Openblue Enterprise Manager Data Collector

CVE-2022-21939 (Feb 09, 2023)
Johnson Controls SCT v14/v15 Sensitive Cookie Lacking HttpOnly Flag
Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
Products: Metasys System Configuration Tool

CVE-2022-21940 (Feb 09, 2023)
Johnson Controls SCT Sensitive Cookie missing Secure before 14.2.3/15.0.3
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 15.0.3 could allow access to the cookie.
Products: Metasys System Configuration Tool

CVE-2021-36204 (Jan 13, 2023)
IPC in Johnson Controls Metasys <10.1.6 / <11.0.3 Exposes Credentials
Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.
Products: Metasys Application Data Server, Metasys Extended Application Data Server, Metasys Open Application Server, and others

CVE-2021-36206 (Oct 28, 2022)
CEVAS <1.01.46: Auth Bypass via SQLi
All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries.
Products: Cevas

CVE-2022-21936 (Oct 07, 2022)
Metasys ADX 12.0 MVE SMP UI Password Bypass
On Metasys ADX Server version 12.0 running MVE, an Active Directory user could execute validated actions without providing a valid password when using MVE SMP UI.
Products: Metasys Extended Application Data Server

CVE-2021-36200 (Jul 22, 2022)
Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.
Products: Metasys Open Application Server, Metasys Extended Application Data Server, Metasys Application Data Server, and others

CVE-2022-21938 (Jun 15, 2022)
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the MUI Graphics web interface.
Products: Metasys Open Application Server, Metasys Application Data Server, Metasys Extended Application Data Server, and others

CVE-2022-21935 (Jun 15, 2022)
A vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 allows unverified password change.
Products: Metasys Open Application Server, Metasys Application Data Server, Metasys Extended Application Data Server, and others

CVE-2022-21937 (Jun 15, 2022)
Under certain circumstances, a vulnerability in Metasys ADS/ADX/OAS 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS 11 versions prior to 11.0.2 could allow a user to inject malicious code into the web interface.
Products: Metasys Open Application Server, Metasys Application Data Server, Metasys Extended Application Data Server, and others

CVE-2022-21934 (May 06, 2022)
Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS server 11 versions prior to 11.0.2.
Products: Metasys Open Application Server, Metasys Extended Application Data Server, Metasys Application Data Server, and others

CVE-2021-36207 (Apr 29, 2022)
Under certain circumstances improper privilege management in Metasys ADS/ADX/OAS servers versions 10 and 11 could allow an authenticated user to elevate their privileges to administrator.
Products: Metasys Open Application Server, Metasys Extended Application Data Server, Metasys Application Data Server, and others

CVE-2021-36203 (Apr 22, 2022)
The affected product may allow an attacker to identify and forge requests to internal systems by way of a specially crafted request.
Products: Metasys System Configuration Tool

CVE-2021-36205 (Apr 15, 2022)
Under certain circumstances the session token is not cleared on logout.
Products: Metasys Application Data Server, Metasys Extended Application Data Server, Metasys Open Application Server, and others

CVE-2022-26643 (Apr 13, 2022)
An issue in EasyIO CPT Graphics v0.8 allows attackers to discover valid users in the application.
Products: Easyio Cpt Graphics

CVE-2021-36202 (Apr 07, 2022)
Server-Side Request Forgery (SSRF) vulnerability in Johnson Controls Metasys could allow an authenticated attacker to inject malicious code into the MUI PDF export feature. This issue affects: Johnson Controls Metasys, all 10 versions prior to 10.1.5; all 11 versions prior to 11.0.2.
Products: Metasys Application Data Server, Metasys Extended Application Data Server, Metasys Open Application Server, and others

CVE-2021-36199 (Jan 14, 2022)
Running a vulnerability scanner against VideoEdge NVRs can cause some functionality to stop.
Products: Videoedge

CVE-2021-36198 (Dec 06, 2021)
Successful exploitation of this vulnerability could allow an unauthorized user to access sensitive data.
Products: Kantech Entrapass

CVE-2021-27664 (Oct 11, 2021)
Under certain configurations an unauthenticated remote user could be given access to credentials stored in the exacqVision Server.
Products: Exacqvision Web Service

CVE-2021-27665 (Oct 11, 2021)
An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause a denial-of-service condition.
Products: Exacqvision Server

CVE-2021-27658 (Jun 24, 2021)
exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.
Products: Exacqvision Enterprise Manager

CVE-2021-27659 (Jun 24, 2021)
exacqVision Web Service 21.03 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users.
Products: Exacqvision Web Service

CVE-2021-27657 (Jun 04, 2021)
Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions.
Products: Metasys

CVE-2021-27656 (Mar 18, 2021)
A vulnerability in exacqVision Web Service 20.12.2.0 and prior could allow an unauthenticated attacker to view system-level information about the exacqVision Web Service and the operating system.
Products: Exacqvision Web Service

CVE-2020-9049 (Nov 19, 2020)
A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token and use it to execute an HTTP API Method without the need for valid authentication/authorization. Under certain circumstances, this could be used by an attacker to impact system availability by conducting a Denial of Service attack.
Products: C Cure Web, Victor Web

CVE-2020-9048 (Oct 08, 2020)
A vulnerability in specified versions of American Dynamics victor Web Client and Software House CCURE Web Client could allow a remote unauthenticated attacker on the network to delete arbitrary files on the system or render the system unusable by conducting a Denial of Service attack.
Products: Victor Web Client

CVE-2020-9047 (Jun 26, 2020)
A vulnerability exists that could allow the execution of unauthorized code or operating system commands on systems running exacqVision Web Service versions 20.06.3.0 and prior and exacqVision Enterprise Manager versions 20.06.4.0 and prior. An attacker with administrative privileges could potentially download and run a malicious executable that could allow OS command injection on the system.
Products: Exacqvision Enterprise Manager, Exacqvision Web Service

CVE-2020-9045 (May 21, 2020)
During installation or upgrade to Software House CCURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation.
Products: C Cure 9000 Firmware

CVE-2019-7589 (Mar 10, 2020)
A vulnerability with the SmartService API Service option exists whereby an unauthorized user could potentially exploit this to upload malicious code to the server that could be executed at system level privileges. This affects Johnson Controls' Kantech EntraPass Corporate Edition versions 8.0 and prior; Kantech EntraPass Global Edition versions 8.0 and prior.
Products: Entrapass

CVE-2020-9044 (Mar 10, 2020)
XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.
Products: Metasys Application Data Server, Metasys Extended Application Data Server, Metasys Lonworks Control Server, and others

CVE-2019-7594 (Aug 20, 2019)
Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP).
Products: Metasys System

CVE-2019-7593 (Aug 20, 2019)
Metasys® ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).
Products: Metasys System

CVE-2019-7590 (Jul 19, 2019)
ExacqVision Server services 'exacqVisionServer', 'dvrdhcpserver' and 'mdnsresponder' have an unquoted service path. If an authenticated user is able to insert code in their system root path it potentially can be executed during the application startup. This could allow the authenticated user to elevate privileges on the system. This issue affects: Exacq Technologies, Inc. exacqVision Server 9.6; 9.8. This issue does not affect: Exacq Technologies, Inc. exacqVision Server version 9.4 and prior versions; 19.03. It is not known whether this issue affects: Exacq Technologies, Inc. exacqVision Server versions prior to 8.4.
Products: Exacqvision Server

CVE-2018-10624 (Aug 01, 2018)
In Johnson Controls Metasys System Versions 8.0 and prior and BCPro (BCM) all versions prior to 3.0.2, this vulnerability results from improper error handling in HTTP-based communications with the server, which could allow an attacker to obtain technical information.
Products: Bcpro, Metasys System
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).