EUVD-2022-27091

🗓️ 03 Oct 2025 20:07:09Reported by EUVDType

Vulnerability in Metasys ADS/ADX/OAS versions allows unverified password changes before updates.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2022-21935	14 Jun 202219:41	–	attackerkb
BDU FSTEC	The vulnerability of the Metasys Application and Data Server (ADS), Metasys Extended Application and Data Server (ADX), and Metasys Open Application Server (OAS) lies in the lack of necessary checks during password deletion, allowing attackers to execute arbitrary code.	6 Jul 202200:00	–	bdu_fstec
CNNVD	Johnson Controls Metasys ADS/ADX/OAS Servers 授权问题漏洞	14 Jun 202200:00	–	cnnvd
CVE	CVE-2022-21935	15 Jun 202219:57	–	cve
Cvelist	CVE-2022-21935 Metasys password guessing	15 Jun 202219:57	–	cvelist
ICS	Johnson Controls Metasys ADS ADX OAS Servers	14 Jun 202200:00	–	ics
NVD	CVE-2022-21935	15 Jun 202220:15	–	nvd
OSV	CVE-2022-21935	15 Jun 202220:15	–	osv
Prion	Default credentials	15 Jun 202220:15	–	prion

[
  {
    "enisaIdVendor": [
      {
        "id": "5f86224d-0006-3e05-a11a-ab8ada65061b",
        "vendor": {
          "name": "Johnson Controls"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "abf02bf1-bfc7-39bb-9bbb-7fd8fd85ac9d",
        "product": {
          "name": "Metasys ADS/ADX/OAS server"
        },
        "product_version": "All 10 versions <10.1.5"
      },
      {
        "id": "f6694fa1-c55d-3c6e-8b26-f733eb456f68",
        "product": {
          "name": "Metasys ADS/ADX/OAS server"
        },
        "product_version": "All 11 versions <11.0.2"
      }
    ]
  }
]

Source	Link
johnsoncontrols	www.johnsoncontrols.com/cyber-solutions/security-advisories
cisa	www.cisa.gov/uscert/ics/advisories/icsa-22-165-01

03 Oct 2025 20:07Current

7.6High risk

Vulners AI Score7.6

CVSS 3.17.5

CVSS 25

EPSS0.00247

metasys vulnerability unverified password change security update