CVE-2021-27657
HIGH
Johnson Controls Metasys <11.0 - Privilege Escalation
Title source: llm
Description
Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system. This issue affects: Johnson Controls Metasys version 11.0 and prior versions.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://www.johnsoncontrols.com/cyber-solutions/security-advisories
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert
https://us-cert.gov/ics/advisories
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-01
Scores
CVSS v3
8.8
EPSS
0.0124
EPSS Percentile
65.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-269
Status
published
Products (1)
johnsoncontrols/metasys
< 11.0
Published
Jun 04, 2021
Tracked Since
Feb 18, 2026