CVE-2020-9044

Metasys Improper Restriction of XML External Entity Reference

Description

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.

Remediation

Solution:

  • Johnson Controls has developed a patch to address this issue. Customers should contact their local branch office for remediation.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.27%
Vendor Advisory johnsoncontrols.com
Affected: Johnson Controls Metasys Application and Data Server (ADS, ADS-Lite)
Affected: Johnson Controls Metasys Extended Application and Data Server (ADX)
Affected: Johnson Controls Metasys Open Data Server (ODS)
Affected: Johnson Controls Metasys Open Application Server (OAS)
Affected: Johnson Controls Metasys Network Automation Engine (NAE55 only)
Affected: Johnson Controls Metasys Network Integration Engine (NIE55/NIE59)
Affected: Johnson Controls Metasys NAE85 and NIE85
Affected: Johnson Controls Metasys LonWorks Control Server (LCS)
Affected: Johnson Controls Metasys System Configuration Tool (SCT)
Affected: Johnson Controls Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed)
Published at:
Updated at:

References

Link Tags
https://www.johnsoncontrols.com/cyber-solutions/security-advisories vendor advisory
https://www.us-cert.gov/ics/advisories/icsa-20-070-05 third party advisory us government resource

Frequently Asked Questions

What is the severity of CVE-2020-9044?
CVE-2020-9044 has been scored as a high severity vulnerability.
How to fix CVE-2020-9044?
To fix CVE-2020-9044: Johnson Controls has developed a patch to address this issue. Customers should contact their local branch office for remediation.
Is CVE-2020-9044 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2020-9044 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-9044?
CVE-2020-9044 affects Johnson Controls Metasys Application and Data Server (ADS, ADS-Lite), Johnson Controls Metasys Extended Application and Data Server (ADX), Johnson Controls Metasys Open Data Server (ODS), Johnson Controls Metasys Open Application Server (OAS), Johnson Controls Metasys Network Automation Engine (NAE55 only), Johnson Controls Metasys Network Integration Engine (NIE55/NIE59), Johnson Controls Metasys NAE85 and NIE85, Johnson Controls Metasys LonWorks Control Server (LCS), Johnson Controls Metasys System Configuration Tool (SCT), Johnson Controls Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.