What is the severity of CVE-2021-36203?

The severity of CVE-2021-36203 is critical with a severity value of 9.1.

How can an attacker exploit CVE-2021-36203?

An attacker can exploit CVE-2021-36203 by identifying and forging requests to internal systems using a specially crafted request.

What software is affected by CVE-2021-36203?

The Johnson Controls Metasys System Configuration Tool version up to and excluding 14.2.2 is affected by CVE-2021-36203.

How can I fix CVE-2021-36203?

To fix CVE-2021-36203, it is recommended to apply the necessary security patches provided by Johnson Controls.

Where can I find more information about CVE-2021-36203?

You can find more information about CVE-2021-36203 on the CISA website at https://www.cisa.gov/uscert/ics/advisories/icsa-22-111-02.

Vulnerability/
CVE-2021-36203

critical

9.1

CWE

918

22/4/2022

17/9/2024

CVE-2021-36203: Johnson Controls Metasys SCT Pro

First published: Fri Apr 22 2022(Updated: )

The affected product may allow an attacker to identify and forge requests to internal systems by way of a specially crafted request.

Credit: productsecurity@jci.com

Affected Software	Affected Version	How to fix
Johnsoncontrols Metasys System Configuration Tool	<14.2.2
Johnsoncontrols Metasys System Configuration Tool	<14.2.2
Johnson Controls, Inc. Metasys System Configuration Tool (SCT)	<14.2.2	14.2.2
Johnson Controls, Inc. Metasys System Configuration Tool Pro (SCT Pro)	<14.2.2	14.2.2

Remedy

Johnson Controls recommends users take the following steps to mitigate this vulnerability: Update SCT/SCT Pro with Patch 14.2.2 Take proper steps to minimize risks to all building automation systems. For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2022-03 v1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

ICSA-22-111-02

Frequently Asked Questions

What is the severity of CVE-2021-36203?
The severity of CVE-2021-36203 is critical with a severity value of 9.1.
How can an attacker exploit CVE-2021-36203?
An attacker can exploit CVE-2021-36203 by identifying and forging requests to internal systems using a specially crafted request.
What software is affected by CVE-2021-36203?
The Johnson Controls Metasys System Configuration Tool version up to and excluding 14.2.2 is affected by CVE-2021-36203.
How can I fix CVE-2021-36203?
To fix CVE-2021-36203, it is recommended to apply the necessary security patches provided by Johnson Controls.
Where can I find more information about CVE-2021-36203?
You can find more information about CVE-2021-36203 on the CISA website at https://www.cisa.gov/uscert/ics/advisories/icsa-22-111-02.

collector/nvd-index
agent/type
collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/last-modified-date
agent/author
agent/remedy
agent/description
agent/first-publish-date
agent/references
agent/severity
agent/softwarecombine
agent/event
agent/tags
collector/ics-cert-advisory
source/ICS
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/johnsoncontrols
canonical/johnsoncontrols metasys system configuration tool
vendor/johnson controls, inc.
canonical/johnson controls, inc. metasys system configuration tool (sct)
canonical/johnson controls, inc. metasys system configuration tool pro (sct pro)

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.