CVE-2023-4486 HIGH

CVE-2023-4486: Uncontrolled Resource Consumption in Metasys and Facility Explorer

Vendor: Johnson Controls
Product: Metasys NAE55/SNE/SNC
Weakness: CWE-400
Published: December 7, 2023
Last update: May 28, 2025

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4, and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4, to cause a denial of service.

Key dates

02 Disclosure timeline

December 7, 2023: CVE published
May 28, 2025: Record updated