Rewterz

Rewterz Threat Advisory – CVE-2020-9050 – ICS: Johnson Controls Metasys Reporting Engine (MRE) Web Services

Severity

Medium

Analysis Summary

CVE-2020-9050 

Metasys Reporting Engine (MRE) Web Services does not properly sanitize pathname elements, so a supplied path can resolve to a location outside the restricted directory (path traversal).
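The containment check this class of flaw calls for, as an added example that is not Johnson Controls' code and not part of the original advisory: resolve the requested path first, then confirm it still sits under the restricted directory. The names `resolve_within` and `PathEscapeError`, the directory layout and the request strings are all constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathEscapeError(ValueError):
    """The requested path resolves outside the restricted directory."""


def resolve_within(base_dir, requested):
    """Return the real path for `requested`, or raise if it leaves base_dir."""
    base = Path(base_dir).resolve(strict=True)
    # Decode once, as a web layer would, so "%2F" is seen as "/".
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PathEscapeError("NUL byte in path")
    # Treat "\" as a separator too, and make the request relative to base.
    relative = decoded.replace("\\", "/").lstrip("/")
    # resolve() collapses ".." and follows symlinks BEFORE the comparison.
    candidate = (base / relative).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathEscapeError(f"{requested!r} resolves outside {base}")
    return candidate


def demo():
    """Check constructed requests against a throwaway directory tree."""
    requests = ["summary.txt", "../secret.txt", "..%2Fsecret.txt",
                "sub/../../secret.txt", "..\\secret.txt", "link.txt"]
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "reports")  # hypothetical restricted directory
        base.mkdir()
        (base / "summary.txt").write_text("report")
        Path(root, "secret.txt").write_text("outside the restricted dir")
        # A symlink inside the directory that points outside it.
        os.symlink(Path(root, "secret.txt"), base / "link.txt")
        results = {}
        for req in requests:
            try:
                resolve_within(base, req)
                results[req] = "allowed"
            except PathEscapeError:
                results[req] = "blocked"
        return results


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{verdict:8} {request}")
```

Comparing the resolved path, rather than searching the raw string for `..`, is what makes the encoded, backslash and symlink cases fail the same way as the plain one.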

Impact

Unauthenticated access

Affected Vendors

Johnson Controls

Affected Products

Johnson Controls MRE – v2.0
MRE – v2.1

Remediation

Johnson Controls recommends users upgrade to MRE v2.2 or later.

https://us-cert.cisa.gov/ics/advisories/icsa-21-049-01