Johnson Controls Metasys and BCPro (ICSA-18-212-02)

Created: Wednesday, August 1, 2018 - 13:11
Categories:
Cybersecurity

The NCCIC has released an advisory regarding an information exposure through an error message vulnerability in Johnson Controls Metasys and BCPro products. The vulnerability affects Metasys System versions 8.0 and prior, and BCPro (BCM), all versions prior to 3.0.2. It results from improper error handling in HTTP-based communications with the server. Successful exploitation could allow an attacker to obtain technical information about the Metasys or BCPro server, which could then be used to target that system for attack. There are currently no known public exploits; however, the vulnerability is exploitable from an adjacent network and could be successfully exploited by an attacker with a low skill level. Johnson Controls has fixed this vulnerability in subsequent versions and recommends that users upgrade to the latest product versions. The NCCIC also recommends a series of defensive measures to minimize the risk of exploitation of this vulnerability. NCCIC/ICS-CERT.