---
title: "Critical Vulnerability in Johnson Controls OpenBlue App Exposes Sensitive Data"
short_title: "OpenBlue app flaw leaks sensitive data"
description: "Johnson Controls OpenBlue Mobile Web App vulnerability (CVE-2025-26381) allows unauthorized access to sensitive data. Learn mitigation steps and risks now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [johnson-controls, cve-2025-26381, forced-browsing, data-breach, iot-security]
score: 0.78
cve_ids: [CVE-2025-26381]
---
### TL;DR
A critical forced browsing vulnerability (CVE-2025-26381) in Johnson Controls' OpenBlue Mobile Web Application for OpenBlue Workplace could allow a remote, unauthenticated attacker to access sensitive data. The flaw affects versions 2025.1.2 and prior and carries a CVSS v3.1 score of 9.3 (CVSS v4: 6.5). Immediate mitigation is to disable the mobile application in IIS or to upgrade to patch level 2025.1.3 once it is available.
---
### Critical Flaw in Johnson Controls OpenBlue App Puts Sensitive Data at Risk
A newly disclosed vulnerability in Johnson Controls' OpenBlue Mobile Web Application for OpenBlue Workplace could expose organizations to unauthorized data access. The flaw, tracked as CVE-2025-26381, is a direct request (forced browsing) weakness: restricted resources can be retrieved by requesting them directly, bypassing the application's access controls. With a CVSS v3.1 score of 9.3 and a CVSS v4 score of 6.5, the vulnerability poses a high risk to organizations worldwide across critical infrastructure sectors.
---
### Key Points
- Vulnerability Type: Direct Request (Forced Browsing, CWE-425).
- Affected Product: OpenBlue Mobile Web Application for OpenBlue Workplace (versions 2025.1.2 and prior).
- Impact: Unauthorized access to sensitive data, potentially leading to data breaches.
- Exploitation: Remotely exploitable with low attack complexity.
- Mitigation: Disable the app or upgrade to patch level 2025.1.3 when available.
- Sectors Affected: Commercial Facilities, Critical Manufacturing, Energy, Government Services, Transportation Systems.
---
### Technical Details
#### Affected Systems
The vulnerability impacts the following product:
- OpenBlue Mobile Web Application for OpenBlue Workplace (versions 2025.1.2 and prior).
#### Attack Vector
The flaw is a forced browsing weakness (CWE-425): the application relies on its intended navigation flow rather than on server-side authorization checks to keep restricted resources out of reach, so a client that requests the URL of such a resource directly is served it without proper authentication. Because the application is reachable over the network and no privileges or user interaction are required, the weakness can be exploited remotely to retrieve confidential data.
#### CVSS Scores and Severity
- CVSS v3.1 Base Score: 9.3 (Critical)
  Vector: `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N`
  - Attack Vector (AV): Network (remotely exploitable)
  - Attack Complexity (AC): Low
  - Privileges Required (PR): None
  - User Interaction (UI): None
  - Scope (S): Changed (impacts beyond the vulnerable component)
  - Confidentiality (C): High
  - Integrity (I): Low
  - Availability (A): None
- CVSS v4 Base Score: 6.5 (Medium)
  Vector: `AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:U`
  - Attack Requirements (AT): Present (specific conditions required)
  - Vulnerable System Confidentiality (VC): High
  - Vulnerable System Integrity (VI): Low
  - Vulnerable System Availability (VA): None
  - Subsequent System Confidentiality (SC): High
  - Subsequent System Integrity (SI): Low
  - Subsequent System Availability (SA): None
  - Exploit Maturity (E): Unproven
---
### Impact Assessment
#### Who Is at Risk?
The vulnerability affects organizations using the OpenBlue Mobile Web Application in the following sectors:
- Commercial Facilities
- Critical Manufacturing
- Energy
- Government Services and Facilities
- Transportation Systems
Given the global deployment of Johnson Controls' solutions, the flaw could expose thousands of organizations to potential data breaches. Attackers could leverage this vulnerability to steal confidential information, disrupt operations, or gain a foothold for further attacks.
#### Potential Consequences
- Data Breaches: Unauthorized access to sensitive data, including user credentials, facility layouts, and operational details.
- Operational Disruption: Compromised systems could lead to downtime or manipulation of building management systems.
- Reputational Damage: Organizations failing to patch the vulnerability risk loss of customer trust and regulatory penalties.
---
### Mitigation Steps
Johnson Controls and CISA (Cybersecurity and Infrastructure Security Agency) have recommended the following actions to mitigate the risk:
#### Immediate Actions
1. Upgrade to Patch Level 2025.1.3 (when available).
   - Note: If the patch is applied, skip the following steps.
2. Disable the Mobile Application in Microsoft Internet Information Services (IIS) or at the application pool level.
3. Use the Primary OpenBlue Workplace Web Interface:
   - Access `[base url]/FMInteract/Default.aspx?DashboardType=Homepage` for essential functions.
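Steps 2 and 3 carried out in PowerShell with the IIS WebAdministration module, as an added example that is not part of the advisory or the vendor's documentation. The site name, the mobile application's virtual path and the base URL are placeholders to be replaced with the values from your IIS Manager; the check for other applications sharing the same application pool is an assumption about how a deployment might be laid out, since the advisory does not say whether the mobile app runs in its own pool.

```powershell
# Added example, not vendor code: disable one IIS application as in mitigation step 2
# without taking the rest of the site down, then verify step 3's primary interface still answers.
# The site name, virtual path and base URL are placeholders; read the real values from IIS Manager.
Import-Module WebAdministration

$SiteName      = 'Default Web Site'               # placeholder: IIS site hosting OpenBlue Workplace
$MobileAppPath = '/MobileWebAppPlaceholder'       # placeholder: virtual path of the mobile web app
$BaseUrl       = 'https://workplace.example.test' # placeholder: the [base url] from the advisory

function Disable-IisApplication {
    param([Parameter(Mandatory)][string]$Site, [Parameter(Mandatory)][string]$AppPath)

    $apps = Get-WebApplication -Site $Site
    $app  = $apps | Where-Object { $_.path -eq $AppPath }
    if (-not $app) { throw "No application at '$AppPath' under site '$Site'" }
    $pool = $app.applicationPool

    # Stopping a pool stops every application it serves, so check for co-tenants first
    $coTenants = $apps | Where-Object { $_.applicationPool -eq $pool -and $_.path -ne $AppPath }
    if ($coTenants) {
        # Shared pool: remove only this application's IIS mapping (files stay on disk; re-add after patching)
        Write-Host "Pool '$pool' also serves $($coTenants.path -join ', '); removing mapping for $AppPath only"
        Remove-WebApplication -Site $Site -Name $AppPath.TrimStart('/')
        return "removed-mapping"
    }
    # Dedicated pool: stop it and keep it from restarting with the server
    Stop-WebAppPool -Name $pool
    Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name autoStart -Value $false
    return "stopped-pool:$pool ($((Get-WebAppPoolState -Name $pool).Value))"
}

Disable-IisApplication -Site $SiteName -AppPath $MobileAppPath

# Step 3: the primary OpenBlue Workplace interface must remain reachable after the change
$primary = "$BaseUrl/FMInteract/Default.aspx?DashboardType=Homepage"
$resp = Invoke-WebRequest -Uri $primary -UseBasicParsing
"Primary interface: HTTP $($resp.StatusCode)"

# The disabled application must no longer be served; a 403/404, or 503 from a stopped pool, is the expected outcome
try {
    Invoke-WebRequest -Uri "$BaseUrl$MobileAppPath/" -UseBasicParsing -ErrorAction Stop | Out-Null
    Write-Warning "Mobile application still responds at $MobileAppPath; re-check the IIS configuration"
} catch {
    "Mobile application no longer served: $($_.Exception.Message)"
}
```

Run it from an elevated PowerShell session on the IIS host; if the patch from step 1 is applied later, the mapping or pool can be restored from the same module.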
#### Long-Term Defensive Measures
- Minimize Network Exposure: Ensure control system devices are not accessible from the internet.
- Isolate Critical Systems: Locate control system networks and remote devices behind firewalls and separate them from business networks.
- Secure Remote Access: Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
- Follow CISA Guidelines: Implement recommended cybersecurity strategies for industrial control systems (ICS). Resources are available on [CISA’s ICS webpage](https://www.cisa.gov/topics/industrial-control-systems).
For detailed mitigation instructions, refer to the Johnson Controls Product Security Advisory [JCI-PSA-2025-05 v1](https://www.johnsoncontrols.com/cyber-solutions/security-advisories).
---
### Conclusion
The CVE-2025-26381 vulnerability in Johnson Controls' OpenBlue Mobile Web Application highlights the critical importance of robust access controls in IoT and building management systems. Organizations must act swiftly to apply patches, disable vulnerable applications, or implement compensatory controls to prevent exploitation.
As of now, no public exploitation of this vulnerability has been reported. However, given its high severity and remote exploitability, organizations are urged to prioritize mitigation efforts to safeguard sensitive data and maintain operational integrity.
Stay vigilant, monitor for updates, and follow CISA’s best practices to defend against emerging threats.
---
### References
[^1]: CISA. "[ICSA-25-338-03 Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace](https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-03)". Retrieved 2025-01-24.
[^2]: Johnson Controls. "[Product Security Advisory JCI-PSA-2025-05 v1](https://www.johnsoncontrols.com/cyber-solutions/security-advisories)". Retrieved 2025-01-24.
[^3]: MITRE. "[CWE-425: Direct Request ('Forced Browsing')](https://cwe.mitre.org/data/definitions/425.html)". Retrieved 2025-01-24.
[^4]: CVE. "[CVE-2025-26381 Detail](https://www.cve.org/CVERecord?id=CVE-2025-26381)". Retrieved 2025-01-24.