Johnson Controls Security Flaws Expose Smart Buildings to Cyberattacks

Johnson Controls has disclosed four critical vulnerabilities in its **PowerG, IQPanel, and IQHub** security systems, potentially allowing attackers to **read or write encrypted traffic, replay commands, or disrupt operations**. These flaws affect millions of devices worldwide, particularly in commercial facilities. Immediate patching and mitigation steps are recommended to prevent exploitation.

---
title: "Johnson Controls Security Flaws Expose Smart Buildings to Cyberattacks"
short_title: "Critical flaws in Johnson Controls security systems"
description: "Johnson Controls PowerG, IQPanel, and IQHub vulnerabilities allow attackers to intercept data, replay commands, or disrupt operations. Patch now to secure smart buildings."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [johnson-controls, cve-2025, smart-buildings, cybersecurity, iot-security]
score: 0.85
cve_ids: [CVE-2025-61738, CVE-2025-61739, CVE-2025-26379, CVE-2025-61740]
---

Critical Vulnerabilities in Johnson Controls Security Systems Threaten Smart Buildings

Johnson Controls, a global leader in smart building solutions, has issued an urgent security advisory addressing four critical vulnerabilities in its PowerG, IQPanel, and IQHub product lines. If exploited, these flaws could enable attackers to intercept sensitive data, replay malicious commands, or disrupt building security operations. The vulnerabilities impact devices deployed across commercial facilities worldwide, raising concerns about the security of IoT-enabled building management systems.

---

Key Points

- Four critical vulnerabilities (CVE-2025-61738, CVE-2025-61739, CVE-2025-26379, CVE-2025-61740) affect Johnson Controls PowerG, IQPanel, and IQHub devices.
- Exploitation could allow attackers to read or write encrypted traffic, perform replay attacks, or disrupt device operations.
- Affected versions include PowerG (≤53.02), IQHub (all versions), IQPanel 2 (all versions), IQPanel 2+ (all versions), and IQPanel 4 (<4.6.1).
- High-severity CVSS scores (up to 7.6) indicate significant risk, particularly for commercial facilities.
- Mitigation steps include updating firmware, replacing end-of-life devices, and enforcing secure enrollment practices.

---

Technical Details

#### Vulnerabilities Overview
The identified vulnerabilities stem from cryptographic weaknesses, authentication flaws, and insecure transmission practices. Here’s a breakdown of each flaw:

| CVE ID | Vulnerability Type | CVSS Score | Severity | Impact |
|---------------------|-----------------------------------------------|----------------|--------------|-------------------------------------------------------------------------------------------------|
| CVE-2025-61738 | Cleartext Transmission of Sensitive Information | 5.3 | Medium | Attackers can capture the network key and read or write encrypted packets. |
| CVE-2025-61739 | Reusing a Nonce in Encryption | 7.6 | High | Enables replay attacks or decryption of captured packets. |
| CVE-2025-26379 | Weak Pseudo-Random Number Generator (PRNG) | 7.6 | High | Allows attackers to read or inject encrypted PowerG packets. |
| CVE-2025-61740 | Origin Validation Error | 7.6 | High | Attackers can spoof packets, leading to denial-of-service (DoS) or unauthorized modifications. |

---

#### Affected Products
The vulnerabilities impact the following Johnson Controls products:

- PowerG (versions ≤53.02)
- IQHub (all versions)
- IQPanel 2 (all versions)
- IQPanel 2+ (all versions)
- IQPanel 4 (versions <4.6.1)

These devices are widely used in commercial facilities, including offices, hospitals, and educational institutions, making them prime targets for cyberattacks.
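As an added example (not Johnson Controls tooling and not code from the advisory), the following script encodes the affected-version ranges listed above and triages a device inventory into patch, replace, or no-action buckets. The inventory rows are constructed, and the version scheme is an assumption: versions are treated as dotted decimal numbers and compared numerically, so that "53.02" sorts below "53.05" and "4.6.1" below "4.10.0", both of which a plain string comparison would get wrong.

```python
"""Inventory triage against the affected-version ranges on this page.
Added example, not vendor tooling. Version strings are assumed to be dotted
decimal numbers ("53.02", "4.6.1") and are compared numerically."""


def parse_version(version: str) -> tuple:
    """'4.6.1' -> (4, 6, 1). Raises ValueError on non-numeric components."""
    return tuple(int(part) for part in version.strip().split("."))


# Affected ranges as stated in the advisory summary above. "all" means every
# shipped version is affected and the product line is end-of-life.
AFFECTED = {
    "PowerG":     {"max_inclusive": "53.02",
                   "fix": "upgrade to 53.05 or later (PowerG+ capable units)"},
    "IQHub":      {"all": True, "fix": "replace with IQPanel 4 running 4.6.1 or later"},
    "IQPanel 2":  {"all": True, "fix": "replace with IQPanel 4 running 4.6.1 or later"},
    "IQPanel 2+": {"all": True, "fix": "replace with IQPanel 4 running 4.6.1 or later"},
    "IQPanel 4":  {"max_exclusive": "4.6.1", "fix": "update to 4.6.1 or later"},
}


def assess(product: str, version: str) -> tuple:
    """Return (status, action); status is one of 'affected', 'affected-eol',
    'not-affected', 'unknown-product', 'unparseable-version'."""
    rule = AFFECTED.get(product)
    if rule is None:
        return ("unknown-product", "not in scope of this advisory; verify model name")
    if rule.get("all"):
        return ("affected-eol", rule["fix"])
    try:
        v = parse_version(version)
    except ValueError:
        return ("unparseable-version", "confirm firmware version on the device")
    if "max_inclusive" in rule and v <= parse_version(rule["max_inclusive"]):
        return ("affected", rule["fix"])
    if "max_exclusive" in rule and v < parse_version(rule["max_exclusive"]):
        return ("affected", rule["fix"])
    return ("not-affected", "no action")


# Constructed sample inventory (site, product, firmware); not real devices.
SAMPLE_INVENTORY = [
    ("HQ-lobby",  "IQPanel 4",  "4.5.2"),
    ("HQ-lobby",  "PowerG",     "53.02"),
    ("HQ-server", "PowerG",     "53.05"),
    ("Clinic-2",  "IQPanel 2+", "2.9.1"),
    ("Clinic-2",  "IQHub",      "1.3.0"),
    ("Campus-A",  "IQPanel 4",  "4.10.0"),
    ("Campus-A",  "IQPanel 4",  "dev-build"),
]


def triage(inventory):
    """Return one record per device, worst findings first."""
    order = {"affected-eol": 0, "affected": 1, "unparseable-version": 2,
             "unknown-product": 3, "not-affected": 4}
    rows = []
    for site, product, version in inventory:
        status, action = assess(product, version)
        rows.append({"site": site, "product": product, "version": version,
                     "status": status, "action": action})
    rows.sort(key=lambda r: order[r["status"]])   # stable sort keeps input order within a bucket
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['status']:<20} {r['site']:<10} {r['product']:<11} "
              f"{r['version']:<9} {r['action']}")
```

Feed `triage()` the output of whatever asset inventory you actually hold; anything that lands in `unparseable-version` or `unknown-product` needs a manual check rather than being assumed safe.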

---

Impact Assessment

#### Potential Exploitation Scenarios
1. Data Interception: Attackers could exploit CVE-2025-61738 to intercept sensitive information transmitted between devices, such as security credentials or operational commands.
2. Replay Attacks: CVE-2025-61739 enables attackers to replay legitimate commands, such as unlocking doors or disabling alarms, by reusing captured packets.
3. Packet Injection: CVE-2025-26379 allows attackers to inject malicious packets into the network, potentially disrupting building operations or gaining unauthorized access.
4. Spoofing and DoS: CVE-2025-61740 could be exploited to spoof device communications, leading to denial-of-service conditions or unauthorized configuration changes.
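The four scenarios above are failures of three receiver-side properties: a nonce that never repeats under a key (scenario 2), a tag that binds the sender's identity so injected or spoofed frames fail verification (scenarios 3 and 4), and a memory of which frames have already been accepted (scenario 2 again). The model below is an added, stand-alone example of a receiver that enforces all three; it is not the PowerG protocol, not Johnson Controls code, and its SHA-256-based keystream is a teaching stand-in for a vetted AEAD such as AES-GCM. The frame layout, sender IDs and command strings are constructed for the example.

```python
"""Receiver-side model of unique nonces, origin-bound MACs and replay memory.
Added example; toy construction, not the PowerG protocol and not vendor code.
The SHA-256 keystream stands in for a vetted AEAD and is not for production."""
import hashlib
import hmac
import secrets
import struct

HDR_LEN = 12   # sender_id (4 bytes) || counter (8 bytes), big-endian
TAG_LEN = 32   # HMAC-SHA256
WINDOW = 64    # frames of reordering tolerated before a frame counts as "too old"


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the one enrolled secret."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter mode: block i = SHA-256(enc_key || nonce || i). Everything
    rests on the nonce never repeating under the same key, which is exactly
    the property a nonce-reuse flaw like CVE-2025-61739 destroys."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hashlib.sha256(enc_key + nonce + struct.pack(">I", i)).digest()
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self, sender_id: int, key: bytes):
        self.sender_id = sender_id
        self.enc_key, self.mac_key = _subkeys(key)
        # Monotonic counter; real firmware must persist it across reboots,
        # since restarting from zero repeats nonces under the same key.
        self.counter = 0

    def seal(self, plaintext: bytes) -> bytes:
        self.counter += 1
        header = struct.pack(">IQ", self.sender_id, self.counter)
        # The header doubles as the nonce: unique per key for the device's
        # lifetime and never drawn from a PRNG (the lesson of CVE-2025-26379).
        body = _xor(plaintext, _keystream(self.enc_key, header, len(plaintext)))
        tag = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        return header + body + tag


class Receiver:
    def __init__(self, keys: dict):
        self.keys = {sid: _subkeys(k) for sid, k in keys.items()}  # provisioned at enrollment
        self.state = {}   # sender_id -> (highest counter accepted, bitmap of accepted counters below it)
        self.rejected = {"bad_tag": 0, "replay": 0, "unknown_sender": 0}

    def open(self, frame: bytes):
        """Return the plaintext, or None (and count why) if the frame is rejected."""
        if len(frame) < HDR_LEN + TAG_LEN:
            self.rejected["bad_tag"] += 1
            return None
        header, body, tag = frame[:HDR_LEN], frame[HDR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        sender_id, counter = struct.unpack(">IQ", header)
        if sender_id not in self.keys:
            self.rejected["unknown_sender"] += 1
            return None
        enc_key, mac_key = self.keys[sender_id]
        # Origin check first: a frame with a bad tag never touches replay state.
        expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.rejected["bad_tag"] += 1
            return None
        top, seen = self.state.get(sender_id, (0, 0))
        if counter > top:                       # newer than anything accepted: slide the window
            shift = min(counter - top, WINDOW)
            seen = ((seen << shift) | 1) & ((1 << WINDOW) - 1)
            top = counter
        else:                                   # older: must be inside the window and unseen
            back = top - counter
            if back >= WINDOW or (seen >> back) & 1:
                self.rejected["replay"] += 1
                return None
            seen |= 1 << back
        self.state[sender_id] = (top, seen)
        return _xor(body, _keystream(enc_key, header, len(body)))


def demo():
    """Constructed exchange: one enrolled sensor, one spoofer, one stranger."""
    key = secrets.token_bytes(32)               # CSPRNG, never the random module
    sensor = Sender(0x1001, key)
    panel = Receiver({0x1001: key})
    f1, f2 = sensor.seal(b"ARM_AWAY"), sensor.seal(b"DISARM")
    f3, f4 = sensor.seal(b"BYPASS_ZONE_3"), sensor.seal(b"STATUS")
    spoofer = Sender(0x1001, secrets.token_bytes(32))   # right ID, wrong key
    stranger = Sender(0x2002, key)                      # never enrolled
    frames = [f1, f2, f4, f3,                 # f4 before f3: reordering inside the window is fine
              f1,                             # captured and resent: rejected as replay
              spoofer.seal(b"DISARM"),        # forged origin: rejected on tag
              stranger.seal(b"DISARM")]       # unknown sender: rejected before any crypto
    return [panel.open(f) for f in frames], dict(panel.rejected)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The `rejected` counters are the hook for the monitoring advice later on the page: a steady trickle of `replay` or `bad_tag` rejections from one sensor ID is the signal an intrusion detection rule should alert on, because a healthy link produces almost none.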

#### Real-World Implications
- Physical Security Risks: Exploitation of these vulnerabilities could compromise building access controls, allowing unauthorized entry or disabling security systems.
- Operational Disruptions: Attackers could disrupt HVAC, lighting, or fire safety systems, leading to operational downtime or safety hazards.
- Data Breaches: Sensitive information, such as employee or tenant data, could be exposed if intercepted by attackers.

---

Mitigation Steps

Johnson Controls has provided the following recommended actions to mitigate these vulnerabilities:

#### Immediate Actions
1. Update Firmware:
- IQPanel 4 users should update to version 4.6.1 or later.
- PowerG devices should be upgraded to version 53.05 or later if they support PowerG+.
2. Secure Enrollment Process:
- During installation or enrollment, enter the PIN code in the sensor enrollment screen.
- Ensure only authorized personnel are present during the pairing process.
3. Replace End-of-Life Devices:
- Replace IQPanel 2, IQPanel 2+, and IQHub devices with the latest IQPanel 4 running firmware 4.6.1 or greater.

#### Long-Term Security Practices
- Network Segmentation: Isolate control system networks from business networks using firewalls.
- Remote Access Security: Use secure methods like VPNs for remote access, ensuring they are updated to the latest version.
- Monitor for Malicious Activity: Implement intrusion detection systems to monitor for suspicious activity and report incidents to CISA.
- Employee Training: Educate staff on social engineering attacks and safe email practices to prevent phishing attempts.

For detailed mitigation instructions, refer to the [Johnson Controls Product Security Advisory JCI-PSA-2025-01](https://www.johnsoncontrols.com/cyber-solutions/security-advisories).

---

Conclusion

The discovery of these critical vulnerabilities in Johnson Controls’ security systems underscores the growing risks associated with IoT-enabled building management systems. As smart buildings become more prevalent, ensuring the security of interconnected devices is paramount to preventing physical and digital threats.

Organizations using PowerG, IQPanel, or IQHub devices should immediately apply patches, replace end-of-life hardware, and implement robust security practices to mitigate risks. Failure to act could expose facilities to data breaches, operational disruptions, or physical security compromises.

Stay vigilant, prioritize cybersecurity, and follow CISA’s recommended practices to safeguard critical infrastructure.

---

References

[^1]: CISA. "[ICSA-25-350-02 Johnson Controls Inc. PowerG, IQPanel, and IQHub](https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02)". Retrieved 2025-01-24.
[^2]: Johnson Controls. "[Product Security Advisory JCI-PSA-2025-01](https://www.johnsoncontrols.com/cyber-solutions/security-advisories)". Retrieved 2025-01-24.
[^3]: NCC Group. "[Vulnerability Research on Johnson Controls Security Systems](https://www.nccgroup.com)". Retrieved 2025-01-24.
