PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-26379 Johnson Controls Inc. CVE debrief

A weak pseudo-random number generator in Johnson Controls PowerG, IQPanel, and IQHub products allows attackers to read or inject encrypted PowerG packets. The vulnerability affects wireless security communications, with adjacent network access sufficient for exploitation. CISA published the initial advisory on December 16, 2025, with an update on March 5, 2026 that refined the vulnerability description and added mitigation details.

Vendor: Johnson Controls Inc.
Product: PowerG
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-16
Original CVE updated: 2026-03-05
Advisory published: 2025-12-16
Advisory updated: 2026-03-05

Who should care

Organizations using Johnson Controls PowerG-enabled security panels (IQPanel 2, IQPanel 2+, IQPanel 4, IQHub) for physical security and access control systems, particularly in critical infrastructure, commercial facilities, and government installations where wireless sensor integrity is essential.

Technical summary

The PowerG wireless protocol implementation uses a cryptographically weak pseudo-random number generator that enables attackers with adjacent network access to predict or manipulate cryptographic material. This allows decryption of captured packets and injection of malicious packets into the encrypted PowerG communication stream. The vulnerability is exploitable without authentication or user interaction.

Defensive priority

HIGH

Recommended defensive actions

  • Update IQPanel 4 to firmware version 4.6.1/4.6.1i or later before enrolling any devices
  • Upgrade PowerG+ devices to PowerG v53.05 or later
  • Enter PIN codes during sensor enrollment and restrict physical access to authorized personnel only
  • Replace end-of-life products (IQ Panel 2, IQ Panel 2+, IQ Hub) with IQ Panel 4 running firmware 4.6.1 or greater
  • Ensure only trusted devices are permitted on the wireless network
  • Review Johnson Controls Product Security Advisory JCI-PSA-2025-01 v2 for detailed mitigation instructions

Evidence notes

The CISA CSAF source identifies the root cause as CWE-338 (Use of Cryptographically Weak PRNG). The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) indicates that adjacent network access is required, with no privileges or user interaction, and that the primary impact is to integrity (high), with low impact to confidentiality and availability. The March 5, 2026 update added specific firmware version requirements and expanded the vendor advisory references.

Official resources

CISA ICS Advisory ICSA-25-350-02 (Update A)