PatchSiren cyber security CVE debrief

CVE-2025-26381 Johnson Controls Inc. CVE debrief

Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace versions 2025.1.2 and prior contain a Direct Request vulnerability that could allow an attacker to gain unauthorized access to sensitive information. The vulnerability was disclosed by CISA on December 4, 2025, with a CVSS 3.1 score of 9.3 (Critical). The attack vector is network-based, requires no privileges or user interaction, and can affect resources beyond the vulnerable component scope.

Vendor: Johnson Controls Inc.
Product: OpenBlue Mobile Web Application for OpenBlue Workplace
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-04
Original CVE updated: 2025-12-04
Advisory published: 2025-12-04
Advisory updated: 2025-12-04

Who should care

Organizations using Johnson Controls OpenBlue Workplace with the Mobile Web Application enabled, particularly in building automation and smart building environments. Security teams responsible for ICS/OT infrastructure, facility managers, and system integrators deploying OpenBlue solutions should prioritize assessment and remediation.

Technical summary

The vulnerability exists in the OpenBlue Mobile Web Application for OpenBlue Workplace, where improper access controls allow direct requests to sensitive resources without proper authorization. The CVSS 3.1 score of 9.3 reflects network attackability, low attack complexity, no required privileges or user interaction, a changed scope, high confidentiality impact, and low integrity impact. The CVSS 4.0 vector likewise indicates low attack complexity with attack requirements present, high confidentiality impact on both the vulnerable and subsequent systems, and low integrity impact on both.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade to patch level 2025.1.3 or above when available. Once the patch is applied, no further mitigation steps are required.
  • If the patch is unavailable, disable the Mobile Application in Microsoft Internet Information Services (IIS) at the application pool level.
  • As an alternative workflow, use the primary OpenBlue Workplace web interface at [base url]/FMInteract/Default.aspx?DashboardType=Homepage for functionality previously accessed via the Mobile interface.
  • For detailed mitigation instructions, consult Johnson Controls Product Security Advisory JCI-PSA-2025-05 v1.
  • Apply network segmentation to limit exposure of ICS/OT systems to untrusted networks.
  • Implement defense-in-depth strategies for industrial control systems environments.
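The interim IIS mitigation above, as an added PowerShell example that is not part of the advisory or Johnson Controls' own guidance. The site name and the mobile application's virtual path are assumed placeholders that must be matched to the local installation before use.

```powershell
# Added example: disable the OpenBlue Mobile Web Application at the IIS
# application-pool level and keep it from restarting. Not vendor code.
# $SiteName and $MobileAppPath are ASSUMED placeholders; confirm them against
# the local IIS configuration and JCI-PSA-2025-05 before running.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName      = 'Default Web Site'   # placeholder: IIS site hosting OpenBlue Workplace
$MobileAppPath = '/Mobile'            # placeholder: virtual path of the Mobile Web Application

# Resolve the application pool that serves the mobile application.
$app = Get-WebApplication -Site $SiteName | Where-Object { $_.path -eq $MobileAppPath }
if (-not $app) {
    throw "No IIS application at '$SiteName$MobileAppPath'; check the path in IIS Manager."
}
$poolName = $app.applicationPool

# Refuse to proceed if other applications share the pool: stopping it would
# take those down as well, so they must be moved to their own pool first.
$sharing = Get-WebApplication -Site $SiteName |
    Where-Object { $_.applicationPool -eq $poolName -and $_.path -ne $MobileAppPath }
if ($sharing) {
    throw "Pool '$poolName' is shared with: $($sharing.path -join ', '). Isolate the mobile app first."
}

# Stop the pool and disable autoStart so an IIS reset or reboot does not bring it back.
if ((Get-WebAppPoolState -Name $poolName).Value -ne 'Stopped') {
    Stop-WebAppPool -Name $poolName
}
Set-ItemProperty -Path "IIS:\AppPools\$poolName" -Name autoStart -Value $false

# Verify: the pool must report Stopped and autoStart must be off.
$state     = (Get-WebAppPoolState -Name $poolName).Value
$autoStart = (Get-ItemProperty -Path "IIS:\AppPools\$poolName").autoStart
if ($state -ne 'Stopped' -or $autoStart) {
    throw "Mitigation not applied: state=$state autoStart=$autoStart"
}
Write-Output "Application pool '$poolName' stopped and autoStart disabled; mobile interface offline."
```

After running it, confirm from a client on the building network that the mobile URL no longer serves content, while the primary FMInteract interface still does.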

Evidence notes

Source: CISA CSAF advisory ICSA-25-338-03. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N. Affected versions: 2025.1.2 and prior.
