PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-61738 Johnson Controls Inc. CVE debrief

CVE-2025-61738 is a medium-severity vulnerability in Johnson Controls PowerG, IQPanel, and IQHub products. Under specific circumstances, sensitive information is transmitted in cleartext, allowing an attacker who can capture network traffic to obtain the PowerG network key and subsequently read or write encrypted packets on the network. The vulnerability was disclosed by CISA on December 16, 2025, with an update published March 5, 2026 that refined the vulnerability description and added mitigation details. Johnson Controls has issued firmware updates and operational guidance to address the exposure.

Vendor: Johnson Controls Inc.
Product: PowerG
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-16
Original CVE updated: 2026-03-05
Advisory published: 2025-12-16
Advisory updated: 2026-03-05

Who should care

Organizations deploying Johnson Controls PowerG-enabled security systems, including IQPanel 2, IQPanel 2+, IQPanel 4, and IQHub installations. Security integrators and installers responsible for device enrollment and network configuration. Facilities management teams overseeing physical security infrastructure in commercial, industrial, and residential environments.

Technical summary

The vulnerability exists when sensitive information is transmitted without encryption under specific operational conditions. An attacker positioned to capture network traffic can extract the PowerG network encryption key, enabling unauthorized decryption of network communications and the ability to inject crafted packets. The attack requires network access and specific timing during device enrollment or operation. Remediation involves firmware updates to IQPanel 4 (4.6.1/4.6.1i+) and PowerG+ devices (v53.05+), combined with procedural controls during device pairing to prevent key exposure.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update IQPanel 4 to firmware version 4.6.1/4.6.1i or later prior to enrolling any devices
  • For PowerG+ capable devices, ensure PowerG firmware v53.05 or later is installed
  • During sensor enrollment, enter the PIN code in the PIN Code field on the enrollment screen and restrict physical presence to authorized personnel only
  • Ensure only trusted devices are permitted on the wireless network
  • When replacing PowerG devices, consider upgrading end-of-life products (IQ Panel 2, IQ Panel 2+, IQ Hub) to IQ Panel 4 with firmware 4.6.1 or greater
  • Review Johnson Controls Product Security Advisory JCI-PSA-2025-01 v2 for detailed mitigation instructions
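An added inventory check (not part of this debrief or of Johnson Controls' tooling) that applies the firmware thresholds and end-of-life guidance above to a constructed device list; the record layout, field names and sample versions are assumptions for illustration.

```python
import re

# Minimum firmware from the advisory: IQ Panel 4 4.6.1/4.6.1i, PowerG+ v53.05.
IQPANEL4_MIN = (4, 6, 1)
POWERG_PLUS_MIN = (53, 5)
# Models the advisory recommends replacing with IQ Panel 4 when swapping PowerG devices.
EOL_MODELS = {"IQ Panel 2", "IQ Panel 2+", "IQ Hub"}

def parse_version(text):
    """Turn '4.6.1i' or 'v53.05' into a tuple of ints for ordered comparison.
    A trailing letter (the 'i' build of 4.6.1) is dropped: the advisory treats
    4.6.1 and 4.6.1i as equivalent remediation levels."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)[a-z]?", text.strip().lower())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def assess(device):
    """Return (status, reason) for one inventory record (assumed layout:
    {'model': ..., 'panel_fw': ..., 'powerg_fw': ...})."""
    model = device["model"]
    if model in EOL_MODELS:
        return "REPLACE", f"{model} is end-of-life; migrate to IQ Panel 4 >= 4.6.1"
    if model == "IQ Panel 4":
        if parse_version(device["panel_fw"]) < IQPANEL4_MIN:
            return "UPDATE", "IQ Panel 4 below 4.6.1; update before enrolling devices"
        pg = device.get("powerg_fw")
        if pg is not None and parse_version(pg) < POWERG_PLUS_MIN:
            return "UPDATE", "PowerG+ firmware below v53.05"
        return "OK", "meets advisory minimums; still use the PIN Code field at enrollment"
    return "REVIEW", f"model {model!r} is not covered by this debrief"

# Constructed sample inventory (not real site data).
SAMPLE_INVENTORY = [
    {"model": "IQ Panel 4", "panel_fw": "4.6.1i", "powerg_fw": "v53.05"},
    {"model": "IQ Panel 4", "panel_fw": "4.5.2", "powerg_fw": "v53.01"},
    {"model": "IQ Panel 4", "panel_fw": "4.6.1", "powerg_fw": "v52.99"},
    {"model": "IQ Panel 2+", "panel_fw": "2.7.1"},
]

def audit(inventory):
    """Status per device, in inventory order."""
    return [assess(d)[0] for d in inventory]

if __name__ == "__main__":
    for d in SAMPLE_INVENTORY:
        print(d["model"], d.get("panel_fw"), *assess(d))
```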

Evidence notes

CISA published initial advisory ICSA-25-350-02 on 2025-12-16; Update A released 2026-03-05 with revised description and expanded mitigation guidance. CVSS 3.1 score 5.3 (MEDIUM).

Official resources

2025-12-16