PatchSiren cyber security CVE debrief
CVE-2025-61739 Johnson Controls Inc. CVE debrief
CVE-2025-61739 is a Johnson Controls advisory affecting PowerG, IQHub, IQPanel 2, IQPanel 2+, and IQPanel 4. CISA says the weakness is nonce reuse, which may let an attacker replay traffic or decrypt captured packets. The advisory was published on 2025-12-16 and updated on 2026-03-05 with additional mitigation details.
- Vendor: Johnson Controls Inc.
- Product: PowerG
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-16
- Original CVE updated: 2026-03-05
- Advisory published: 2025-12-16
- Advisory updated: 2026-03-05
Who should care
Organizations using Johnson Controls PowerG, IQPanel, or IQHub products should care most, especially teams managing wireless device enrollment/pairing, installers, integrators, and operators with legacy IQ Panel 2 / IQ Panel 2+ / IQ Hub deployments.
Technical summary
The CISA CSAF advisory identifies nonce reuse as the underlying issue and maps it to CVSS 3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (7.6, High). The practical impact described by the advisory is that an attacker on the relevant adjacent wireless path may be able to replay captured packets or decrypt traffic. CISA’s Update A also added mitigation details and updated the vendor advisory link.
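The advisory names nonce reuse as the root cause and replay or decryption of captured frames as the consequence. The following is an added example, not vendor code or anything derived from the PowerG protocol: it shows the two checks a defender actually runs against that weakness, an offline audit that flags any (sender, nonce) pair appearing twice in a captured trace, and a receiver-side anti-replay window (IPsec-style bitmap) that rejects duplicate or stale counter nonces. The packet layout, field names and trace contents are constructed for illustration.

```python
"""Nonce-reuse audit and anti-replay window (added example, not vendor code).

Nothing here decrypts anything. It demonstrates the defensive checks that
matter when a protocol depends on unique nonces: detect reuse in a trace,
and refuse duplicates at the receiver. Frame format is hypothetical.
"""
from collections import defaultdict

# Constructed sample trace (hypothetical format): one record per received frame,
# with a per-sender 64-bit counter nonce in hex and an opaque payload tag.
SAMPLE_TRACE = [
    {"seq": 1, "sender": "sensor-01", "nonce": "0000000000000005", "payload": "a1"},
    {"seq": 2, "sender": "sensor-01", "nonce": "0000000000000006", "payload": "b2"},
    {"seq": 3, "sender": "sensor-02", "nonce": "0000000000000005", "payload": "c3"},  # same nonce, other sender: fine
    {"seq": 4, "sender": "sensor-01", "nonce": "0000000000000006", "payload": "b2"},  # exact replay of seq 2
    {"seq": 5, "sender": "sensor-01", "nonce": "0000000000000006", "payload": "d4"},  # nonce reused for new data
    {"seq": 6, "sender": "sensor-01", "nonce": "0000000000000007", "payload": "e5"},
]


def audit_nonce_reuse(trace):
    """Offline audit. Returns (seq, sender, nonce, kind) for every offending frame:
    'replay' when an identical frame was already seen, 'nonce-reuse' when the same
    (sender, nonce) carries different data, the case that leaks keystream in
    stream-style AEADs."""
    first_payload = defaultdict(dict)  # sender -> nonce -> payload first seen
    findings = []
    for pkt in trace:
        prior = first_payload[pkt["sender"]].get(pkt["nonce"])
        if prior is None:
            first_payload[pkt["sender"]][pkt["nonce"]] = pkt["payload"]
        elif prior == pkt["payload"]:
            findings.append((pkt["seq"], pkt["sender"], pkt["nonce"], "replay"))
        else:
            findings.append((pkt["seq"], pkt["sender"], pkt["nonce"], "nonce-reuse"))
    return findings


class ReplayWindow:
    """Receiver-side anti-replay check for monotonically increasing counter nonces.
    Tracks a bitmap of `size` counters below the highest one accepted, so modestly
    out-of-order frames are accepted once and any duplicate or too-old frame is dropped."""

    def __init__(self, size=64):
        self.size = size
        self.highest = -1   # highest counter accepted so far
        self.window = 0     # bit i set => counter (highest - i) already accepted

    def accept(self, counter):
        if counter > self.highest:
            shift = counter - self.highest
            if shift >= self.size:
                self.window = 1                     # window slid entirely past old state
            else:
                self.window = ((self.window << shift) | 1) & ((1 << self.size) - 1)
            self.highest = counter
            return True
        offset = self.highest - counter
        if offset >= self.size:
            return False                            # too old to track: drop
        bit = 1 << offset
        if self.window & bit:
            return False                            # duplicate: drop
        self.window |= bit
        return True


def filter_trace(trace, size=64):
    """Run one ReplayWindow per sender over the trace; return the seq numbers accepted."""
    windows = defaultdict(lambda: ReplayWindow(size))
    return [pkt["seq"] for pkt in trace
            if windows[pkt["sender"]].accept(int(pkt["nonce"], 16))]


if __name__ == "__main__":
    for finding in audit_nonce_reuse(SAMPLE_TRACE):
        print("finding:", finding)
    print("accepted frames:", filter_trace(SAMPLE_TRACE))
```

The audit distinguishes a straight replay from a nonce reused with different data because the two have different remediation weight: a replay is a freshness failure, while reuse with new data is the condition the advisory's "decrypt captured packets" outcome depends on. The window keyed per sender reflects that nonce uniqueness only has to hold per key; a firmware fix that guarantees that property on the sender side is still the real remediation, and these checks are how you confirm it held.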
Defensive priority
High priority for environments that use the affected Johnson Controls products, with extra urgency where wireless enrollment or pairing is still in use and where legacy hardware remains deployed. Because the attack vector is adjacent and requires no privileges or user interaction, remediation should be planned promptly.
Recommended defensive actions
- Update IQPanel 4 to version 4.6.1/4.6.1i or later before enrolling devices.
- If devices support PowerG+, use PowerG v53.05 or later.
- Ensure only trusted devices are on the wireless network.
- During installation or enrollment, enter the PIN code in the PIN Code field on the sensor enrollment screen.
- Limit installation/pairing/enrollment to authorized company personnel or integrators only.
- If replacing a PowerG device, consider replacing end-of-life IQ Panel 2, IQ Panel 2+, and IQ Hub systems with IQ Panel 4 running firmware 4.6.1 or greater.
- Review Johnson Controls Product Security Advisory JCI-PSA-2025-01 v2 for detailed mitigation instructions.
- Apply general CISA ICS recommended practices and trust-center guidance for industrial control systems.
Evidence notes
CISA’s CSAF advisory (ICSA-25-350-02 / CVE-2025-61739) states the affected product is vulnerable due to nonce reuse, which may allow replay attacks or decryption of captured packets. The source metadata lists affected products as PowerG, IQHub, IQPanel 2, IQPanel 2+, and IQPanel 4, and records the CVSS vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L. The advisory revision history shows Update A on 2026-03-05 added mitigation details and updated the vendor advisory link.
Official resources
- CVE-2025-61739 CVE record (CVE.org)
- CVE-2025-61739 NVD detail (NVD)
- Source item URL: cisa_csaf
Public advisory basis: CISA CSAF entry ICSA-25-350-02 for CVE-2025-61739, published 2025-12-16 and updated 2026-03-05. No CISA KEV listing was supplied.