PatchSiren cyber security CVE debrief
CVE-2025-61740 Johnson Controls Inc. CVE debrief
A HIGH severity authentication vulnerability in Johnson Controls PowerG, IQPanel, and IQHub products allows unauthenticated attackers to send unverified packets, enabling denial-of-service or device configuration modification. The flaw stems from missing source verification on wireless network packets. Affected products include PowerG sensors, IQHub, IQPanel 2/2+/4 models. CISA published initial advisory ICSA-25-350-02 on 2025-12-16 with Update A released 2026-03-05 adding mitigation details and updated vendor advisory links.
- Vendor
- Johnson Controls Inc.
- Product
- PowerG
- CVSS
- HIGH 7.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-12-16
- Original CVE updated
- 2026-03-05
- Advisory published
- 2025-12-16
- Advisory updated
- 2026-03-05
Who should care
Organizations operating Johnson Controls security and building automation systems including: commercial security integrators, facility management teams, critical infrastructure operators using PowerG wireless sensors, residential and commercial alarm monitoring companies, and OT security teams responsible for building management system security.
Technical summary
The vulnerability exists in the wireless enrollment/communication protocol where packet source authentication is not enforced. An attacker with adjacent network access can inject crafted packets without authentication, leading to two primary impacts: (1) denial-of-service through disruption of device operations, and (2) unauthorized configuration modification of enrolled sensors or panel settings. The attack vector is adjacent (AV:A) with low attack complexity (AC:L) and no privileges required (PR:N). The integrity impact is rated HIGH (I:H) due to configuration modification potential, while confidentiality and availability impacts are LOW (C:L, A:L). The CVSS 4.0 vector shows similar characteristics with VI:H (high integrity violation to the vulnerable system). Mitigation requires firmware updates, physical access controls during enrollment, and network trust boundaries.
Defensive priority
HIGH
Recommended defensive actions
- Update IQPanel 4 to firmware version 4.6.1/4.6.1i or later before enrolling any devices
- For PowerG+ capable devices, ensure PowerG firmware v53.05 or later is installed
- During sensor enrollment, enter PIN codes in the enrollment screen and restrict physical access to authorized personnel only
- Ensure only trusted devices are permitted on the wireless network segment
- Replace end-of-life products (IQ Panel 2, IQ Panel 2+, IQ Hub) with IQ Panel 4 running firmware 4.6.1 or greater
- Review Johnson Controls Product Security Advisory JCI-PSA-2025-01 v2 for detailed mitigation instructions
- Apply network segmentation to isolate affected control system components from untrusted networks
- Monitor for unauthorized device enrollment attempts or unexpected configuration changes
Evidence notes
CISA CSAF advisory ICSA-25-350-02 (Update A, 2026-03-05) documents authentication bypass via unverified packet sources. CVSS 3.1: 7.6 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L). CWE-346 (Origin Validation Error) cited. Vendor fix: IQPanel 4 firmware 4.6.1/4.6.1i+; PowerG+ devices require v53.05+.
Official resources
-
CVE-2025-61740 CVE record
CVE.org
-
CVE-2025-61740 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-12-16