PatchSiren

Johnson Controls, Inc. CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Johnson Controls Inc. CVE published 2026-01-22

CVE-2025-26386

CVE-2025-26386 is a Johnson Controls iSTAR Configuration Utility (ICU) tool vulnerability with a CVSS 3.1 score of 7.1 (High). According to the CISA CSAF advisory, successful exploitation under certain circumstances could cause failure in the operating system of the machine hosting the ICU tool. Johnson Controls recommends updating the ICU tool to version 6.9.8.

HIGH Johnson Controls Inc. CVE published 2025-12-16

CVE-2025-61740

A HIGH severity authentication vulnerability in Johnson Controls PowerG, IQPanel, and IQHub products allows unauthenticated attackers to send unverified packets, enabling denial-of-service or device configuration modification. The flaw stems from missing source verification on wireless network packets. Affected products include PowerG sensors, IQHub, IQPanel 2/2+/4 models. CISA published initial advisory [truncated]

HIGH Johnson Controls Inc. CVE published 2025-12-16

CVE-2025-61739

CVE-2025-61739 is a Johnson Controls advisory affecting PowerG, IQHub, IQPanel 2, IQPanel 2+, and IQPanel 4. CISA says the weakness is nonce reuse, which may let an attacker replay traffic or decrypt captured packets. The advisory was published on 2025-12-16 and updated on 2026-03-05 with additional mitigation details.

MEDIUM Johnson Controls Inc. CVE published 2025-12-16

CVE-2025-61738

CVE-2025-61738 is a medium-severity vulnerability in Johnson Controls PowerG, IQPanel, and IQHub products. Under specific circumstances, sensitive information is transmitted in cleartext, allowing an attacker who can capture network traffic to obtain the PowerG network key and subsequently read or write encrypted packets on the network. The vulnerability was disclosed by CISA on December 16, 2025, with an [truncated]

HIGH Johnson Controls Inc. CVE published 2025-12-16

CVE-2025-26379

A weak pseudo-random number generator in Johnson Controls PowerG, IQPanel, and IQHub products allows attackers to read or inject encrypted PowerG packets. The vulnerability affects wireless security communications, with adjacent network access sufficient for exploitation. CISA published the initial advisory on December 16, 2025, with an update on March 5, 2026 that refined the vulnerability description an [truncated]

HIGH Johnson Controls Inc. CVE published 2025-12-11

CVE-2025-43876

A high-severity vulnerability in Johnson Controls iSTAR access control systems could allow authenticated attackers to gain unauthorized device access. CISA published advisory ICSA-25-345-01 on December 11, 2025, with vendor fixes available.

HIGH Johnson Controls Inc. CVE published 2025-12-11

CVE-2025-43875

A high-severity vulnerability in Johnson Controls iSTAR access control systems could allow authenticated attackers to gain unauthorized device access. The issue affects multiple iSTAR product lines including iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2. Johnson Controls has released patched firmware versions to address this vulnerability.

MEDIUM Johnson Controls Inc. CVE published 2025-12-04

CVE-2025-61736

CVE-2025-61736 is a medium-severity availability issue affecting Johnson Controls iSTAR products when the default certificate used to connect to the C•CURE Server expires. Under the described conditions, the panel may fail to re-establish communication, which can interrupt normal operation until certificate-related remediation is applied. CISA published the advisory on 2025-12-04 UTC, and the supplied cor [truncated]

CRITICAL Johnson Controls Inc. CVE published 2025-12-04

CVE-2025-26381

Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace versions 2025.1.2 and prior contain a Direct Request vulnerability that could allow an attacker to gain unauthorized access to sensitive information. The vulnerability was disclosed by CISA on December 4, 2025, with a CVSS 3.1 score of 9.3 (Critical). The attack vector is network-based, requires no privileges or user interaction, and [truncated]

CRITICAL Johnson Controls Inc. CVE published 2025-04-24

CVE-2025-26382

CVE-2025-26382 is a Critical vulnerability in Johnson Controls Software House iSTAR Configuration Utility (ICU). CISA’s advisory says the ICU tool can have a buffer overflow issue under certain circumstances, and the affected product range is ICU versions earlier than 6.9.5. Johnson Controls recommends upgrading to ICU 6.9.5 or greater and following the vendor’s product security advisory for mitigation gu [truncated]

MEDIUM Johnson Controls, Inc. CVE published 2024-08-01

CVE-2024-32865

Johnson Controls exacqVision Server versions 24.03 and earlier contain a TLS certificate validation weakness that could allow an attacker to impersonate connected devices. The vulnerability, published by CISA on August 1, 2024, stems from improper certificate validation under certain circumstances. With a CVSS 3.1 score of 6.4 (Medium), the attack requires adjacent network access, high attack complexity, [truncated]

MEDIUM Johnson Controls, Inc. CVE published 2024-08-01

CVE-2024-32864

Johnson Controls exacqVision Web Service versions 24.03 and prior fail to enforce HTTPS under certain conditions, allowing potential cleartext transmission of sensitive data. The vulnerability carries a CVSS 3.1 score of 6.4 (Medium) with an attack vector of adjacent network, high attack complexity, no privileges required, and user interaction required. Confidentiality and integrity impacts are rated high [truncated]

MEDIUM Johnson Controls, Inc. CVE published 2024-08-01

CVE-2024-32863

A cross-site request forgery (CSRF) vulnerability in Johnson Controls exacqVision Web Service versions 24.03 and prior allows remote attackers to perform state-changing operations with administrative privileges. The vulnerability requires user interaction and high attack complexity, with network access and no privileges required. The CVSS 3.1 vector indicates high impact to confidentiality and integrity, [truncated]

MEDIUM Johnson Controls Inc. CVE published 2024-08-01

CVE-2024-32862

CVE-2024-32862 is a medium-severity vulnerability in Johnson Controls exacqVision Web Service version 22.12.1.0, published by CISA on August 1, 2024. The vulnerability stems from insufficient protection against untrusted domains under certain circumstances, which could allow cross-origin or cross-domain attacks against the web service. The CVSS 3.1 score of 6.8 reflects network attack vector, high attack [truncated]

HIGH Johnson Controls Inc. CVE published 2024-08-01

CVE-2024-32758

A cryptographic weakness in Johnson Controls exacqVision client and server software allows insufficient key length and exchange under certain conditions, enabling potential man-in-the-middle attacks against video management system communications.

HIGH Johnson Controls Inc. CVE published 2024-07-09

CVE-2024-32861

A local privilege escalation vulnerability exists in Johnson Controls Inc. Software House C•CURE 9000 Site Server versions 2.80 and earlier. The Site Server provides insufficient protection of directories containing executables, specifically the C:\CouchDB\bin path, allowing non-administrator accounts with local access to potentially modify or replace executable files. This weakness enables authenticated lo [truncated]

HIGH Johnson Controls Inc. CVE published 2024-07-09

CVE-2024-32759

Under certain circumstances, the Software House C•CURE 9000 installer utilizes weak credentials, creating a high-severity vulnerability in physical access control systems. The issue affects versions 2.80 and earlier, with a CVSS 3.1 score of 8.8 (HIGH). The vulnerability stems from the installer component rather than runtime operation, meaning the exposure window is primarily during initial deployment or [truncated]

LOW Johnson Controls, Inc. CVE published 2024-07-02

CVE-2024-32754

Johnson Controls Kantech door controllers (KT1, KT2, and KT400 Rev01) broadcast sensitive device information when operating in factory reset mode awaiting initial configuration. Specifically, the controllers transmit their MAC address, serial number, and firmware version. This information exposure ceases once the device completes configuration. The vulnerability requires adjacent network access and high a [truncated]

MEDIUM Johnson Controls, Inc. CVE published 2024-06-27

CVE-2024-32757

A medium-severity information disclosure vulnerability in Johnson Controls Illustra Essentials Gen 4 cameras allows unnecessary user details to be written to system logs under certain conditions. The issue was disclosed by CISA on June 27, 2024, with an advisory update on July 2, 2024, revising the mitigation schedule. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N) indicates network attack vecto [truncated]

MEDIUM Johnson Controls, Inc. CVE published 2024-06-27

CVE-2024-32756

CVE-2024-32756 is a medium-severity vulnerability (CVSS 6.8) affecting Johnson Controls Illustra Essentials Gen 4 cameras. The issue allows an authenticated user to recover Linux user credentials under certain circumstances. The vulnerability was disclosed by CISA on June 27, 2024, with an advisory update on July 2, 2024 that modified the mitigation schedule. The affected product is Illustra Essentials Ge [truncated]

CRITICAL Johnson Controls, Inc. CVE published 2024-06-27

CVE-2024-32755

A critical vulnerability in Johnson Controls Illustra Essentials Gen 4 cameras allows the web interface to accept unexpected characters under certain conditions, potentially enabling authentication bypass or command injection. The issue affects firmware versions up to and including Illustra.Ess4.01.02.10.5982. CISA published advisory ICSA-24-179-04 on June 27, 2024, with an update on July 2, 2024 revising [truncated]

CRITICAL Johnson Controls Inc. CVE published 2024-06-06

CVE-2024-32752

A critical vulnerability in Johnson Controls Software House iSTAR door controllers allows unauthenticated communication between the door controllers and the iSTAR Configuration Utility (ICU). The vulnerability, published June 6, 2024 and updated July 29, 2025, affects iSTAR Pro, Edge, and eX door controllers running any firmware version, as well as iSTAR Ultra and Ultra LT door controllers running firmwar [truncated]