Johnson Controls PowerG, IQPanel and IQHub

Published: 16 December 2025 at 12:00:00

Alert date: 16 December 2025 at 18:02:03

Source: cisa.gov

Mobile & IoT, Critical Infrastructure

Multiple critical vulnerabilities discovered in Johnson Controls PowerG, IQPanel and IQHub security systems affecting worldwide commercial facilities. The vulnerabilities include cleartext transmission of sensitive information, nonce reuse allowing replay attacks, weak pseudo-random number generators, and authentication bypass issues. Attackers can capture network keys, decrypt encrypted packets, perform replay attacks, and modify device configurations. Affects PowerG versions <=53.02, all versions of IQHub, IQPanel 2, IQPanel 2+, and IQPanel 4 versions <4.6.1. Johnson Controls recommends updating to fixed versions and replacing end-of-life products.

Technical details

The vulnerabilities affect Johnson Controls PowerG, IQPanel and IQHub systems used in commercial facilities worldwide. The security issues include: cleartext transmission of sensitive information that allows attackers to capture network keys and read or write encrypted packets (CVE-2025-61738); a nonce reuse vulnerability enabling replay attacks or packet decryption (CVE-2025-61739); a weak pseudo-random number generator allowing packet injection and reading (CVE-2025-26379); and an authentication bypass in which the receiver does not verify the packet source, enabling denial of service or modification of device configuration (CVE-2025-61740). Together these weaknesses could allow attackers to read or write encrypted traffic or perform replay attacks on the PowerG network.
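As an added illustration, not code from the advisory or from Johnson Controls (the real PowerG frame layout and cipher are not described here, so the frame format and an HMAC-based keystream are constructed stand-ins), the following shows why a reused nonce cancels a stream cipher's keystream (CVE-2025-61739) and how a receiver that authenticates the sender with a tag bound to the sensor id and rejects non-increasing counters closes the replay and source-verification gaps (CVE-2025-61740):

```python
import hmac, hashlib, struct

# Constructed stand-in for a PowerG-style sensor frame; the real frame layout
# and cipher are not on the page. HMAC-SHA256 in counter mode serves as the
# keystream PRF so the example runs with only the standard library.
def keystream(key, nonce, length):
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def nonce_reuse_leaks(key, nonce, p1, p2):
    """Two frames under one key+nonce: the keystream cancels and c1 ^ c2 == p1 ^ p2,
    so knowing one plaintext exposes the other. This is the nonce-reuse risk."""
    c1 = xor(p1, keystream(key, nonce, len(p1)))
    c2 = xor(p2, keystream(key, nonce, len(p2)))
    return xor(c1, c2) == xor(p1, p2)

class Sensor:
    """Sender: strictly increasing per-device counter nonce; the tag binds the sensor id."""
    def __init__(self, key, sensor_id):
        self.key, self.sensor_id, self.counter = key, sensor_id, 0
    def send(self, payload):
        self.counter += 1
        nonce = struct.pack(">IQ", self.sensor_id, self.counter)  # never repeats
        ct = xor(payload, keystream(self.key, nonce, len(payload)))
        tag = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:8]
        return nonce + ct + tag

class Panel:
    """Receiver: verify the tag (sender holds the network key, frame untampered),
    then reject any counter not greater than the last accepted one (replay)."""
    def __init__(self, key):
        self.key, self.last_seen = key, {}
    def receive(self, packet):
        nonce, ct, tag = packet[:12], packet[12:-8], packet[-8:]
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None  # forged, tampered, or sent without the network key
        sensor_id, counter = struct.unpack(">IQ", nonce)
        if counter <= self.last_seen.get(sensor_id, 0):
            return None  # replayed or stale frame
        self.last_seen[sensor_id] = counter
        return xor(ct, keystream(self.key, nonce, len(ct)))
```

The per-sensor counter in the panel is what turns a captured frame into a no-op when it is resent, and the tag check is what a device without the network key cannot pass.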

Mitigation steps:

Update IQPanel 4 to version 4.6.1/4.6.1i
Devices that support PowerG+ should use PowerG v53.05 or later
During installation or enrollment phase, enter the PIN code in the PIN Code field on the sensor enrollment screen
Only allow authorized company personnel or integrators to be present during the pairing process
Replace all end-of-life products (IQ Panel 2, IQ Panel 2+, IQ Hub) with the latest IQ Panel 4 using firmware version 4.6.1 or greater
Minimize network exposure for all control system devices and ensure they are not accessible from the internet
Locate control system networks and remote devices behind firewalls and isolate them from business networks
Use secure methods like VPNs for remote access and keep them updated
Perform proper impact analysis and risk assessment prior to deploying defensive measures

Affected products:

Johnson Controls PowerG (<=53.02)
Johnson Controls IQHub (all versions)
Johnson Controls IQPanel 2 (all versions)
Johnson Controls IQPanel 2+ (all versions)
Johnson Controls IQPanel 4 (<4.6.1)

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.