Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace

Published:

4 December 2025 at 12:00:00

Alert date:

5 December 2025 at 08:03:23

Source:

cisa.gov

Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace versions 2025.1.2 and prior contain a Direct Request ('Forced Browsing') vulnerability (CVE-2025-26381) with a CVSS v3.1 score of 9.3. The vulnerability is remotely exploitable with low attack complexity and allows attackers to gain unauthorized access to sensitive information. It affects critical infrastructure sectors worldwide, including commercial facilities, manufacturing, energy, government services, and transportation systems. Mitigation requires upgrading to patch level 2025.1.3 or disabling the mobile application in Microsoft IIS.

Technical details

Mitigation steps:

Affected products:

Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
