ICSA-25-338-03 · Published 2025-12-04 · View on CISA ICS-CERT ↗

Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace

CVSS 9.3 CRITICAL

Risk Summary

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.

CVE-2025-26381

Johnson Controls Inc. recommends the following:
Upgrade to patch level 2025.1.3 or above when available. Note: When this patch is applied, skip the below two steps.
Disable the Mobile Application in Microsoft Internet Information Services (IIS) or Disable the mobile application within Microsoft Internet Information Services (IIS) at the application pool level.
Use the primary OpenBlue Workplace web interface: To complete the tasks you've previously accomplished in OpenBlue Workplace Mobile interface, the primary Workplace web interface provides a subset of the Mobile functionality and is available here: [base url]/FMInteract/Default.aspx?DashboardType=Homepage.
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2025-05 v1 at the following location: https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Johnson Controls Inc.

Johnson Controls Inc. · OpenBlue Mobile Web Application for OpenBlue Workplace <=2025.1.2

Commercial Facilities, Critical Manufacturing, Energy, Government Services and Facilities, Transportation Systems

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.