ICSA-25-350-02 · Published 2026-03-05
Johnson Controls PowerG, IQPanel and IQHub (Update A)
CVSS 7.6 HIGH
Risk Summary
Successful exploitation of these vulnerabilities could allow an attacker to read or write encrypted traffic or perform a replay attack.
Remediations
Johnson Controls recommends the following:
- Ensure only trusted devices are on the wireless network
- Prior to enrolling any devices, it is strongly recommended to update IQPanel 4 to version 4.6.1/4.6.1i or later
- Devices that support PowerG+ should use PowerG v53.05 or later.
- During the installation or enrollment phase of setup, enter the PIN code in the PIN Code field on the sensor enrollment screen. For additional security, Johnson Controls recommends only authorized company personnel or integrators be present during the installation/pairing/enrollment process.
- If replacing a PowerG device, consider replacing all end-of-life products (IQ Panel 2, IQ Panel 2+, IQ Hub) with the latest IQ Panel 4 using firmware version 4.6.1 or greater.
- For more detailed mitigation instructions, see Johnson Controls Product Security Advisory JCI-PSA-2025-01 v2 at the following location: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
- Further ICS security notices and product security guidance are located at Johnson Controls Trust Center website: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
Affected Vendors
Johnson Controls Inc.
Affected Products (5)
- Johnson Controls Inc. · PowerG · <=53.02
- Johnson Controls Inc. · IQHub · vers:all/*
- Johnson Controls Inc. · IQPanel 2 · vers:all/*
- Johnson Controls Inc. · IQPanel 2+ · vers:all/*
- Johnson Controls Inc. · IQPanel 4 · <4.6.1
Affected Sectors
Commercial Facilities