Executive Summary
In December 2025, security researchers at NCC Group identified and responsibly disclosed four cryptographic vulnerabilities (CVE-2025-61738, CVE-2025-61739, CVE-2025-26379, CVE-2025-61740) affecting Johnson Controls’ PowerG, IQPanel, and IQHub products. The flaws are cleartext transmission of sensitive information (the network key), nonce reuse, a cryptographically weak pseudo-random number generator, and missing verification of a packet’s origin. An attacker within range of the wireless link could use them to capture the network key, decrypt or replay captured packets, and inject crafted packets, altering device configuration or causing a denial of service in commercial facilities worldwide. Johnson Controls issued advisories and firmware updates; the only fixed version listed is IQPanel 4 firmware 4.6.1, so customers on IQPanel 2, IQPanel 2+, or IQHub (affected in all versions) are urged to migrate to IQPanel 4 with firmware 4.6.1 or later.
The disclosure underlines the continued importance of secure-by-design principles in IoT and OT devices as attacks increasingly pivot toward embedded and building automation systems. Heightened regulatory focus and attacker sophistication reinforce the need for proactive vulnerability management and for segmenting critical infrastructure networks.
Why This Matters Now
This disclosure highlights urgent risks for building automation and IoT environments that rely on proprietary wireless protocols. With threat actors increasingly targeting operational technology, prompt firmware remediation and sound cryptographic practice (unique nonces, properly seeded random number generation, authenticated packets) are essential for closing attack vectors that affect critical infrastructure and commercial facilities worldwide.
Attack Path Analysis
An attacker within range of the wireless link could exploit the cryptographic weaknesses and the cleartext key transmission to intercept and decrypt PowerG traffic. Because the receiver does not verify a packet’s origin, the attacker could then inject crafted or replayed packets that the panel treats as legitimate, moving from passive eavesdropping to control of device behaviour. From there, traffic between IoT/OT devices on the same network could be intercepted or altered, sensitive configuration exposed, and services disrupted or configurations tampered with on critical infrastructure equipment. The advisories list no public exploit; the chain described here is a potential attack path, and its confirmed steps are those stated in the four CVE entries (reading and writing encrypted packets, replay, denial of service, and configuration modification).
Kill Chain Progression
Initial Compromise
Description
An attacker exploits cleartext transmission (CVE-2025-61738) to capture the network key and the weak crypto mechanisms (CVE-2025-61739, CVE-2025-26379) to read or inject PowerG packets; missing origin validation (CVE-2025-61740) lets the injected packets take effect on the device.
Related CVEs

CVE-2025-61738
CVSS: 5.3
Cleartext transmission of sensitive information in Johnson Controls PowerG, IQPanel, and IQHub allows attackers to capture network keys and read or write encrypted packets.
Affected Products:
Johnson Controls Inc. PowerG – <=53.02
Johnson Controls Inc. IQHub – all
Johnson Controls Inc. IQPanel 2 – all
Johnson Controls Inc. IQPanel 2+ – all
Johnson Controls Inc. IQPanel 4 – <4.6.1
Exploit Status: no public exploit

CVE-2025-61739
CVSS: 7.6
Nonce reuse in Johnson Controls PowerG, IQPanel, and IQHub allows attackers to perform replay attacks or decrypt captured packets.
Affected Products:
Johnson Controls Inc. PowerG – <=53.02
Johnson Controls Inc. IQHub – all
Johnson Controls Inc. IQPanel 2 – all
Johnson Controls Inc. IQPanel 2+ – all
Johnson Controls Inc. IQPanel 4 – <4.6.1
Exploit Status: no public exploit

CVE-2025-26379
CVSS: 7.6
Use of a cryptographically weak pseudo-random number generator in Johnson Controls PowerG, IQPanel, and IQHub allows attackers to read or inject encrypted PowerG packets.
Affected Products:
Johnson Controls Inc. PowerG – <=53.02
Johnson Controls Inc. IQHub – all
Johnson Controls Inc. IQPanel 2 – all
Johnson Controls Inc. IQPanel 2+ – all
Johnson Controls Inc. IQPanel 4 – <4.6.1
Exploit Status: no public exploit

CVE-2025-61740
CVSS: 7.6
Authentication issue in Johnson Controls PowerG, IQPanel, and IQHub: the device does not verify the source of a packet, allowing attackers to create a denial-of-service condition or modify device configuration.
Affected Products:
Johnson Controls Inc. PowerG – <=53.02
Johnson Controls Inc. IQHub – all
Johnson Controls Inc. IQPanel 2 – all
Johnson Controls Inc. IQPanel 2+ – all
Johnson Controls Inc. IQPanel 4 – <4.6.1
Exploit Status: no public exploit
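The nonce-reuse and origin-validation failures described in the CVE entries above, as an added illustration that is not code from Johnson Controls, NCC Group, or the PowerG protocol (whose cipher and frame format this page does not describe): a toy sensor-to-panel link built from a counter nonce, an HMAC-SHA256-based CTR keystream, and an encrypt-then-MAC tag. The packet layout, field sizes, key, and messages are all constructed for the example. It shows the two-time pad (once a nonce repeats under one key, a single known plaintext lets a passive listener decrypt the other packet without the key) and, beside it, a receiver that checks neither tag nor sequence and so accepts replays and tampered packets, against a hardened receiver that rejects both.

```python
import hashlib
import hmac
import struct

NONCE_LEN = 8   # 64-bit big-endian message counter used as the nonce (assumed layout)
TAG_LEN = 8     # truncated HMAC-SHA256 tag (toy size, chosen for readability)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from a PRF, HMAC-SHA256(key, nonce || block index).
    AES-CTR or ChaCha20 fail the same way when a nonce repeats under one key."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Packet = nonce || ciphertext || tag (constructed layout, not PowerG framing).
    Encrypt-then-MAC; the tag binds the nonce so it cannot be swapped."""
    ct = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


class Sender:
    """Sensor side. A counter nonce is safe only while it never repeats under the
    key; a reset after a power cycle, or a weak RNG, makes it repeat."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def send(self, plaintext: bytes) -> bytes:
        self.counter += 1
        return seal(self.key, struct.pack(">Q", self.counter), plaintext)


class Receiver:
    """Panel side. Hardened: valid tag (only a key holder can produce one) and a
    nonce above the last accepted. The flags model the unhardened behaviour."""

    def __init__(self, key: bytes, verify_tag: bool = True, check_replay: bool = True):
        self.key = key
        self.verify_tag = verify_tag
        self.check_replay = check_replay
        self.last_seq = 0

    def receive(self, packet: bytes):
        if len(packet) < NONCE_LEN + TAG_LEN:
            return None, "short"
        nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if self.verify_tag and not hmac.compare_digest(tag, expected):
            return None, "bad tag"      # origin not proven: drop
        seq = struct.unpack(">Q", nonce)[0]
        if self.check_replay and seq <= self.last_seq:
            return None, "replay"       # nonce already consumed: drop
        self.last_seq = max(self.last_seq, seq)
        return xor_bytes(ct, keystream(self.key, nonce, len(ct))), "ok"


def two_time_pad(pkt_a: bytes, pkt_b: bytes, known_plaintext_a: bytes):
    """Passive attacker: two packets under one nonce plus one known plaintext
    give the keystream and hence the other plaintext. No key is needed."""
    nonce_a, ct_a = pkt_a[:NONCE_LEN], pkt_a[NONCE_LEN:-TAG_LEN]
    nonce_b, ct_b = pkt_b[:NONCE_LEN], pkt_b[NONCE_LEN:-TAG_LEN]
    if nonce_a != nonce_b:
        return None                     # distinct nonces: nothing to align
    return xor_bytes(ct_b, xor_bytes(ct_a, known_plaintext_a))


def demo() -> dict:
    key = hashlib.sha256(b"constructed network key for this example").digest()
    sensor = Sender(key)
    heartbeat = b"HEARTBEAT OK 001"     # predictable message the attacker knows
    secret = b"DISARM CODE 4711"        # same length; attacker does not know it
    pkt_heartbeat = sensor.send(heartbeat)
    sensor.counter = 0                  # simulate a counter reset: nonce reuse
    pkt_secret = sensor.send(secret)
    naive = Receiver(key, verify_tag=False, check_replay=False)
    hardened = Receiver(key)
    hardened.receive(pkt_heartbeat)     # hardened panel consumes nonce 1
    tampered = bytearray(pkt_secret)
    tampered[NONCE_LEN] ^= 0x01         # flip one ciphertext bit; tag no longer matches
    return {
        "leaked_plaintext": two_time_pad(pkt_heartbeat, pkt_secret, heartbeat),
        "naive_replay": naive.receive(pkt_heartbeat)[1],
        "naive_tampered": naive.receive(bytes(tampered))[1],
        "hardened_replay": hardened.receive(pkt_heartbeat)[1],
        "hardened_tampered": hardened.receive(bytes(tampered))[1],
        "hardened_reused_nonce": hardened.receive(pkt_secret)[1],
    }
```

Calling demo() returns the leaked "DISARM CODE 4711" plaintext recovered without the key, "ok" twice from the naive receiver, and "replay" / "bad tag" / "replay" from the hardened one: a reused nonce is indistinguishable from a replay at the receiver, which is why a strictly increasing sequence check both closes the replay path and refuses to decrypt under a repeated nonce. The counter reset stands in for any cause of repeated nonces, a weak PRNG included. A real panel would persist last_seq across reboots and handle counter wrap by re-keying; a "seen nonces" set would work for random nonces but grows without bound on a constrained device, which is why the monotonic counter is the usual choice.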
MITRE ATT&CK® Techniques
Network Sniffing (T1040)
Weaken Encryption (T1600)
Exploitation for Credential Access (T1212)
Adversary-in-the-Middle (T1557)
Application Layer Protocol (T1071)
Endpoint Denial of Service (T1499)
Process Injection (T1055)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Encryption of Sensitive Data in Transmission
Control ID: 4.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Requirements
Control ID: Art. 9(2)
NIS2 Directive – Security of Network and Information Systems
Control ID: Article 21(2) (b, d, e, h)
CISA ZTMM 2.0 – Data-in-Transit Encryption Enforcement
Control ID: Networks Pillar, Traffic Encryption function
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Commercial Real Estate
Building security systems vulnerable to cleartext transmission, nonce reuse, and weak encryption enabling attackers to bypass access controls and compromise tenant safety.
Security/Investigations
Physical security infrastructure compromised by PowerG vulnerabilities allowing unauthorized access, replay attacks, and potential circumvention of monitoring and alarm systems.
Hospitality
Hotel and resort security panels exposed to authentication bypass and encryption weaknesses potentially compromising guest safety and facility access control systems.
Higher Education/Academia
Campus security systems susceptible to IoT vulnerabilities enabling unauthorized building access, compromised emergency response capabilities, and student safety risks through encrypted traffic manipulation.
Sources
- Johnson Controls PowerG, IQPanel and IQHub (CISA ICS Advisory ICSA-25-350-02): https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02
- Johnson Controls Product Security Advisories: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
- NVD - CVE-2025-61738: https://nvd.nist.gov/vuln/detail/CVE-2025-61738
Cloud Native Security Fabric (CNSF) Mitigations and Controls
CNSF controls such as Zero Trust Segmentation, inline encrypted traffic enforcement, east-west traffic security, and threat detection can segment vulnerable panels, block unauthorized east-west and outbound traffic, and flag anomalies, constraining an attacker who has already gained a foothold. One caveat applies to every control below: they see the panel’s IP-side traffic, not the proprietary wireless link between PowerG sensors and the panel on which the four CVEs sit. The radio-side weaknesses are removed only by the vendor firmware update (IQPanel 4 firmware 4.6.1 or later) or by migrating off the products with no fixed version; the network controls limit what a compromised panel can reach afterwards.
Control: Encrypted Traffic (HPE)
Mitigation: Prevents interception and manipulation of data in transit on the network segments the fabric controls.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks replay or signature-based exploit attempts in traffic it can inspect.
Control: East-West Traffic Security
Mitigation: Limits lateral traversal and device-to-device abuse.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Detects and blocks unauthorized command channels in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents exfiltration of sensitive data to external or unauthorized destinations.
Together these limit blast radius and restrict unauthorized commands to only the impacted devices.
Impact at a Glance
Affected Business Functions
- Security Monitoring
- Access Control
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive security configurations and unauthorized access to control systems.
Recommended Actions
Key Takeaways & Next Steps
- Apply the vendor fix first: update IQPanel 4 to firmware 4.6.1 or later and, for IQPanel 2, IQPanel 2+, and IQHub (affected in all versions), migrate to IQPanel 4 per the Johnson Controls advisory; network-layer controls do not reach the wireless link where these flaws live.
- Mandate line-rate encrypted traffic (MACsec/IPsec) between IoT/OT devices on wired and IP segments to prevent sensitive information exposure in transit.
- Deploy east-west microsegmentation and identity-based controls to isolate IoT/OT assets and block lateral movement.
- Integrate inline IPS and real-time anomaly detection to identify and halt replay, injection, or protocol manipulation attempts.
- Enforce granular egress security policies to block unauthorized outbound data flows and detect exfiltration channels.
- Keep device firmware and cryptographic protocols current, monitor for anomalous behaviour, and restrict physical and radio access during sensitive provisioning events, since the cleartext-transmission flaw exposes network keys in transit.