OTPulse

Qolsys IQ Panel 4, IQ4 HUB

Plan Patch | CVSS 7.3 | ICS-CERT ICSA-24-039-01 | Feb 8, 2024
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Qolsys IQ Panel 4 and IQ4 Hub devices running firmware versions prior to 4.4.2 contain a vulnerability that allows unauthorized access to panel settings under certain circumstances. The vulnerability requires physical access to the device and could allow an attacker to bypass authentication controls and modify alarm system configurations, including disabling notifications or altering security parameters. Johnson Controls recommends upgrading to firmware version 4.4.2.

What this means
What could happen
An attacker with physical access to the device could bypass security controls and gain unauthorized access to alarm system settings, potentially disabling alerts or modifying system configurations that affect building safety.
Who's at risk
Security professionals and facilities managers at organizations using Qolsys alarm systems, particularly in buildings with integrated smart panel controls. This affects access control system integrators, commercial security installations, and building automation systems that rely on Qolsys IQ Panel 4 or IQ4 Hub devices for alarm management.
How it could be exploited
An attacker must have physical access to the Qolsys IQ Panel 4 or IQ4 Hub device. Once physically present, they can exploit the vulnerability to access settings without proper authentication, allowing them to reconfigure the alarm system or change security parameters.
Prerequisites
  • Physical access to the IQ Panel 4 or IQ4 Hub device
  • Device running firmware version prior to 4.4.2
  • No authentication credentials required once physical access is obtained
  • Physical access required (lower remote risk)
  • Affects security system settings
  • No patch currently available for older versions in some deployments
  • Low EPSS score (0.1%) indicates low likelihood of exploitation
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix

Product | Affected Versions | Fix Status
Qolsys IQ Panel 4 | <4.4.2 | 4.4.2
Qolsys IQ4 Hub | <4.4.2 | 4.4.2
Remediation & Mitigation
Do now
HARDENING: Physically secure the IQ Panel 4 and IQ4 Hub devices to restrict unauthorized physical access in areas not under constant supervision
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade IQ Panel 4 and IQ4 Hub firmware to version 4.4.2 or later using the remote firmware update capability or by applying patch tag 'iqpanel4.4.2' via the device firmware update page
Long-term hardening
HARDENING: Locate alarm system devices behind firewalls and isolate them from internet-facing networks
Qolsys IQ Panel 4, IQ4 HUB | CVSS 7.3 - OTPulse