OTPulse

Johnson Controls FX Server, FX80 and FX90 (Update A)

Action: Plan patch · CVSS 7.7 · ICS-CERT ICSA-25-219-02 · Published Aug 7, 2025
Attack vector: Network
Privileges required: Low (an authenticated user-level account)
Attack complexity: Low
User interaction: None
Summary

A vulnerability in Johnson Controls FX Server, FX80 and FX90 allows an authenticated attacker with low privileges to compromise configuration files. Affected versions are FX_14.10.10 and earlier on the 14.10 maintenance line and FX_14.14.1 and earlier on the 14.14 line. Access to those files can be chained into additional vulnerabilities (CVE-2025-3936 through CVE-2025-3945) that further affect device operation. The advisory rates the issue high severity (CVSS 7.7): the direct impact is to confidentiality, and the changed scope reflects consequences that extend beyond the vulnerable component itself.

What this means
What could happen
An attacker with a user-level account can read configuration files on FX Server, FX80 or FX90 devices. The direct impact scored by the advisory is loss of confidentiality of those files; integrity and availability are affected indirectly, because the disclosed settings can be used to chain into the follow-on CVEs and disrupt building automation operations.
Who's at risk
Building automation operators and facilities managers relying on Johnson Controls FX Server, FX80, or FX90 controllers for HVAC, lighting, and other mechanical systems. This affects anyone managing these platforms in commercial buildings, campuses, or critical infrastructure facilities.
How it could be exploited
An attacker first needs a valid user-level account on the FX device or FX Server, typically obtained by compromising an engineering workstation that can reach the device, or by abusing an exposed remote-access path. Once authenticated, the attacker uses the flaw to read configuration files. The sensitive settings those files contain are what make the follow-on vulnerabilities (CVE-2025-3936 through CVE-2025-3945) reachable, so a read-only flaw becomes the first step toward altering device behaviour.
Prerequisites
  • Valid user-level credentials for the FX device or FX Server
  • Network reachability of the device's administrative interface (the flaw is in authenticated configuration access, not in a field protocol such as Modbus)
  • The ability to reach the configuration management function with that account
Severity factors
  • Requires valid credentials (not an unauthenticated attack)
  • Low attack complexity
  • Configuration files are sensitive and can enable follow-on attacks
  • Integrity and availability are affected indirectly, through the cascading CVEs
Affected products (6), all with a fix available

Product   | Affected versions            | Fixed in
FX Server | FX_14.10.10 and earlier      | FX_14.10.11 (or upgrade to FX_14.14.2)
FX Server | FX_14.14.1 and earlier       | FX_14.14.2
FX80      | FX_14.10.10 and earlier      | FX_14.10.11 (or upgrade to FX_14.14.2)
FX80      | FX_14.14.1 and earlier       | FX_14.14.2
FX90      | FX_14.10.10 and earlier      | FX_14.10.11 (or upgrade to FX_14.14.2)
FX90      | FX_14.14.1 and earlier       | FX_14.14.2
Remediation & Mitigation
Do now
HARDENING: Restrict network access to FX devices and FX Server with firewall rules so that only designated engineering workstations can reach their administrative interfaces; they must not be reachable from the internet or from business networks.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply firmware FX_14.10.11 to devices on the 14.10 line (currently running FX_14.10.10 or earlier)
HOTFIX: Apply firmware FX_14.14.2 to devices on the 14.14 line (currently running FX_14.14.1 or earlier)
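As an added triage example (not code from the OTPulse page or from Johnson Controls), the script below applies the two version ranges above to an asset inventory: each device is matched to its maintenance line, flagged if it sits at or below that line's last vulnerable build, and given the fixed build to install. Version strings follow the advisory's FX_major.minor.patch naming. The hostnames, the FX_14.8.3 build and the "OtherModel" entry in the sample inventory are constructed, and the rule that builds between the 14.10 and 14.14 lines fall under "FX_14.14.1 and earlier" is an assumption of this example.

```python
"""Triage an OT asset inventory against ICSA-25-219-02 (FX Server / FX80 / FX90).

Added example, not code from the OTPulse page or from Johnson Controls.
Version strings follow the "FX_<major>.<minor>.<patch>" form used in the
advisory; the inventory at the bottom is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

AFFECTED_MODELS = {"FX Server", "FX80", "FX90"}

# Two maintenance lines, each with its own last vulnerable build and fix.
LINE_14_10 = {"last_vulnerable": (14, 10, 10), "fix": (14, 10, 11)}
LINE_14_14 = {"last_vulnerable": (14, 14, 1), "fix": (14, 14, 2)}

VERSION_RE = re.compile(r"^FX[_ ]?(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'FX_14.10.10' into (14, 10, 10); reject anything else loudly."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FX version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def format_version(v: tuple[int, int, int]) -> str:
    return "FX_" + ".".join(str(n) for n in v)


@dataclass(frozen=True)
class Finding:
    host: str
    model: str
    version: str
    status: str          # "vulnerable" | "fixed" | "not-in-scope"
    target: str | None   # build to install when vulnerable


def assess(host: str, model: str, version: str) -> Finding:
    """Classify one device against the advisory's two version ranges."""
    if model not in AFFECTED_MODELS:
        return Finding(host, model, version, "not-in-scope", None)
    v = parse_version(version)
    # Builds on 14.10 or older belong to the 14.10 line; later minors
    # (assumed here to include 14.11 .. 14.13) fall under "FX_14.14.1 and earlier".
    line = LINE_14_10 if v[:2] <= (14, 10) else LINE_14_14
    if v <= line["last_vulnerable"]:
        return Finding(host, model, version, "vulnerable", format_version(line["fix"]))
    return Finding(host, model, version, "fixed", None)


def triage(inventory: list[tuple[str, str, str]]) -> list[Finding]:
    """Assess every (host, model, version) row; vulnerable devices sort first."""
    findings = [assess(*row) for row in inventory]
    order = {"vulnerable": 0, "fixed": 1, "not-in-scope": 2}
    return sorted(findings, key=lambda f: (order[f.status], f.host))


# Constructed sample inventory: hostnames and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("bas-fxsrv-01", "FX Server", "FX_14.14.1"),
    ("ahu-fx80-03", "FX80", "FX_14.10.10"),
    ("chiller-fx90-02", "FX90", "FX_14.14.2"),
    ("lighting-fx80-07", "FX80", "FX_14.10.11"),
    ("legacy-fx80-11", "FX80", "FX_14.8.3"),
    ("gateway-01", "OtherModel", "FX_14.10.10"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        action = f"-> install {f.target}" if f.target else ""
        print(f"{f.host:18} {f.model:10} {f.version:12} {f.status:13} {action}")
```

Feed `triage` the rows from your real asset inventory; anything the parser rejects (a blank or unexpected version string) raises rather than silently passing as fixed, which is the failure mode you want when an export is incomplete.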
Long-term hardening
HARDENING: Implement network segmentation to isolate FX devices and FX Server from non-critical systems
HARDENING: Where remote access is required, enforce VPN access with multi-factor authentication and keep the VPN software current