Johnson Controls FX Server, FX80 and FX90 (Update A)

Recommended action: Plan patch
CVSS: 7.7
ICS-CERT advisory: ICSA-25-219-02
Published: Aug 7, 2025
Vendor: Johnson Controls
Attack path
Attack vector: Network
Privileges required: Low (valid credentials)
Attack complexity: Low
User interaction: None
Summary

CVE-2025-43867 is a vulnerability in Johnson Controls FX Server, FX80, and FX90 building automation controllers, classified as CWE-1395 (dependency on a vulnerable third-party component). Under certain circumstances an authenticated attacker with network access to the device can compromise its configuration files, which may allow the facility control logic to be altered. Affected versions are FX_14.10.10 and prior, and FX_14.14.1 and prior; Johnson Controls has released FX_14.10.11 and FX_14.14.2 as fixed versions. No public exploitation of this vulnerability had been reported as of the advisory date.

What this means
What could happen
An attacker holding valid credentials could read or modify the configuration files on an FX Server, FX80, or FX90. Because those files define the control logic the device executes, a tampered configuration could change how connected HVAC and other building systems behave, including any safety-related interlocks implemented in that logic.
Who's at risk
Building automation system operators running Johnson Controls FX Server, FX80, or FX90 should prioritize this update. These devices sit in HVAC control, fire alarm integration, and facility management systems, so operators of institutional facilities (hospitals, schools, offices, data centers) that rely on them are in scope.
How it could be exploited
An attacker holding valid engineering credentials reaches the FX Server or FX80/FX90 over the network through its management interface and uses that access to read or alter the device's configuration files. The advisory does not describe the exact mechanism beyond the CWE-1395 classification, so defenders should assume that any account able to log in to the device is sufficient.
Prerequisites
  • Valid FX engineering or administrator credentials
  • Network access to FX Server/FX80/FX90 management interface (typically port 80/443)
  • Device running FX_14.10.10 or earlier, or FX_14.14.1 or earlier
  • Remotely exploitable over the network
  • Requires valid engineering credentials (not default credentials)
  • Low attack complexity
  • High impact on configuration integrity
  • Can affect safety-system interlocks in some deployments
Affected products (6 entries, all with a fix available)

Product     Affected versions        Fixed in
FX Server   FX_14.10.10 and prior    FX_14.10.11 or FX_14.14.2
FX Server   FX_14.14.1 and prior     FX_14.10.11 or FX_14.14.2
FX80        FX_14.10.10 and prior    FX_14.10.11 or FX_14.14.2
FX80        FX_14.14.1 and prior     FX_14.10.11 or FX_14.14.2
FX90        FX_14.10.10 and prior    FX_14.10.11 or FX_14.14.2
FX90        FX_14.14.1 and prior     FX_14.10.11 or FX_14.14.2
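To decide which devices in an inventory fall inside the ranges above, the following is an added example (not Johnson Controls code). It encodes the two affected ranges and their fixed releases from the advisory and applies them to a constructed device list. The "FX_<major>.<minor>.<patch>" string shape is assumed from the version names the advisory uses; a version the script cannot parse, or a release line the advisory never mentions, is reported as unresolved rather than treated as safe.

```python
"""Triage FX Server / FX80 / FX90 firmware versions against ICSA-25-219-02.

Added example (not Johnson Controls code). Only the version ranges and
fixed releases come from the advisory; the inventory at the bottom is
constructed, and the "FX_<major>.<minor>.<patch>" string shape is assumed
from the version names the advisory uses.
"""
import re
from typing import NamedTuple, Optional

VERSION_RE = re.compile(r"^FX_(\d+)\.(\d+)\.(\d+)$")

# From the advisory: "FX_14.10.10 and prior" (fixed in FX_14.10.11) and
# "FX_14.14.1 and prior" (fixed in FX_14.14.2).
LAST_AFFECTED_14_10 = (14, 10, 10)
LAST_AFFECTED_14_14 = (14, 14, 1)
FIX_14_10 = "FX_14.10.11"
FIX_14_14 = "FX_14.14.2"


class Finding(NamedTuple):
    device: str
    version: str
    status: str                 # "affected", "fixed", "not_listed" or "unparsed"
    recommended: Optional[str]  # fixed release to install, if affected


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) for a string like 'FX_14.10.10'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FX version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def triage(device: str, version: str) -> Finding:
    try:
        v = parse_version(version)
    except ValueError:
        # Never silently treat an unreadable version as safe.
        return Finding(device, version, "unparsed", None)

    if v[:2] == (14, 10):
        # 14.10 maintenance line: 14.10.11 and later carry the fix.
        if v <= LAST_AFFECTED_14_10:
            return Finding(device, version, "affected", FIX_14_10)
        return Finding(device, version, "fixed", None)

    if v <= LAST_AFFECTED_14_14:
        # Covers 14.11 through 14.14.1 and everything before 14.10 ("and prior").
        # Sites still below 14.10 may alternatively move to FX_14.10.11.
        return Finding(device, version, "affected", FIX_14_14)

    if v[:2] == (14, 14):
        return Finding(device, version, "fixed", None)

    # Newer lines than the advisory names: it makes no claim about them.
    return Finding(device, version, "not_listed", None)


def summarize(inventory):
    """Count devices per status; inventory is an iterable of (name, version)."""
    counts = {"affected": 0, "fixed": 0, "not_listed": 0, "unparsed": 0}
    findings = [triage(name, ver) for name, ver in inventory]
    for f in findings:
        counts[f.status] += 1
    return counts, findings


# Constructed sample inventory (not real site data).
SAMPLE_INVENTORY = [
    ("fxserver-hq", "FX_14.14.1"),
    ("fx80-boiler-room", "FX_14.10.10"),
    ("fx90-ahu-3", "FX_14.10.11"),
    ("fx80-chiller", "FX_14.9.2"),
    ("fx90-lab", "14.14.2"),   # missing "FX_" prefix: flagged, not assumed safe
]

if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.device:<18} {f.version:<14} {f.status:<10} {f.recommended or ''}")
    print(counts)
```

The 14.10 line is handled separately because a device on FX_14.10.11 is fixed even though it is numerically below FX_14.14.1; a plain "less than or equal" comparison against the newer range would misreport it as affected.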
Remediation & Mitigation
Do now
Workaround: Restrict network access to FX Server/FX80/FX90 management ports to authorized engineering workstations only; implement firewall rules to block unauthorized network paths
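One way to confirm that the restriction is actually in effect is to audit firewall logs for accepted management-port connections to FX devices from outside the engineering allowlist. The following is an added example, not Johnson Controls or firewall-vendor code: the FX device addresses, the engineering workstation subnet, the log line format and the sample lines are all constructed, and ports 80/443 follow the "typically port 80/443" note above rather than vendor documentation.

```python
"""Check firewall logs for management-port access to FX devices from
outside the engineering allowlist.

Added example (not Johnson Controls or firewall-vendor code).  Everything
site-specific is constructed: the FX device addresses, the engineering
workstation subnet, and the log line format.  Ports 80/443 follow the
"typically port 80/443" note on this page, not vendor documentation.
"""
import ipaddress
import re

# Constructed placeholders: replace with the site's real values.
FX_DEVICES = {
    ipaddress.ip_address("10.40.1.10"): "fxserver-hq",
    ipaddress.ip_address("10.40.1.21"): "fx80-boiler-room",
}
ENGINEERING_NETS = [ipaddress.ip_network("10.20.5.0/24")]
MGMT_PORTS = {80, 443}

# Constructed log shape: "<ts> <fw> <ACCEPT|DROP> src=.. dst=.. proto=tcp dport=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=tcp dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "action": m["action"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def is_engineering_host(addr):
    return any(addr in net for net in ENGINEERING_NETS)


def find_unauthorized(lines):
    """Accepted management-port connections to FX devices from non-engineering sources.

    Returns (hits, unparsed) so that lines the parser could not read are
    reported instead of silently dropped.
    """
    hits, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] != "ACCEPT" or rec["dport"] not in MGMT_PORTS:
            continue
        if rec["dst"] not in FX_DEVICES or is_engineering_host(rec["src"]):
            continue
        hits.append((rec["ts"], str(rec["src"]), FX_DEVICES[rec["dst"]], rec["dport"]))
    return hits, unparsed


# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
2025-08-12T09:14:02Z fw01 ACCEPT src=10.20.5.17 dst=10.40.1.10 proto=tcp dport=443
2025-08-12T09:15:40Z fw01 ACCEPT src=10.100.7.3 dst=10.40.1.10 proto=tcp dport=443
2025-08-12T09:16:11Z fw01 DROP src=10.100.7.3 dst=10.40.1.21 proto=tcp dport=80
2025-08-12T09:17:05Z fw01 ACCEPT src=10.100.7.3 dst=10.40.1.21 proto=tcp dport=5000
2025-08-12T09:18:30Z fw01 ACCEPT src=10.100.7.3 dst=10.40.2.9 proto=tcp dport=443
2025-08-12T09:19:00Z fw01 ACCEPT src=10.100.7.9 dst=10.40.1.21 proto=tcp dport=80
garbage line that does not match
""".splitlines()

if __name__ == "__main__":
    hits, unparsed = find_unauthorized(SAMPLE_LOG)
    for ts, src, device, port in hits:
        print(f"{ts} {src} -> {device}:{port} outside engineering allowlist")
    print(f"{len(hits)} finding(s), {unparsed} unparsed line(s)")
```

Only accepted connections count as findings: a DROP to a management port is the rule working, and an accepted connection to a non-management port is out of scope for this workaround even if it deserves a look for other reasons. The unparsed count is returned so that a log format change does not quietly turn the audit into a clean report.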
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Update FX Server and FX80/FX90 devices to version FX_14.10.11 or FX_14.14.2 via the Johnson Controls software portal
Hardening: Review and audit FX device credential policies; remove or disable unused engineering accounts and enforce strong password requirements
Long-term hardening
Hardening: Disable direct internet-facing access to FX device management interfaces; route all remote access through a VPN with multi-factor authentication
Hardening: Implement network segmentation to isolate FX Server and FX80/FX90 devices from business networks and untrusted systems