OTPulse

Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace

Priority: Act Now
CVSS score: 9.3
Source: ICS-CERT ICSA-25-338-03
Published: Dec 4, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

OpenBlue Mobile Web Application for OpenBlue Workplace contains an authentication bypass vulnerability (CWE-425) in versions 2025.1.2 and earlier. An unauthenticated attacker can exploit this to gain unauthorized access to sensitive information including building operations data, system configurations, and occupancy details. The vulnerability affects the mobile web interface endpoint and allows complete bypass of access controls. No public exploitation has been reported, but the vulnerability is readily exploitable and could expose facility management data and operational status to unauthorized parties.

What this means
What could happen
An attacker could gain unauthorized access to sensitive information in OpenBlue Workplace, potentially exposing building operations data, occupancy information, and system configurations without authentication.
Who's at risk
Facility managers and building operations staff using Johnson Controls OpenBlue Workplace Mobile Web Application for HVAC, lighting, access control, and other building system monitoring and management. This affects hospitals, office buildings, data centers, manufacturing facilities, and any organization using OpenBlue for building automation.
How it could be exploited
An attacker on the network (or from the internet if the web application is exposed) sends unauthenticated requests to the OpenBlue Mobile Web Application endpoint. The vulnerability allows bypass of authentication controls, granting access to sensitive information available through the mobile interface without providing valid credentials.
Prerequisites
  • Network access to the OpenBlue Mobile Web Application (typically port 80/443)
  • The mobile application must be enabled in IIS (default)
  • No valid credentials required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High CVSS score (9.3)
  • Authentication bypass
  • Sensitive information exposure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: OpenBlue Mobile Web Application for OpenBlue Workplace
Affected Versions: ≤ 2025.1.2
Fix Status: fixed in 2025.1.3
Remediation & Mitigation
Do now
WORKAROUND: Disable the Mobile Application in Microsoft Internet Information Services (IIS) at the application pool level as an interim workaround
WORKAROUND: Use the primary OpenBlue Workplace web interface instead of the mobile application for required functionality
HARDENING: Ensure the OpenBlue web application is not directly accessible from the internet; place it behind a firewall and require VPN for remote access
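The first workaround above (stopping the mobile application at the IIS application pool level) can be carried out and verified from PowerShell on the OpenBlue web server. The script below is an added example written for this page; it is not OTPulse, ICS-CERT or Johnson Controls code. The IIS site name 'Default Web Site' and the application path '/Mobile' are assumptions used as placeholders, since the advisory does not name them; substitute the values from your own installation. Without -Disable the script only reports which pool the application runs in and its state, and it refuses to stop a pool that other applications share, so the primary OpenBlue Workplace interface is not taken down by accident.

```powershell
# Added example, not from the advisory or the vendor. Run in an elevated
# PowerShell session on the OpenBlue web server. Requires the WebAdministration
# module that ships with the IIS management tools.
# ASSUMPTIONS (placeholders): the site name and application path below are not
# given on the advisory page; replace them with the values from your install.
param(
    [string]$SiteName = 'Default Web Site',   # placeholder site name
    [string]$AppPath  = '/Mobile',            # placeholder mobile app path
    [switch]$Disable                          # omit to report only
)

Import-Module WebAdministration -ErrorAction Stop

# Locate the mobile application under the site and the pool it runs in.
$app = Get-WebApplication -Site $SiteName | Where-Object { $_.path -eq $AppPath }
if (-not $app) {
    Write-Error "No IIS application at '$AppPath' under site '$SiteName'. Check the placeholder names."
    exit 1
}
$pool  = $app.applicationPool
$state = (Get-WebAppPoolState -Name $pool).Value
Write-Host "Application '$AppPath' runs in pool '$pool' (state: $state)"

if (-not $Disable) {
    Write-Host "Report only. Re-run with -Disable to stop the pool and block auto-start."
    exit 0
}

# Stopping a pool stops every application in it; refuse if the pool is shared
# (e.g. with the primary OpenBlue Workplace interface the workaround relies on).
$sharing = Get-WebApplication |
    Where-Object { $_.applicationPool -eq $pool -and $_.path -ne $AppPath }
if ($sharing) {
    Write-Warning ("Pool '$pool' is shared with: " + ($sharing.path -join ', ') +
                   ". Move the mobile app to its own pool before stopping it.")
    exit 2
}

if ($state -eq 'Started') {
    Stop-WebAppPool -Name $pool
}
# Keep IIS from starting the pool again on reboot or service restart.
Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name autoStart -Value $false

# Confirm the result before handing the change over.
$after = (Get-WebAppPoolState -Name $pool).Value
Write-Host "Pool '$pool' is now '$after'; autoStart disabled."
Write-Host "Re-enable after patching to 2025.1.3 with: Set-ItemProperty 'IIS:\AppPools\$pool' autoStart `$true; Start-WebAppPool '$pool'"
```

After running with -Disable, a request to the mobile application path should return an IIS 503 (Service Unavailable) rather than content; that response, and Get-WebAppPoolState reporting 'Stopped', are the checks to record before closing the change ticket.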
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade OpenBlue Mobile Web Application to patch level 2025.1.3 or above when available from Johnson Controls
Long-term hardening
HARDENING: Isolate building management networks from corporate business networks to limit lateral movement if compromised