Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace

Plan Patch
CVSS 9.3
ICS-CERT ICSA-25-338-03
Dec 4, 2025
Johnson Controls
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

OpenBlue Mobile Web Application for OpenBlue Workplace versions 2025.1.2 and earlier contain an authentication bypass vulnerability (CWE-425) that allows an unauthenticated attacker to access sensitive information. The vulnerability affects the Mobile Application interface, exposing facility management data such as building automation settings, occupancy information, and system configurations without requiring valid credentials. The primary Workplace web interface is not affected by this vulnerability. Johnson Controls has released a patch (version 2025.1.3) to address this issue.

What this means
What could happen
An attacker without credentials could gain unauthorized access to sensitive information in your OpenBlue Workplace facility management system, including occupancy data, building automation settings, and potentially energy management controls. This could expose operational details of your building systems or enable further reconnaissance for follow-on attacks.
Who's at risk
Facility managers and building operations teams using Johnson Controls OpenBlue Workplace for building automation and facility management. This affects organizations that rely on the Mobile Web Application for remote access to HVAC, lighting, energy management, and occupancy control systems in office buildings, campuses, or multi-site operations.
How it could be exploited
An attacker on the network (or from the internet if the OpenBlue Mobile Web Application is exposed) sends a specially crafted request to the Mobile Application without authentication. The application fails to properly validate access, allowing the attacker to retrieve sensitive information about your facility, building automation, or operational systems.
Prerequisites
  • Network access to the OpenBlue Mobile Web Application port (typically HTTP/HTTPS)
  • No authentication credentials required
  • Mobile Application must be deployed and enabled in IIS
Tags: remotely exploitable, no authentication required, low complexity, affects facility control systems, sensitive operational data exposure
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
OpenBlue Mobile Web Application for OpenBlue Workplace | ≤ 2025.1.2 | 2025.1.3
Remediation & Mitigation
Do now
WORKAROUND: Disable the Mobile Application in Microsoft Internet Information Services (IIS) at the application pool level until patch 2025.1.3 is available
HARDENING: Restrict network access to the OpenBlue Mobile Web Application to authorized internal networks only using firewall rules
HARDENING: Ensure OpenBlue Workplace systems are not directly accessible from the internet; place them behind firewalls and network segmentation
WORKAROUND: Use the primary OpenBlue Workplace web interface for operations instead of the Mobile Application until patched
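An added example, not from the advisory or from Johnson Controls, of applying the IIS application-pool workaround above with the WebAdministration module: it stops the Mobile Application's pool, keeps it from restarting with IIS, and confirms the app is no longer served. The pool name and the Mobile Application URL are placeholders, since the advisory does not name them; take both from your own IIS configuration.

```powershell
# Added example: apply and verify the IIS application-pool workaround.
# Run in an elevated PowerShell session on the OpenBlue Workplace IIS host.
# <MOBILE_APP_POOL> and <MOBILE_APP_URL> are placeholders (not named by the
# advisory); list candidate pools with: Get-ChildItem IIS:\AppPools
Import-Module WebAdministration

$PoolName  = '<MOBILE_APP_POOL>'
$MobileUrl = 'https://<MOBILE_APP_URL>/'   # base URL of the Mobile Application

function Disable-MobileAppPool {
    param([string]$Name)

    if (-not (Test-Path "IIS:\AppPools\$Name")) {
        throw "Application pool '$Name' not found; check the name in IIS Manager."
    }

    # Stop the pool so IIS stops serving the Mobile Application immediately.
    if ((Get-WebAppPoolState -Name $Name).Value -ne 'Stopped') {
        Stop-WebAppPool -Name $Name
    }

    # autoStart controls whether W3SVC brings the pool back on service start
    # or reboot; clearing it keeps the workaround in place across restarts.
    Set-ItemProperty -Path "IIS:\AppPools\$Name" -Name autoStart -Value $false

    # Return the observed state for the change record.
    [pscustomobject]@{
        Pool      = $Name
        State     = (Get-WebAppPoolState -Name $Name).Value
        AutoStart = (Get-ItemProperty -Path "IIS:\AppPools\$Name").autoStart
    }
}

function Test-MobileAppUnavailable {
    param([string]$Url)
    # A stopped pool makes IIS answer 503 Service Unavailable; any other
    # result means the workaround has not taken effect or the URL is wrong.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return ([int]$resp.StatusCode -eq 503)
    } catch {
        return ($_.Exception.Response.StatusCode.value__ -eq 503)
    }
}

Disable-MobileAppPool -Name $PoolName | Format-List
if (Test-MobileAppUnavailable -Url $MobileUrl) {
    Write-Output 'Mobile Application is no longer being served (HTTP 503).'
} else {
    Write-Warning 'Mobile Application still responds; verify the pool name and site bindings.'
}
```

Re-enable the pool (Start-WebAppPool and autoStart back to $true) only after upgrading to 2025.1.3 or later.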
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade OpenBlue Mobile Web Application to version 2025.1.3 or later
