OTPulse

Johnson Controls PowerG, IQPanel and IQHub (Update A)

Plan Patch | 7.6 | ICS-CERT ICSA-25-350-02 | Dec 16, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls PowerG, IQPanel and IQHub contain vulnerabilities in wireless security protocols that allow attackers to read or write encrypted traffic or perform replay attacks. The vulnerabilities affect PowerG version 53.02 and below, all versions of IQHub, IQPanel 2, IQPanel 2+, and IQPanel 4 versions below 4.6.1. Successful exploitation could compromise the confidentiality and integrity of wireless communication between control panels and sensors.

What this means
What could happen
An attacker within wireless range could intercept and decrypt traffic between your panel and sensors, potentially reading sensor data or injecting commands to alter system behavior. This could affect alarm systems, access control, or other integrated building controls.
Who's at risk
Johnson Controls security system integrators and building owners using PowerG wireless sensors and IQ Panel controllers in energy facilities, transportation systems, and commercial buildings. This affects installations relying on PowerG wireless sensors for alarm, access control, or process monitoring. End-of-life products (IQPanel 2, IQPanel 2+, IQHub) are most vulnerable with no patches available.
How it could be exploited
An attacker with physical proximity to the building (within wireless range) can capture and decrypt PowerG wireless traffic using the weak encryption scheme, or replay previously captured wireless messages. No special credentials or authentication are required—the attacker only needs to be within range of the wireless network during or after device enrollment.
Prerequisites
  • Physical proximity to the building to receive the wireless signal (approximately 100+ feet depending on environment)
  • Ability to capture wireless frames during device enrollment or normal operation
  • No credentials required; wireless encryption keys can be compromised through protocol weaknesses
  • No authentication required
  • Low complexity attack
  • Affects security/access control systems
  • Most affected products have no patch available
  • Default/weak wireless security on affected products
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (5)
2 with fix, 3 EOL
Product | Affected Versions | Fix Status
IQPanel 2+: vers:all/* | All versions | No fix (EOL)
PowerG: <=53.02 | ≤ 53.02 | 53.05
IQPanel 4: <4.6.1 | < 4.6.1 | 4.6.1
IQHub: vers:all/* | All versions | No fix (EOL)
IQPanel 2: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: During sensor enrollment, ensure PIN code is entered in the PIN Code field on the sensor enrollment screen
  • HARDENING: Restrict wireless network access to only trusted devices; implement wireless network authentication and encryption at the router level
  • HARDENING: Ensure only authorized company personnel or integrators are present during installation, pairing, or enrollment processes
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update IQPanel 4 to firmware version 4.6.1 or later
  • HOTFIX: Update PowerG devices to version 53.05 or later if PowerG+ support is available
Long-term hardening
  • HOTFIX: For end-of-life products (IQPanel 2, IQPanel 2+, IQHub), plan replacement with IQPanel 4 firmware 4.6.1 or later
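
Added example (not part of the advisory or any Johnson Controls tooling): a fleet triage that maps each installed device to the remediation bucket above, using only the affected and fixed versions from the product table. The inventory rows, the result labels and the function names are constructed for illustration.

```python
import re

# Fixed versions from this advisory's product table. None = end of life, no fix.
FIXED_IN = {
    "powerg": (53, 5),      # affected <= 53.02, fixed in 53.05
    "iqpanel4": (4, 6, 1),  # affected < 4.6.1, fixed in 4.6.1
    "iqpanel2": None,
    "iqpanel2+": None,
    "iqhub": None,
}

def normalize_product(name):
    """'IQ Panel 2 +' -> 'iqpanel2+'; the '+' is kept so 2 and 2+ stay distinct."""
    return re.sub(r"[\s_-]+", "", name.lower())

def parse_version(text):
    """'v53.02' -> (53, 2); None when the string is not dotted integers."""
    text = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(product, version):
    """Return ok, update, replace-eol, manual-review or not-listed."""
    key = normalize_product(product)
    if key not in FIXED_IN:
        return "not-listed"
    fixed = FIXED_IN[key]
    if fixed is None:
        return "replace-eol"  # every version is affected, so the version is irrelevant
    have = parse_version(version)
    if have is None:
        return "manual-review"  # never assume an unreadable version is patched
    # Pad so 4.6 compares as 4.6.0. Assumption: PowerG builds between 53.02 and
    # 53.05 are not classified by the advisory and are treated as needing the update.
    width = max(len(have), len(fixed))
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    return "ok" if have >= fixed else "update"

# Constructed sample inventory (not real asset data).
INVENTORY = [
    ("IQ Panel 4", "4.5.2"), ("IQPanel 4", "4.6.1"), ("IQPanel 4", "4.6"),
    ("PowerG", "53.02"), ("PowerG", "v53.05"), ("IQPanel 2+", "2.8.0"),
    ("IQ Hub", "unknown"), ("IQPanel 4", "build-7"),
]

if __name__ == "__main__":
    for product, version in INVENTORY:
        print(f"{product:<12} {version:<9} {triage(product, version)}")
```

Devices that come back as manual-review need their firmware version read from the panel itself before they are counted as patched.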