Johnson Controls PowerG, IQPanel and IQHub (Update A)

Plan Patch | CVSS 7.6 | ICS-CERT ICSA-25-350-02 | Dec 16, 2025
Johnson Controls | Energy | Transportation
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls PowerG, IQPanel 2, IQPanel 2+, IQPanel 4, and IQHub contain cryptographic and key generation weaknesses in their wireless security protocols. These vulnerabilities include improper randomness in key generation (CWE-338), weak encryption (CWE-319), and insufficient cryptographic strength (CWE-323). Exploitation could allow an attacker within wireless range to read encrypted traffic, modify encrypted communications, or replay captured wireless messages during device pairing and enrollment.

What this means
What could happen
An attacker within wireless range could intercept and decrypt communications between security system components, modify commands to alter system state, or replay captured wireless messages to manipulate sensor readings or disarm security functions. This could compromise intrusion detection, access control, or fire alarm systems that rely on these components.
Who's at risk
Security system integrators and building managers responsible for Johnson Controls wireless security systems. Specifically affects: energy facilities and transportation systems using IQPanel 2, IQPanel 2+, IQPanel 4, IQHub, or PowerG wireless sensors for intrusion detection, access control, fire alarm, or perimeter security. End-of-life products (IQPanel 2, IQPanel 2+, IQHub) with no vendor fixes are at highest risk.
How it could be exploited
An attacker positioned near the facility with wireless radio equipment could passively capture encrypted wireless traffic during device pairing or enrollment (when cryptographic handshakes occur). By exploiting weak key generation or poor randomness, the attacker can recover encryption keys or decrypt captured frames. With decrypted access, the attacker can forge or replay wireless messages to the security system, potentially disabling alarms or modifying access control logic.
Prerequisites
  • Physical proximity to facility (wireless range, typically 100-300 feet depending on antenna)
  • Ability to transmit wireless signals on the frequency used by PowerG/IQPanel devices
  • Access during device pairing or enrollment phase (when initial key exchange occurs)
  • No PIN code protection during enrollment, or ability to observe or guess PIN code
  • no patch available for 3 of 5 affected products (IQPanel 2, IQPanel 2+, IQHub)
  • affects safety/security systems (alarms, access control)
  • wireless attack surface requires only physical proximity
  • low complexity to exploit if attacker has radio equipment
  • weak cryptography may allow passive decryption without active interaction
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (5)
2 with fix, 3 EOL
Product | Affected Versions | Fix Status
IQPanel 2+: vers:all/* | All versions | No fix (EOL)
PowerG: <=53.02 | ≤ 53.02 | 53.05
IQPanel 4: <4.6.1 | < 4.6.1 | 4.6.1
IQHub: vers:all/* | All versions | No fix (EOL)
IQPanel 2: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Enable PIN code protection during device enrollment and ensure only authorized personnel are present during installation, pairing, and enrollment phases
HARDENING: Restrict wireless network access to only trusted and authorized security system devices; implement wireless network access control lists if available on your network infrastructure
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update IQPanel 4 to firmware version 4.6.1 or later
HOTFIX: Update PowerG devices to firmware version 53.05 or later (applies to devices supporting PowerG+)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: IQPanel 2+, IQHub, and IQPanel 2 (all versions). Apply the following compensating controls:
HARDENING: For IQPanel 2, IQPanel 2+, and IQHub (no vendor fix available), replace end-of-life products with IQPanel 4 running firmware 4.6.1 or greater
HARDENING: Review wireless network coverage maps and consider reducing transmit power or relocating antennas to minimize wireless range beyond facility boundaries
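
To turn the affected-products table and the remediation steps above into a worklist, the following added example (not part of the advisory or any vendor tooling) triages a device inventory against the listed versions. The status labels, device names and sample inventory are constructed for illustration; the version bounds are the ones in the table.

```python
# Added example: triage an inventory against this advisory's affected-product table.
# Status labels and the sample inventory are constructed for illustration.

# Bounds and fixed versions copied from the table; fix=None marks end-of-life products.
ADVISORY = {
    "PowerG":     {"op": "<=", "bound": "53.02", "fix": "53.05"},
    "IQPanel 4":  {"op": "<",  "bound": "4.6.1", "fix": "4.6.1"},
    "IQPanel 2":  {"op": "all", "bound": None, "fix": None},
    "IQPanel 2+": {"op": "all", "bound": None, "fix": None},
    "IQHub":      {"op": "all", "bound": None, "fix": None},
}

def parse_version(text, width=3):
    """'53.02' -> (53, 2, 0): numeric, zero-padded so '4.6' compares against '4.6.1'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def triage(product, firmware):
    """Return a status label for one device."""
    rule = ADVISORY.get(product)
    if rule is None:
        return "NOT_LISTED"
    if rule["op"] == "all":
        return "REPLACE_EOL"          # no fix exists, whatever the firmware
    try:
        have = parse_version(firmware)
    except (ValueError, AttributeError):
        return "UNKNOWN_VERSION"      # unreadable firmware string: check by hand
    bound, fix = parse_version(rule["bound"]), parse_version(rule["fix"])
    affected = have <= bound if rule["op"] == "<=" else have < bound
    if affected:
        return "UPDATE_TO_" + rule["fix"]
    # Between the affected bound and the fixed release (e.g. PowerG 53.03/53.04):
    # the table lists it as neither affected nor fixed, so flag it.
    return "REVIEW_BELOW_FIX" if have < fix else "OK"

# Constructed sample inventory: (device name, product, reported firmware).
INVENTORY = [
    ("lobby-panel", "IQPanel 4", "4.5.2"),
    ("dock-panel", "IQPanel 4", "4.10.0"),
    ("pg-door-07", "PowerG", "53.02"),
    ("pg-smoke-11", "PowerG", "53.04"),
    ("annex-hub", "IQHub", "2.1.0"),
    ("gate-sensor", "PowerG", "n/a"),
]

if __name__ == "__main__":
    for name, product, fw in INVENTORY:
        print(f"{name:12} {product:10} {fw:7} {triage(product, fw)}")
```

Versions are compared as integer tuples, so IQPanel 4 firmware 4.10.0 is correctly treated as newer than 4.6.1, which a plain string comparison would get wrong.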