
CVE-2025-26379: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Johnson Controls IQ Panels2, 2+, IQHub, IQPanel 4, PowerG

Severity: High
Tags: Vulnerability, CVE-2025-26379, CWE-338
Published: Mon Dec 22 2025 (12/22/2025, 14:21:29 UTC)
Source: CVE Database V5
Vendor/Project: Johnson Controls
Product: IQ Panels2, 2+, IQHub, IQPanel 4, PowerG

Description

Use of a weak pseudo-random number generator, which may allow an attacker to read or inject encrypted PowerG packets.

AI-Powered Analysis

Last updated: 12/22/2025, 14:44:37 UTC

Technical Analysis

CVE-2025-26379 affects Johnson Controls alarm products that communicate over the PowerG wireless protocol: IQ Panel 2, IQ Panel 2+, IQHub, IQ Panel 4 and PowerG peripherals. The root cause is the use of a cryptographically weak pseudo-random number generator (CWE-338) in the protection of PowerG packets. Keys and nonces must come from a generator whose output an attacker can neither predict nor reproduce; a weak PRNG (a small seed space, a linear generator, a seed derived from time or a counter) yields values that can be enumerated or predicted, and that defeats the encryption regardless of how strong the cipher itself is. Here the consequence is that PowerG packets, which carry sensor state and commands between the panel and its peripherals, may be decrypted or forged: an attacker could read what is transmitted over the air or inject packets the receiver accepts as genuine. The attack vector is adjacent, meaning the attacker must be within radio range, and no privileges or user interaction are required. Confidentiality impact is rated low to moderate because of the limited data carried on the channel; integrity impact is high because control signals could be manipulated; availability impact is low since the flaw does not directly enable denial of service. The CVSS 4.0 vector indicates low attack complexity and no authentication, which raises exploitability. No public exploit is known at the time of writing, but the affected products are widely deployed to protect premises and assets, and no vendor fix was available at publication, so compensating controls matter until one ships.
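The following is an added illustration of the CWE-338 failure mode, not Johnson Controls' code: the page does not describe PowerG's actual key derivation, cipher or frame format, so every one of those is constructed here (a 32-bit linear congruential generator seeded from a 16-bit value, an HMAC-SHA256 counter-mode stream cipher standing in for a real block cipher, and a nonce || ciphertext || tag frame). The "device" derives its 128-bit link key from the weak generator; the attacker captures one encrypted frame, enumerates all 65 536 possible seeds, and uses the frame's own authentication tag as the oracle that identifies the right key. With the key recovered, the captured frame is readable and a forged command passes the receiver's check. The same search run against a key from the OS CSPRNG finds nothing.

```python
"""Model of CWE-338: a link key derived from a weak PRNG can be recovered from
one captured frame by enumerating the generator's seed space. The LCG, seed
size, stream cipher and frame layout are constructed for this example; they
are not PowerG's real design."""
import hashlib
import hmac
import secrets
import struct

# glibc-style LCG constants (assumption: any linear generator behaves the same way)
LCG_A, LCG_C, LCG_M = 1103515245, 12345, 2 ** 31


def weak_key(seed16: int) -> bytes:
    """Derive a 128-bit key from a 16-bit seed through an LCG.
    Only 65 536 distinct keys are reachable, whatever the output length."""
    state = seed16
    out = b""
    for _ in range(4):
        state = (LCG_A * state + LCG_C) % LCG_M
        out += struct.pack(">I", state)
    return out


def strong_key() -> bytes:
    """CSPRNG-derived key: 2**128 possible values and no recoverable seed."""
    return secrets.token_bytes(16)


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in for AES-CTR."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Frame = nonce(4) || ciphertext || 8-byte truncated HMAC tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    return nonce + ct + tag


def open_frame(key: bytes, frame: bytes):
    """Receiver side: verify the tag, then decrypt. Returns None on a bad tag."""
    nonce, ct, tag = frame[:4], frame[4:-8], frame[-8:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def recover_key(frame: bytes):
    """Attacker side: walk the whole 16-bit seed space. The frame's own MAC
    reveals the correct key, so no known plaintext is needed."""
    for seed in range(1 << 16):
        candidate = weak_key(seed)
        if open_frame(candidate, frame) is not None:
            return candidate
    return None


def demo(use_weak_prng: bool) -> dict:
    """Constructed scenario: the panel sends one encrypted status frame and an
    attacker in radio range captures it, then tries to read and to inject."""
    device_key = weak_key(0x2A17) if use_weak_prng else strong_key()  # 0x2A17: arbitrary seed
    captured = seal(device_key, struct.pack(">I", 1), b"STATUS:ARMED")
    attacker_key = recover_key(captured)
    result = {"key_recovered": attacker_key == device_key}
    if attacker_key is not None:
        result["read"] = open_frame(attacker_key, captured)
        forged = seal(attacker_key, struct.pack(">I", 2), b"CMD:DISARM")
        result["forged_accepted"] = open_frame(device_key, forged) == b"CMD:DISARM"
    return result


if __name__ == "__main__":
    print("weak PRNG:  ", demo(True))
    print("strong PRNG:", demo(False))
```

The cipher and MAC in this model are sound; what breaks the system is that the key's effective entropy is bounded by the generator's seed, so a 128-bit key drawn from a 16-bit seed is a 16-bit key. Replacing the generator with the platform CSPRNG (here `secrets`) is the fix, which is why the vendor firmware update is the only real remediation for this class of flaw.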

Potential Impact

For European organizations, this vulnerability puts physical security systems built on Johnson Controls IQ Panels and PowerG devices at risk. An attacker within radio range who can read or forge the encrypted wireless traffic could learn the state of the alarm system, suppress or spoof sensor reports, and manipulate security controls, with some potential for data leakage. Critical infrastructure facilities, commercial buildings and residential complexes using these products may see the integrity of their alarm coverage undermined. Beyond the direct effect, organizations face loss of trust in the security system, possible regulatory non-compliance regarding data protection and physical security, and increased risk of intrusion or sabotage. Because the attack is carried over the air, sites in dense urban environments or with publicly accessible surroundings are particularly exposed, and because exploitation needs neither authentication nor user interaction, physical proximity is the only barrier. This could facilitate espionage, theft or disruption of security operations, especially in the finance, government, healthcare and energy sectors within Europe.

Mitigation Recommendations

1. Apply the vendor fix as soon as Johnson Controls releases one. The remediation has to replace the weak PRNG with a cryptographically secure generator in the device firmware; nothing on the customer side substitutes for that.
2. Until then, keep the panels' IP side (Ethernet, Wi-Fi and cellular management interfaces) segmented from the broader IT network so a compromised panel cannot be used as a pivot. This does not protect the PowerG radio link itself: PowerG is a sub-GHz RF protocol, not Wi-Fi, and a network firewall never sees it.
3. Monitor for RF-layer anomalies. Ordinary Wi-Fi WIDS will not observe PowerG traffic; rely on the panel's own RF supervision, jamming and tamper alerts where available and, where the risk warrants it, a receiver for the band the devices use, to detect unexpected transmissions, replays or injected frames.
4. Reduce attacker proximity: site panels and sensors away from public areas, control access to the perimeter, and treat unexplained sensor faults or spurious events as possible injection attempts rather than noise.
5. Include the wireless link in regular security audits and penetration tests rather than testing only the IP-facing surface.
6. Apply layered controls on the alarm management side (multi-factor authentication on remote management, independent verification of disarm events) so that a forged disarm over the air is not sufficient on its own.
7. Maintain an up-to-date asset inventory of affected panels and PowerG peripherals, including firmware versions, so remediation can be prioritized and verified once a fix ships.
8. Work with Johnson Controls support for guidance and updates on mitigation strategies.
9. Train security personnel to recognize the symptoms of wireless attacks against these devices and to follow the incident response procedure specific to them.


Technical Details

Data Version: 5.2
Assigner Short Name: jci
Date Reserved: 2025-02-07T14:15:53.879Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 694955df89a9ac879c424572

Added to database: 12/22/2025, 2:29:51 PM

Last enriched: 12/22/2025, 2:44:37 PM

Last updated: 2/7/2026, 10:30:41 AM

