CVE-2025-61738 is a security vulnerability classified under CWE-319, which concerns the cleartext transmission of sensitive information. This vulnerability affects several Johnson Controls products, including IQPanel2, IQHub, IQPanel2+, IQPanel 4, and the PowerG wireless protocol used within these systems. Under specific conditions, an attacker with network access can intercept communications and capture the network key transmitted in cleartext. Possession of this key enables the attacker to decrypt, read, or even inject encrypted packets on the PowerG network, potentially compromising the confidentiality and integrity of the wireless communication. The vulnerability does not require any privileges or authentication but does require user interaction, and the attack complexity is high, which limits the ease of exploitation. The CVSS 4.0 base score is 2.3, indicating a low severity primarily due to the difficulty of exploitation and limited scope. No known exploits have been reported in the wild, and no patches have been published yet. The vulnerability arises from insecure transmission practices within the affected devices' network communication stack, exposing sensitive cryptographic material. This could lead to unauthorized access or manipulation of security system communications, undermining the trustworthiness of the affected control panels and their wireless networks.

For European organizations, the primary impact of this vulnerability lies in the potential compromise of confidentiality within security and automation systems using Johnson Controls' PowerG wireless protocol. Attackers who capture the network key could eavesdrop on sensitive communications or inject malicious commands, potentially disrupting security monitoring or control functions. This could lead to unauthorized disarming of alarms, false alarms, or manipulation of building automation systems. While the vulnerability does not directly affect system availability or require elevated privileges, the breach of confidentiality could undermine trust in physical security infrastructure. Sectors such as critical infrastructure, government facilities, commercial real estate, and smart buildings that rely on these products are at higher risk. The low CVSS score suggests limited immediate risk, but the potential for targeted attacks in high-value environments remains. The absence of patches means organizations must rely on compensating controls until vendor fixes are available.

Organizations should implement network segmentation to isolate Johnson Controls devices from untrusted or public networks, reducing the risk of interception. Employ strong physical security controls to prevent attackers from gaining local network access. Monitor network traffic for unusual patterns or unauthorized devices attempting to communicate with PowerG networks. Disable or limit wireless communication features where feasible, or switch to wired alternatives if possible. Engage with Johnson Controls to obtain timelines for patches or firmware updates addressing this vulnerability and apply them promptly once available. Educate users on the risks of interacting with these devices in insecure environments to minimize user interaction exploitation. Consider deploying additional encryption or VPN tunnels around vulnerable devices to protect transmitted data. Regularly audit and update security policies related to building automation and security systems to incorporate awareness of this vulnerability.