CVE-2025-61739: CWE-323 Reusing a Nonce, Key pair in encryption in Johnson Controls IQ Panels2, 2+, IQHub, IQPanel 4, PowerG
Due to nonce reuse, attackers can perform replay attacks or decrypt captured packets.
AI Analysis
Technical Summary
CVE-2025-61739 is a cryptographic vulnerability classified under CWE-323, which involves the reuse of a nonce-key pair during encryption in Johnson Controls' IQ Panels2, IQ Panels 2+, IQHub, IQPanel 4, and PowerG products. Nonces (numbers used once) are critical in encryption protocols to ensure that each encrypted message is unique and resistant to replay or cryptanalysis attacks. Reusing a nonce with the same key undermines the cryptographic strength, allowing attackers to decrypt previously captured encrypted packets or replay them to manipulate device behavior. Exploitation requires no authentication or user interaction, only the ability to capture the devices' traffic.
The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N) indicates that the attack requires adjacent network access, has low complexity, and needs no privileges or user interaction. On the vulnerable system it rates the integrity impact high and the confidentiality and availability impacts low, with low confidentiality and integrity impact on subsequent systems. The affected products are widely used in building automation and security systems, which control access, alarms, and environmental controls. Exploitation could lead to unauthorized access, data leakage, or manipulation of security functions, potentially compromising physical security and safety. No patches are currently available, and no exploits have been observed in the wild, but the vulnerability poses a serious risk due to the nature of the cryptographic flaw and the critical role of these devices in security infrastructure.
Potential Impact
For European organizations, the impact of CVE-2025-61739 can be substantial. Johnson Controls' IQ Panels and related products are commonly deployed in commercial buildings, critical infrastructure, and smart building environments across Europe. Exploitation could allow attackers to decrypt sensitive communications, gaining insight into security system configurations or user credentials. Replay attacks could manipulate alarm states or access controls, potentially disabling security measures or triggering false alarms. This undermines both physical and cybersecurity postures, increasing risks of unauthorized entry, data breaches, and operational disruptions. Organizations in sectors such as finance, healthcare, government, and large commercial real estate are particularly vulnerable due to their reliance on these systems for secure building management. The vulnerability also raises compliance concerns under GDPR and other data protection regulations if personal or sensitive data is exposed. Given the lack of patches, the risk window remains open, necessitating immediate compensating controls to reduce exposure.
Mitigation Recommendations
1. Johnson Controls should prioritize releasing firmware or software updates that enforce unique nonce generation per encryption session to eliminate nonce reuse.
2. Until patches are available, organizations should segment networks to isolate IQ Panels and related devices from broader corporate networks, limiting attacker access to adjacent network segments only.
3. Implement strict access controls and monitoring on networks hosting these devices to detect anomalous traffic patterns indicative of replay attacks or decryption attempts.
4. Employ network encryption and VPNs to protect communications to and from these devices, reducing the risk of packet capture.
5. Regularly audit device configurations and logs for signs of tampering or unauthorized access.
6. Coordinate with Johnson Controls support for any available interim mitigations or recommended configurations.
7. Educate security teams about this vulnerability to ensure rapid detection and response to potential exploitation attempts.
8. Consider temporary physical security enhancements to compensate for potential electronic control weaknesses.
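The monitoring in recommendation 3 can be sketched as a check over already-parsed frame metadata. This is an added example, not vendor or analyst code. The page does not describe the wire format, so the `Frame` fields, the device names and the sample capture are hypothetical, and the check assumes each sender encrypts under one fixed key.

```python
from collections import defaultdict
from typing import NamedTuple


class Frame(NamedTuple):
    seq: int           # position in the capture
    sender: str        # device identifier (hypothetical field)
    nonce: bytes       # per-message nonce as sent on the wire
    ciphertext: bytes  # encrypted payload


def audit_frames(frames):
    """Return findings as (kind, sender, nonce_hex, first_seq, seq) tuples.

    kind is "nonce_reuse" when one sender uses the same nonce for two
    different ciphertexts, and "duplicate" when an identical frame
    appears again (a retransmission or a replayed packet).
    """
    seen = defaultdict(dict)  # (sender, nonce) -> {ciphertext: first seq}
    findings = []
    for f in frames:
        bucket = seen[(f.sender, f.nonce)]
        if f.ciphertext in bucket:
            findings.append(
                ("duplicate", f.sender, f.nonce.hex(), bucket[f.ciphertext], f.seq))
        else:
            if bucket:  # nonce already used by this sender for other data
                first = min(bucket.values())
                findings.append(
                    ("nonce_reuse", f.sender, f.nonce.hex(), first, f.seq))
            bucket[f.ciphertext] = f.seq
    return findings


# Constructed sample capture, not real device traffic.
SAMPLE = [
    Frame(1, "sensor-a", bytes.fromhex("0001"), b"\x10\x22\x31"),
    Frame(2, "sensor-a", bytes.fromhex("0002"), b"\x5a\x01\x9c"),
    Frame(3, "sensor-b", bytes.fromhex("0001"), b"\x77\x40\x02"),  # other sender
    Frame(4, "sensor-a", bytes.fromhex("0001"), b"\xee\x13\x08"),  # nonce reused
    Frame(5, "sensor-a", bytes.fromhex("0002"), b"\x5a\x01\x9c"),  # same as frame 2
]

if __name__ == "__main__":
    for finding in audit_frames(SAMPLE):
        print(finding)
```

A "duplicate" finding needs triage against normal retransmission behaviour before it is treated as a replay; a "nonce_reuse" finding is the CWE-323 condition itself.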
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: jci
- Date Reserved: 2025-09-30T15:51:17.096Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69491f829679ab05af587010
Added to database: 12/22/2025, 10:37:54 AM
Last enriched: 12/22/2025, 10:52:19 AM
Last updated: 12/22/2025, 2:13:09 PM