CVE-2025-61740: CWE-346 Origin Validation Error in Johnson Controls IQ Panels2, 2+, IQHub, IQPanel 4, PowerG
Authentication issue that does not verify the source of a packet which could allow an attacker to create a denial-of-service condition or modify the configuration of the device.
AI Analysis
Technical Summary
CVE-2025-61740 is a vulnerability categorized under CWE-346 (Origin Validation Error) affecting multiple Johnson Controls products including IQ Panels2, IQ Panels2+, IQHub, IQPanel 4, and PowerG. The core issue is an authentication flaw where the affected devices do not properly verify the origin of received packets. This lack of source validation means that an attacker on an adjacent network or with access to the same network segment can send crafted packets to the device, which the device will accept as legitimate. Exploiting this flaw, an attacker can either cause a denial-of-service (DoS) condition by disrupting normal device operation or modify the device’s configuration settings without any authentication or user interaction. The vulnerability has a CVSS 4.0 score of 7.2, reflecting a high severity due to the combination of low attack complexity, no required privileges or user interaction, and significant impact on integrity and availability. The attack vector is adjacent network (AV:A), meaning the attacker must be on the same local network or within radio range if wireless. The vulnerability affects critical building security and automation systems, which are often integrated into physical security and facility management infrastructures. No patches or known exploits are currently available, but the risk remains significant given the potential for disruption or unauthorized control of security devices. The vulnerability’s presence in widely deployed building management panels makes it a concern for organizations relying on Johnson Controls products for physical security and automation.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity and availability of building security and automation systems. Successful exploitation could lead to unauthorized modification of security panel configurations, potentially disabling alarms, altering access controls, or disrupting monitoring functions. This could facilitate physical security breaches or operational disruptions. The denial-of-service potential could cause outages in critical building management systems, impacting safety and operational continuity. Organizations in sectors such as commercial real estate, critical infrastructure, healthcare, and government facilities are particularly vulnerable due to their reliance on these systems for security and operational control. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation in environments where network segmentation or monitoring is insufficient. The impact extends beyond individual facilities to potentially affect multi-site operations and integrated security environments common in European enterprises.
Mitigation Recommendations
1. Network Segmentation: Isolate Johnson Controls IQ Panels and related devices on dedicated VLANs or network segments with strict access controls to limit exposure to untrusted networks.
2. Access Control Lists (ACLs): Implement ACLs on network devices to restrict traffic to and from the affected panels only to trusted management systems and authorized personnel.
3. Monitoring and Logging: Deploy network monitoring solutions to detect anomalous packets or traffic patterns targeting these devices, enabling early detection of exploitation attempts.
4. Vendor Coordination: Maintain close communication with Johnson Controls for timely receipt and deployment of security patches or firmware updates addressing this vulnerability.
5. Physical Security: Ensure physical access to affected devices is controlled to prevent local exploitation or tampering.
6. Incident Response Preparedness: Develop and test incident response plans specific to potential disruptions or compromises of building management systems.
7. Wireless Security: For PowerG wireless devices, ensure robust wireless encryption and authentication mechanisms are in place to reduce risk from wireless attack vectors.
8. Configuration Auditing: Regularly audit device configurations for unauthorized changes and enforce configuration management policies.
These measures go beyond generic advice by focusing on network architecture, monitoring, and operational readiness tailored to the affected products and their deployment contexts.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: jci
- Date Reserved: 2025-09-30T15:51:17.096Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694959ea89a9ac879c469573
Added to database: 12/22/2025, 2:47:06 PM
Last enriched: 12/22/2025, 2:58:49 PM
Last updated: 12/22/2025, 4:22:32 PM