Johnson Controls PowerG, IQPanel & IQHub Vulnerabilities Expose Encrypted Traffic Risks
CISA advisory reveals critical flaws in Johnson Controls PowerG, IQPanel, and IQHub allowing encrypted traffic manipulation and replay attacks. Patch immediately.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory detailing critical vulnerabilities in Johnson Controls' PowerG, IQPanel, and IQHub product lines. Successful exploitation of these flaws could enable attackers to read or write encrypted traffic or conduct replay attacks against affected systems.
Technical Details
The vulnerabilities affect the following Johnson Controls products:
- PowerG wireless communication devices
- IQPanel security control panels
- IQHub smart home controllers
According to CISA's advisory ICSA-25-350-02, the flaws stem from improper implementation of cryptographic protocols in the affected devices. While specific CVE identifiers were not disclosed in the initial advisory, the vulnerabilities allow:
- Unauthorized decryption of encrypted communications
- Traffic manipulation through encrypted channel injection
- Replay attacks using captured encrypted packets
The advisory references a CSAF document containing machine-readable vulnerability details for automated processing.
Impact Analysis
These vulnerabilities pose significant risks to organizations using affected Johnson Controls products, particularly in:
- Critical infrastructure facilities where PowerG devices monitor physical security
- Commercial buildings utilizing IQPanel for access control and environmental systems
- Smart home deployments with IQHub controllers managing IoT ecosystems
Successful exploitation could lead to:
- Unauthorized physical access through manipulated security systems
- Disruption of building automation and environmental controls
- Compromise of integrated IoT devices through replay attacks
- Potential lateral movement within OT networks
Recommendations
CISA urges organizations to:
- Review the advisory (ICSA-25-350-02) immediately
- Consult the CSAF document for technical vulnerability details
- Apply patches from Johnson Controls as soon as they become available
- Monitor encrypted traffic for unusual patterns or replay attempts
- Segment networks containing affected devices to limit potential lateral movement
- Implement compensating controls if patches cannot be immediately applied
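The CSAF document mentioned under Technical Details and in the recommendations above can be triaged automatically. The following is an added example, not code from CISA or Johnson Controls: it walks a CSAF 2.0 JSON file and lists, per vulnerability, the affected products and those with no vendor fix yet. The embedded sample is constructed; its product IDs, version, CVE placeholder and remediation text are assumptions, not values from ICSA-25-350-02.

```python
import json

# Constructed sample in CSAF 2.0 layout; NOT the content of ICSA-25-350-02.
# Product IDs, version, CVE placeholder and remediation text are made up.
SAMPLE_CSAF = json.loads("""
{
  "document": {"title": "Constructed sample", "tracking": {"id": "SAMPLE-ID"}},
  "product_tree": {"branches": [
    {"category": "vendor", "name": "Johnson Controls", "branches": [
      {"category": "product_name", "name": "IQPanel", "branches": [
        {"category": "product_version", "name": "PLACEHOLDER-VERSION",
         "product": {"product_id": "CSAFPID-0001", "name": "IQPanel PLACEHOLDER-VERSION"}}]},
      {"category": "product_name", "name": "IQHub",
       "product": {"product_id": "CSAFPID-0002", "name": "IQHub"}}]}]},
  "vulnerabilities": [
    {"cve": "CVE-XXXX-XXXXX",
     "product_status": {"known_affected": ["CSAFPID-0001", "CSAFPID-0002"]},
     "remediations": [
       {"category": "vendor_fix", "details": "placeholder", "product_ids": ["CSAFPID-0001"]}]}]
}
""")

def product_names(branches):
    """Walk the nested product_tree and map product_id -> full product name."""
    found = {}
    for branch in branches or []:
        product = branch.get("product")
        if product:
            found[product["product_id"]] = product["name"]
        found.update(product_names(branch.get("branches")))
    return found

def triage(csaf):
    """Per vulnerability: affected products, and those with no vendor_fix entry."""
    names = product_names(csaf.get("product_tree", {}).get("branches"))
    rows = []
    for vuln in csaf.get("vulnerabilities", []):
        affected = vuln.get("product_status", {}).get("known_affected", [])
        fixed = {pid for rem in vuln.get("remediations", [])
                 if rem.get("category") == "vendor_fix"
                 for pid in rem.get("product_ids", [])}
        rows.append({
            "id": vuln.get("cve", "(no CVE assigned)"),
            "affected": [names.get(p, p) for p in affected],
            "needs_compensating_control": [names.get(p, p) for p in affected if p not in fixed],
        })
    return rows

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CSAF), indent=2))
```

To use it on the real advisory, replace SAMPLE_CSAF with the parsed contents of the CSAF file downloaded from CISA.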
Security teams should prioritize these vulnerabilities given their potential impact on physical security systems and building automation infrastructure. The advisory emphasizes the importance of maintaining secure cryptographic implementations in operational technology environments.
For ongoing updates, security professionals should monitor CISA's ICS Advisories page and Johnson Controls' security bulletins.