Unauthorized Access Vulnerability in JCI Products by Johnson Controls
CVE-2025-26381

6.5 MEDIUM

Key Information:

Vendor
CVE Published: 17 December 2025

What is CVE-2025-26381?

This vulnerability allows attackers to gain unauthorized access to sensitive information in JCI products. If successfully exploited, attackers can leverage this access to compromise system integrity and confidentiality. Organizations using JCI products should be aware of this risk and take appropriate measures to protect their systems.

Affected Version(s)

OpenBlue Workplace (formerly FM Systems): versions from 0 up to and including 2025.1.2

CVSS V4

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
