CVE-2025-26381 - Vulnerability Details - OpenCVE

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Johnsoncontrols	Openblue Workplace

No data.

No data.

References

Link	Providers
https://https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-03
https://tyco.widen.net/view/pdf/xmejieec4b/JCI-PSA-2025-05.pdf?t.download=true&u=aiurfs

History

Thu, 18 Dec 2025 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Johnsoncontrols Johnsoncontrols openblue Workplace
Vendors & Products		Johnsoncontrols Johnsoncontrols openblue Workplace

Wed, 17 Dec 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description		Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.
Title		OpenBlue Mobile Web Application configuration issue for optional for OpenBlue Workplace (formerly FM Systems)
Weaknesses		CWE-425
References		https://https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-03 https://tyco.widen.net/view/pdf/xmejieec4b/JCI-PSA-2025-05.pdf?t.download=true&u=aiurfs
Metrics		cvssV4_0 `{'score': 6.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:U'}`

MITRE

Status: PUBLISHED

Assigner: jci

Published: 2025-12-17T16:13:38.069Z

Updated: 2025-12-17T16:45:49.543Z

Reserved: 2025-02-07T14:15:53.880Z

Link: CVE-2025-26381

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-12-17T17:15:48.697

Modified: 2025-12-18T15:07:42.550

Link: CVE-2025-26381

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-26381", "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "state": "PUBLISHED", "assignerShortName": "jci", "dateReserved": "2025-02-07T14:15:53.880Z", "datePublished": "2025-12-17T16:13:38.069Z", "dateUpdated": "2025-12-17T16:45:49.543Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenBlue Workplace (formerly FM Systems)", "vendor": "Johnson Controls", "versions": [{"lessThanOrEqual": "2025.1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2025-12-04T16:12:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.</span>"}], "value": "Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information."}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.5, "baseSeverity": "MEDIUM", "exploitMaturity": "UNREPORTED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:U", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-425", "description": "CWE-425 Direct Request ('Forced Browsing')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01", "shortName": "jci", "dateUpdated": "2025-12-17T16:13:38.069Z"}, "references": [{"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-03"}, {"url": "https://tyco.widen.net/view/pdf/xmejieec4b/JCI-PSA-2025-05.pdf?t.download=true&u=aiurfs"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<ul><li>Upgrade to patch level 2025.1.3 or above when available. Note: When this patch is applied, skip the below two steps.</li><li>Disable the Mobile Application in Microsoft Internet Information Services (IIS) or Disable the mobile application within Microsoft Internet Information Services (IIS) at the application pool level.</li><li>Use the primary OpenBlue Workplace web interface: To complete the tasks you've previously accomplished in OpenBlue Workplace Mobile interface, the primary Workplace web interface provides a subset of the Mobile functionality and is available here: [base url]/FMInteract/Default.aspx?DashboardType=Homepage.</li></ul>\n\n<br>"}], "value": "* Upgrade to patch level 2025.1.3 or above when available. Note: When this patch is applied, skip the below two steps.\n * Disable the Mobile Application in Microsoft Internet Information Services (IIS) or Disable the mobile application within Microsoft Internet Information Services (IIS) at the application pool level.\n * Use the primary OpenBlue Workplace web interface: To complete the tasks you've previously accomplished in OpenBlue Workplace Mobile interface, the primary Workplace web interface provides a subset of the Mobile functionality and is available here: [base url]/FMInteract/Default.aspx?DashboardType=Homepage."}], "source": {"discovery": "UNKNOWN"}, "title": "OpenBlue Mobile Web Application configuration issue for optional for OpenBlue Workplace (formerly FM Systems)", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-17T16:45:41.544710Z", "id": "CVE-2025-26381", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-17T16:45:49.543Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information."}], "id": "CVE-2025-26381", "lastModified": "2025-12-18T15:07:42.550", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "productsecurity@jci.com", "type": "Secondary"}]}, "published": "2025-12-17T17:15:48.697", "references": [{"source": "productsecurity@jci.com", "url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-03"}, {"source": "productsecurity@jci.com", "url": "https://tyco.widen.net/view/pdf/xmejieec4b/JCI-PSA-2025-05.pdf?t.download=true&u=aiurfs"}], "sourceIdentifier": "productsecurity@jci.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}], "source": "productsecurity@jci.com", "type": "Secondary"}]}