PT-2025-49245 · Johnson Controls · Openblue Mobile Web Application, Openblue Workplace
Published: 2025-12-05 · Updated: 2025-12-17 · CVE-2025-26381
CVSS v4.0: 6.5 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:U
Name of the Vulnerable Software and Affected Versions
Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace versions 2025.1.2 and prior
Description
Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace versions 2025.1.2 and prior are susceptible to a Direct Request ('Forced Browsing') issue. This could allow an attacker to gain unauthorized access to sensitive information. Successful exploitation may lead to exposure of sensitive data without authentication or user interaction.
Recommendations
Upgrade to version 2025.1.3 or above to mitigate the vulnerability.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Openblue Mobile Web Application
Openblue Workplace