1. EXECUTIVE SUMMARY
- CVSS v4 6.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Johnson Controls Inc.
- Equipment: OpenBlue Mobile Web Application for OpenBlue Workplace
- Vulnerability: Direct Request (‘Forced Browsing’)
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace are affected:
- OpenBlue Mobile Web Application for OpenBlue Workplace: Version 2025.1.2 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 DIRECT REQUEST (‘FORCED BROWSING’) CWE-425
Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace versions 2025.1.2 and prior are vulnerable to a Direct Request exploit that could allow an attacker to gain unauthorized access to sensitive information.
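The advisory names the weakness class (CWE-425) but, as is usual for CISA advisories, gives no code. The following added example is a generic illustration of the class and its fix, written for this page; it is not code from the OpenBlue product, Johnson Controls, or CISA, and the routes, roles and report payload are constructed for the demo. The vulnerable handler relies on the navigation menu to hide a sensitive page, so a direct request for the URL returns the data; the hardened handler runs an authorization check on every request regardless of how the URL was reached.

```python
"""Generic CWE-425 (Direct Request / 'Forced Browsing') demo: vulnerable handler
beside its hardened form. Added example, not the product's or the vendor's code.
All route names, roles and data below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Session:
    """Minimal stand-in for a web session: who is logged in and their roles."""
    user: Optional[str] = None
    roles: Set[str] = field(default_factory=set)


# Constructed sample data standing in for "sensitive information".
REPORTS = {"/reports/occupancy": "occupancy export for building A (constructed)"}


def menu(session: Session):
    """Navigation only *shows* the report link to admins. Hiding a link is not
    access control: the URL is still reachable by anyone who types it."""
    links = ["/home"]
    if "admin" in session.roles:
        links.extend(REPORTS)
    return links


def handle_vulnerable(path: str, session: Session) -> Tuple[int, str]:
    """Vulnerable pattern: the handler trusts that only admins ever reach the
    report URL, so it never checks who is asking (CWE-425)."""
    if path == "/home":
        return 200, "home"
    if path in REPORTS:
        return 200, REPORTS[path]  # no authorization on the direct request
    return 404, "not found"


def authorize(path: str, session: Session) -> Optional[int]:
    """Central policy: every request must be authenticated, and report pages
    additionally require the admin role. Returns an HTTP status on denial."""
    if session.user is None:
        return 401
    if path in REPORTS and "admin" not in session.roles:
        return 403
    return None


def handle_hardened(path: str, session: Session) -> Tuple[int, str]:
    """Hardened pattern: authorization runs on every request, independent of
    whether the UI ever offered a link to the page."""
    denied = authorize(path, session)
    if denied is not None:
        return denied, "denied"
    if path == "/home":
        return 200, "home"
    if path in REPORTS:
        return 200, REPORTS[path]
    return 404, "not found"


if __name__ == "__main__":
    anon = Session()
    admin = Session(user="alice", roles={"admin"})
    print(menu(anon), handle_vulnerable("/reports/occupancy", anon))
    print(menu(anon), handle_hardened("/reports/occupancy", anon))
    print(handle_hardened("/reports/occupancy", admin))
```

The detection angle follows from the same structure: a server whose access logs show successful (200) responses for privileged paths from sessions that never received a link to them is the symptom to alert on, and the fix is the central `authorize` step rather than any change to the menu.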
CVE-2025-26381 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-26381. A base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:U).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Government Services and Facili
[…]
This article has been indexed from All CISA Advisories.