CVE-2025-61739
📋 TL;DR
This vulnerability involves nonce reuse in Johnson Controls Metasys products, allowing attackers to perform replay attacks or decrypt captured network packets. It affects building automation systems that use vulnerable versions of Metasys software and devices. Organizations using these systems for HVAC, security, or other building controls are at risk.
💻 Affected Systems
- Johnson Controls Metasys products
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could gain unauthorized control of building systems, manipulate environmental controls, disable security systems, or access sensitive building data through decrypted communications.
Likely Case
Attackers intercept and replay legitimate commands to manipulate building systems, potentially causing operational disruptions or unauthorized access to controlled areas.
If Mitigated
With proper network segmentation and monitoring, impact is limited to isolated building systems with minimal safety or security consequences.
🎯 Exploit Status
Exploitation requires network access to Metasys systems and understanding of the protocol. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Consult Johnson Controls advisory for specific patched versions
Vendor Advisory: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
Restart Required: Yes
Instructions:
1. Review Johnson Controls security advisory ICSA-25-350-02
2. Identify affected Metasys products in your environment
3. Apply vendor-provided patches or firmware updates
4. Restart affected systems as required
5. Verify patch implementation through testing
🔧 Temporary Workarounds
Network Segmentation
All platforms: Isolate Metasys systems from general corporate networks and internet access
Network Monitoring
All platforms: Implement network monitoring for unusual Metasys protocol traffic patterns
🧯 If You Can't Patch
- Implement strict network access controls to limit who can communicate with Metasys systems
- Deploy network intrusion detection systems to monitor for replay attack patterns
🔍 How to Verify
Check if Vulnerable:
Check system versions against Johnson Controls advisory and verify if Metasys products are in use
Check Version:
Consult Metasys system documentation for version checking procedures specific to your deployment
Verify Fix Applied:
Verify patch installation through version checks and test system functionality post-update
📡 Detection & Monitoring
Log Indicators:
- Repeated identical commands in short timeframes
- Unexpected system state changes
- Authentication anomalies in building control logs
Network Indicators:
- Duplicate network packets with identical nonces
- Unusual timing patterns in Metasys protocol traffic
- Traffic from unexpected sources to building control systems
SIEM Query:
Search for repeated identical commands to Metasys systems within short time windows or from multiple source IPs
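The "identical nonces" network indicator and the SIEM query above, expressed as detection logic in an added example (not vendor or advisory code). The record layout, device names and 60-second window are assumptions, the sample lines are constructed, and nonce uniqueness is assumed to be scoped per destination device.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real Metasys output. Assumed fields:
# timestamp, source IP, destination device, nonce (hex), command digest.
SAMPLE = """\
2025-01-10T08:00:00 10.0.5.20 ctrl-01 a1b2c3d4 setpoint:9f3e
2025-01-10T08:00:05 10.0.5.20 ctrl-01 a1b2c3d5 read:77aa
2025-01-10T08:00:09 10.0.9.44 ctrl-01 a1b2c3d4 setpoint:9f3e
2025-01-10T08:00:12 10.0.5.20 ctrl-01 a1b2c3d6 schedule:51c0
2025-01-10T08:07:30 10.0.5.20 ctrl-01 a1b2c3d7 schedule:51c0
2025-01-10T08:07:40 10.0.5.20 ctrl-02 a1b2c3d4 read:77aa
"""

def parse(text):
    """Turn whitespace-separated lines into (time, src, dst, nonce, cmd) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the run
        ts, src, dst, nonce, cmd = parts
        records.append((datetime.fromisoformat(ts), src, dst, nonce, cmd))
    return sorted(records)

def nonce_reuse(records):
    """Nonces seen more than once for the same destination (assumed key scope)."""
    seen = defaultdict(list)
    for rec in records:
        seen[(rec[2], rec[3])].append(rec)
    return {key: recs for key, recs in seen.items() if len(recs) > 1}

def repeated_commands(records, window=timedelta(seconds=60)):
    """Identical commands to one destination repeated within `window`."""
    last, hits = {}, defaultdict(set)
    for ts, src, dst, _nonce, cmd in records:
        key = (dst, cmd)
        if key in last and ts - last[key][0] <= window:
            hits[key].update({last[key][1], src})
        last[key] = (ts, src)
    return dict(hits)

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for (dst, nonce), dup in nonce_reuse(recs).items():
        print(f"nonce {nonce} reused {len(dup)}x on {dst}")
    for (dst, cmd), srcs in repeated_commands(recs).items():
        print(f"{cmd} repeated on {dst} from {sorted(srcs)}")
```

On the sample data this flags one reused nonce on ctrl-01 and one command repeated within the window from two source IPs; the same nonce appearing on ctrl-02 and the repeat seven minutes later are not flagged.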