The Cybersecurity and Infrastructure Security Agency (CISA) has issued a significant industrial control systems alert covering a vulnerability in the Qolsys IQ Panel 4 and IQ4 Hub. The vulnerability, classified as “Exposure of Sensitive Information to an Unauthorized Actor,” poses a considerable risk, with a CVSS v3 score of 7.3. Successful exploitation could grant unauthorized access to critical settings within the panel software.
The affected products are Qolsys IQ Panel 4 (versions prior to 4.4.2) and IQ4 Hub (versions prior to 4.4.2). CISA recommends immediately applying the mitigation measures provided by Johnson Controls, the parent company of Qolsys. Users are strongly advised to upgrade their IQ Panel 4 and IQ4 Hub to version 4.4.2. The firmware update can be deployed remotely or loaded manually by applying the designated patch tag “iqpanel4.4.2”. CISA further emphasizes the need to minimize network exposure for control system devices, isolate them from the internet, and use secure remote access methods such as Virtual Private Networks (VPNs).