OTPulse

Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool

Act Now · CVSS 9.8 · ICS-CERT ICSA-25-114-05 · Apr 24, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool contains a stack-based buffer overflow vulnerability (CWE-121) in versions prior to 6.9.5 that allows arbitrary code execution. The vulnerability has a CVSS score of 9.8, indicating critical severity with high impact on confidentiality, integrity, and availability.

What this means
What could happen
An attacker could execute arbitrary code on the ICU configuration tool, potentially gaining control of building automation system settings, access credentials, or the ability to reconfigure critical HVAC, fire, and security systems across networked Johnson Controls equipment.
Who's at risk
Energy sector organizations using Johnson Controls Software House iSTAR Configuration Utility (ICU) for building automation system management, including facility managers and engineers responsible for HVAC, fire safety, and security system configuration at power plants, utility data centers, and critical infrastructure facilities.
How it could be exploited
An attacker with network access to the ICU tool (typically a configuration workstation connected to the building automation network) could send specially crafted input that triggers a buffer overflow in the application, allowing them to inject and execute arbitrary commands with the privileges of the ICU process.
Prerequisites
  • Network access to the ICU tool or the workstation running it
  • No authentication required to trigger the vulnerability
  • The vulnerable version (prior to 6.9.5) must be installed and accessible
remotely exploitable · no authentication required · low complexity · critical CVSS score (9.8) · buffer overflow allows arbitrary code execution · affects building automation and control systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
  Product   Affected Versions   Fix Status
  ICU       < 6.9.5             6.9.5
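As an added illustration, not part of the OTPulse advisory or of any Johnson Controls tooling, the following Python script applies the affected-version range above ("< 6.9.5", fixed in 6.9.5) to an asset inventory. The inventory rows, hostnames and function names are constructed for this example. The point it makes is that version strings must be compared component by component as integers: a plain string comparison would rank "6.10.0" below "6.9.5" and wrongly flag a patched workstation.

```python
import re

# Affected range taken from the advisory's table: ICU prior to 6.9.5, fixed in 6.9.5.
FIXED_VERSION = "6.9.5"

# Constructed inventory rows (hostname, product, reported version); not real assets.
CONSTRUCTED_INVENTORY = [
    ("bms-eng-ws01", "ICU", "6.9.4"),     # below the fix: needs patching
    ("bms-eng-ws02", "ICU", "6.9.5"),     # exactly the fixed version
    ("bms-eng-ws03", "ICU", "v6.10.0"),   # newer than the fix despite '10' < '9' as text
    ("bms-eng-ws04", "ICU", "unknown"),   # inventory has no usable version
    ("bms-eng-ws05", "OTHER", "3.0"),     # different product, out of scope for this advisory
]


def parse_version(text: str) -> tuple:
    """Turn '6.9.5' or 'v6.10.0-build12' into a tuple of ints.

    Tuples of ints compare numerically per component, so (6, 10, 0) > (6, 9, 5),
    whereas the strings '6.10.0' and '6.9.5' would compare the wrong way round.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version is strictly below the fixed version.

    Shorter tuples are zero-padded so that '6.9' is treated as '6.9.0' and
    '6.9.5.1' is correctly seen as newer than '6.9.5'.
    """
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory, product: str = "ICU") -> dict:
    """Map each host running `product` to 'PATCH', 'ok' or 'unknown'.

    Hosts whose version cannot be parsed are reported as 'unknown' rather than
    silently treated as safe, so they can be verified by hand.
    """
    verdicts = {}
    for host, prod, version in inventory:
        if prod != product:
            continue
        try:
            verdicts[host] = "PATCH" if is_vulnerable(version) else "ok"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(CONSTRUCTED_INVENTORY).items():
        print(f"{host:14} {verdict}")
```

Run it against an export of the real asset inventory (host, product, version) in place of CONSTRUCTED_INVENTORY; every "PATCH" host maps to the "Upgrade ICU to version 6.9.5 or greater" action below, and every "unknown" host needs its version confirmed before it can be closed out.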
Remediation & Mitigation
Do now
  • HARDENING: Isolate ICU configuration workstations and the building automation network from the internet and business network using firewalls and network segmentation
  • HARDENING: Restrict network access to ICU tools to only authorized engineering and maintenance personnel using firewall rules or access control lists
  • WORKAROUND: If remote access to ICU is required, use a VPN with the most current security updates and restrict access to specific authorized users
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade ICU to version 6.9.5 or greater
API: /api/v1/advisories/dbd04cc3-55c0-4dc1-be1b-a2db0216c903