Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool

Status: Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-114-05 (Apr 24, 2025)
Vendor: Johnson Controls | Sector: Energy
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

A stack-based buffer overflow vulnerability in Johnson Controls Software House iSTAR Configuration Utility (ICU) allows unauthenticated network-based attackers to execute arbitrary code. The vulnerability exists in versions prior to 6.9.5 and is remotely exploitable with no user interaction required. Successful exploitation could allow an attacker to run arbitrary commands on the system running ICU, potentially allowing modification or disruption of building automation configurations across interconnected systems.

What this means
What could happen
An attacker with network access to the ICU tool could execute arbitrary code, potentially allowing them to modify or disable building automation configurations, which could affect HVAC, lighting, access control, and fire safety system settings across the building or facility.
Who's at risk
Building automation system administrators and facilities managers at energy and commercial facilities who use the Johnson Controls ICU tool to configure and manage building systems such as HVAC, lighting, and access control. Any organization running an ICU version prior to 6.9.5 is affected wherever the ICU host is reachable over the network.
How it could be exploited
An attacker who can reach ICU over the network, whether from the same network segment or through any remote path that exposes the ICU host, sends a specially crafted request to the ICU service. ICU copies attacker-controlled input into a fixed-size stack buffer without adequately checking its length; the resulting stack-based buffer overflow lets the attacker execute arbitrary code on the ICU host with the privileges of the ICU process.
Prerequisites
  • Network reachability to the ICU host on the port ICU listens on
  • ICU version prior to 6.9.5 deployed and running
  • No authentication required to exploit
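To make the bug class concrete, the following is an added illustration and not ICU's code: a minimal network message handler that trusts an attacker-supplied length field and copies into a fixed-size stack buffer, placed beside a bounds-checked form. The wire format, the 32-byte buffer size, the return codes and the function names are all assumptions made for this example; nothing here describes how ICU actually parses its messages.

```c
/*
 * Added example, not ICU code. Shows how a stack-based buffer overflow in a
 * network message handler arises, beside a bounds-checked version. The wire
 * format, buffer size, return codes and function names are assumptions.
 *
 * Assumed message layout:
 *   byte 0        message type
 *   byte 1        N = length of the "name" field (attacker controlled)
 *   bytes 2..2+N  name bytes
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 32

/*
 * Vulnerable handler. The only length check guards against reading past the
 * packet; nothing bounds N against the 32-byte stack buffer, so a message
 * with N >= 32 writes past `name` into the saved registers and return
 * address. Returns 0 on success, -1 when the packet is shorter than its
 * header claims.
 */
int handle_message_vulnerable(const uint8_t *msg, size_t msg_len)
{
    char name[NAME_BUF_SIZE];

    if (msg_len < 2)
        return -1;
    size_t n = msg[1];
    if (msg_len < 2 + n)        /* protects the read, not the stack buffer */
        return -1;
    memcpy(name, msg + 2, n);   /* stack overflow when n >= NAME_BUF_SIZE */
    name[n] = '\0';
    return 0;
}

/*
 * Hardened handler: the attacker-controlled length is bounded against the
 * destination buffer before any copy, leaving room for the terminator.
 * Returns 0 on success, -1 on a truncated packet, -2 on an oversized field.
 */
int handle_message_hardened(const uint8_t *msg, size_t msg_len)
{
    char name[NAME_BUF_SIZE];

    if (msg_len < 2)
        return -1;
    size_t n = msg[1];
    if (n >= NAME_BUF_SIZE)     /* reject before touching the buffer */
        return -2;
    if (msg_len < 2 + n)
        return -1;
    memcpy(name, msg + 2, n);
    name[n] = '\0';
    return 0;
}

/* Constructed sample messages for the demonstrations below. */

/* A well-formed message with a 5-byte name: both handlers accept it. */
int demo_benign_accepted(void)
{
    const uint8_t msg[] = { 0x01, 5, 'i', 'S', 'T', 'A', 'R' };
    return handle_message_vulnerable(msg, sizeof msg) == 0 &&
           handle_message_hardened(msg, sizeof msg) == 0;
}

/*
 * A message whose length byte (64) exceeds the 32-byte buffer. Only the
 * hardened handler is called: feeding this to the vulnerable one would
 * smash its stack frame, which is exactly what an exploit relies on.
 */
int demo_oversized_rejected(void)
{
    uint8_t msg[2 + 64];
    memset(msg, 'A', sizeof msg);
    msg[0] = 0x01;
    msg[1] = 64;
    return handle_message_hardened(msg, sizeof msg);   /* -2 */
}

/* A packet that claims 10 name bytes but carries only 1: both reject it. */
int demo_truncated_rejected(void)
{
    const uint8_t msg[] = { 0x01, 10, 'x' };
    return handle_message_vulnerable(msg, sizeof msg) == -1 &&
           handle_message_hardened(msg, sizeof msg) == -1;
}

int main(void)
{
    printf("benign message accepted by both: %s\n",
           demo_benign_accepted() ? "yes" : "no");
    printf("oversized field, hardened handler returns: %d\n",
           demo_oversized_rejected());
    printf("truncated packet rejected by both: %s\n",
           demo_truncated_rejected() ? "yes" : "no");
    return 0;
}
```

The difference between the two handlers is a single comparison placed before the copy. Building the vulnerable handler with -fstack-protector and feeding it the oversized message would end in a stack-smashing abort at function return rather than a silent overwrite; the hardened handler never reaches the copy at all, which is why an input-length bound, not a stack canary, is the actual fix for this class of bug.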
Tags: remotely exploitable, no authentication required, low complexity, critical CVSS score (9.8), affects safety and operational systems, building automation control
Exploitability
Unlikely to be exploited at present: EPSS score 0.4%. EPSS estimates the probability of in-the-wild exploitation over the next 30 days; a low score does not reduce the severity of the flaw for any host an attacker can reach.
Affected products (1)
  • Product: ICU | Affected Versions: < 6.9.5 | Fix Status: fixed in 6.9.5
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to the ICU administrative interface to authorized engineering workstations only, using firewall rules.
Schedule (requires maintenance window)
  Patching may require a device reboot; plan for process interruption.
  • HOTFIX: Upgrade ICU to version 6.9.5 or later.
Long-term hardening
  • HARDENING: Isolate the building automation network from business networks using a firewall or network segmentation.
  • HARDENING: If remote access to ICU is required, require use of a VPN that is kept current with security patches.
Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool | CVSS 9.8 - OTPulse