Johnson Controls iSTAR Configuration Utility (ICU) tool

Status: Plan Patch
CVSS: 7.4
ICS-CERT advisory: ICSA-25-146-01
Published: May 27, 2025
Vendor: Johnson Controls
Sector: Energy
Attack path
  • Attack Vector: Adjacent
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

A use-after-free vulnerability (CWE-457) in the Johnson Controls ICU tool allows an attacker on the same network to read memory from the ICU utility process. ICU is a configuration-only tool for legacy iSTAR controllers that are no longer manufactured or supported. The vulnerability does not affect the iSTAR controllers themselves, only the Windows PC running ICU. iSTAR Ultra and current iSTAR G2 series controllers are not affected.

What this means
What could happen
An attacker with network access to a Windows PC running the ICU tool could read sensitive data from system memory. This impacts only the configuration utility itself and the PC it runs on, not the iSTAR controllers being configured.
Who's at risk
Johnson Controls ICU (iSTAR Configuration Utility) operators who maintain legacy or out-of-production iSTAR systems. The advisory explicitly states this tool configures only discontinued products and does not affect current iSTAR Ultra or iSTAR G2 controllers. The vulnerability impacts only the Windows engineering workstation running ICU, not the controllers themselves.
How it could be exploited
An attacker on the same network segment as a Windows PC running an outdated ICU version could exploit an information disclosure vulnerability to read unencrypted credentials or configuration data from the ICU process memory.
Prerequisites
  • Network access to the Windows PC running ICU (same network segment)
  • ICU version prior to 6.9.5 must be installed
  • ICU process running in memory
Key points
  • Information disclosure from unencrypted memory
  • Affects legacy systems no longer manufactured
  • Low EPSS score indicates exploitation complexity
  • Does not affect current production iSTAR controllers
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product: ICU
Affected versions: <6.9.5
Fix status: fixed in 6.9.5
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Update ICU to version 6.9.5 or later
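The check a workstation owner wants before scheduling the hotfix is whether an ICU build older than 6.9.5 is installed and whether the process is currently loaded, since both are preconditions above. The PowerShell script below is an added example, not part of the advisory; it assumes ICU registers a Windows uninstall entry whose DisplayName matches "iSTAR Configuration Utility" or "ICU", and that its process name contains "ICU" or "iSTAR" (adjust both patterns to your install).

```powershell
# Added example (not from the advisory): inventory check for ICU on a Windows
# engineering workstation. Assumption: ICU's uninstall entry has a DisplayName
# matching $NamePattern; the fixed version 6.9.5 comes from the advisory.
$FixedVersion = [version]'6.9.5'
$NamePattern  = 'iSTAR Configuration Utility|\bICU\b'   # assumed display name

# Standard per-machine and per-user uninstall keys (32-bit and 64-bit views)
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Findings = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $NamePattern } |
    ForEach-Object {
        $installed = $null
        # DisplayVersion may be absent or non-numeric; report "unknown" instead of failing
        if (-not [version]::TryParse($_.DisplayVersion, [ref]$installed)) { $installed = $null }
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Version     = $_.DisplayVersion
            Vulnerable  = if ($installed) { $installed -lt $FixedVersion } else { 'unknown' }
        }
    }

if (-not $Findings) {
    Write-Output 'ICU not found in the installed-program inventory on this host.'
} else {
    $Findings | Format-Table -AutoSize
}

# Runtime exposure: the advisory's precondition is the ICU process being in memory.
# Assumed process-name pattern; confirm the real executable name from your install.
$Running = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match 'ICU|iSTAR' }
if ($Running) {
    $names = ($Running.ProcessName | Sort-Object -Unique) -join ', '
    Write-Output "ICU-related process running: $names. Review which network segments can reach this host until 6.9.5 is applied."
}
```

Run it elevated so the HKLM views are readable; a "Vulnerable = True" row with a running process is the host to prioritise for the maintenance window.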
