OTPulse

Johnson Controls iSTAR Configuration Utility (ICU) tool

Plan Patch · 7.4 · ICS-CERT ICSA-25-146-01 · May 27, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The ICU configuration utility contains a memory leak vulnerability that allows an attacker on the same network segment to read sensitive data from the utility process. This affects only the Windows PC where ICU is running and does not impact active iSTAR controllers. The vulnerability exists in ICU versions prior to 6.9.5. Johnson Controls states this utility is used only for legacy iSTAR controllers that are no longer manufactured or supported; it is not used to configure current iSTAR Ultra or G2 series controllers.

What this means
What could happen
An attacker who gains access to a Windows PC running the ICU configuration utility could read sensitive data from the utility's memory. This does not directly affect the iSTAR controllers themselves or plant operations, but could expose engineering credentials or configuration details stored on the engineering workstation.
Who's at risk
Organizations in the energy sector using the ICU tool to maintain legacy iSTAR controllers that are no longer manufactured. The vulnerability affects only the engineering workstation where ICU runs; it does not impact current iSTAR Ultra or G2 series controllers in your plants.
How it could be exploited
An attacker on the same network segment as the Windows PC running ICU can read memory from the utility process. This requires the attacker to have local or adjacent network access to the PC where ICU is installed and running.
Prerequisites
  • Network access to the Windows PC running ICU (local area network or adjacent network segment)
  • ICU must be installed and running on the target PC
  • Attacker must have sufficient privileges to read process memory on that PC
  • Low attack complexity
  • Adjacent network access required
  • No authentication bypass
  • Memory disclosure vulnerability
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product   Affected Versions   Fix Status
ICU       <6.9.5              6.9.5
Remediation & Mitigation
Do now
HARDENING: Isolate the engineering workstation running ICU from the business network using network segmentation or firewall rules
HARDENING: Restrict access to the Windows PC running ICU to authorized engineering personnel only
WORKAROUND: Disable ICU when not actively configuring legacy iSTAR systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ICU to Version 6.9.5 or later