Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 (Update A)

Recommended action: Plan patch | CVSS 8.8 | ICS-CERT ICSA-25-224-02 | Aug 12, 2025
Vendor: Johnson Controls
Attack path
  • Attack Vector: Network
  • Auth Required: Low
  • Complexity: Low
  • User Interaction: None needed
Summary

Johnson Controls iSTAR door controllers contain multiple command injection and access control vulnerabilities (CWE-78, CWE-349, CWE-1392, CWE-1299, CWE-922) that allow authenticated attackers to execute arbitrary commands and modify device firmware. Successful exploitation may allow an attacker to alter door access control logic, lock users in or out of secured areas, and persist changes through firmware modification. iSTAR Ultra and variants are vulnerable in versions prior to 6.9.8. iSTAR Edge G2 devices in all versions are affected and will not receive a vendor fix. The hardware manual requires iSTAR controllers be installed in restricted-access, protected areas to lower the risk of physical tampering.

What this means
What could happen
An attacker with authenticated network access to an iSTAR controller could execute arbitrary commands to modify firmware, alter door access control logic, or lock users in or out of secured areas. iSTAR Edge G2 devices have no patch available and remain vulnerable to firmware modification attacks.
Who's at risk
Organizations operating Johnson Controls iSTAR door controllers, including access control systems at facilities with physical security requirements (data centers, secure rooms, critical infrastructure buildings). iSTAR Ultra and variants have a vendor patch available. iSTAR Edge G2 has no patch available and will remain vulnerable.
How it could be exploited
An attacker with valid credentials and network access to the management interface could execute shell commands through a command injection vulnerability in the iSTAR controller. This allows direct modification of the device firmware and access control policies that govern physical security.
Prerequisites
  • Valid user credentials for the iSTAR controller management interface
  • Network access to the iSTAR controller on the management port
  • Authentication to the device (not unauthenticated)

  • Remotely exploitable with valid credentials
  • Low to moderate complexity
  • Allows firmware modification
  • Affects physical security systems
  • iSTAR Edge G2 has no patch available
  • Authenticated access required, but administrator accounts may be shared or poorly managed
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (10)
8 with fix, 2 EOL

Product              Affected Versions    Fix Status
iSTAR Ultra          < 6.9.8              6.9.8
iSTAR Edge G2        ≤ 6.9.2.CU02         No fix (EOL)
iSTAR Edge G2        All versions         No fix (EOL)
iSTAR Ultra          ≤ 6.9.2.CU02         6.9.8
iSTAR Ultra SE       ≤ 6.9.2.CU02         6.9.8
iSTAR Ultra G2       ≤ 6.9.2.CU02         6.9.8
iSTAR Ultra G2 SE    ≤ 6.9.2.CU02         6.9.8
iSTAR Ultra SE       < 6.9.8              6.9.8
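The affected-version table above mixes two notations (a plain "< 6.9.8" upper bound and a "≤ 6.9.2.CU02" cumulative-update build), so an asset owner checking an inventory by hand can easily misjudge a build such as 6.9.2.CU02 against the 6.9.8 fix. The script below is an added example written for this page, not code from Johnson Controls or from the advisory platform; it encodes the table's ranges and triages a constructed inventory. It assumes that a trailing "CUnn" segment is a cumulative update on top of the preceding numeric release (so 6.9.2.CU02 is newer than 6.9.2 but older than 6.9.8), and the device records it reads are invented for illustration.

```python
import re
from dataclasses import dataclass

# Ranges taken from the advisory table. The Ultra family is fixed in 6.9.8;
# iSTAR Edge G2 is affected in all versions and will receive no fix.
FIXED_VERSION = "6.9.8"
ULTRA_FAMILY = {"iSTAR Ultra", "iSTAR Ultra SE", "iSTAR Ultra G2", "iSTAR Ultra G2 SE"}
EOL_PRODUCTS = {"iSTAR Edge G2"}

# Assumption: a trailing "CU02"-style segment is a cumulative update number.
_CU_RE = re.compile(r"^CU(\d+)$", re.IGNORECASE)


def parse_version(ver: str):
    """Turn '6.9.2.CU02' into ((6, 9, 2), 2) so tuples compare correctly.

    The numeric release is compared first; the CU number breaks ties, so
    6.9.2 < 6.9.2.CU02 < 6.9.8. Anything else is rejected rather than guessed.
    """
    numeric = []
    cu = 0
    for part in ver.strip().split("."):
        if part.isdigit():
            numeric.append(int(part))
            continue
        m = _CU_RE.match(part)
        if m is None:
            raise ValueError(f"unrecognised version segment {part!r} in {ver!r}")
        cu = int(m.group(1))
    if not numeric:
        raise ValueError(f"no numeric release in {ver!r}")
    return (tuple(numeric), cu)


@dataclass
class Assessment:
    device_id: str
    product: str
    version: str
    status: str      # "fixed", "patch-available", "eol-no-fix", "not-covered"
    action: str


def assess(device_id: str, product: str, version: str) -> Assessment:
    """Map one device to the advisory's fix status and the matching action."""
    if product in EOL_PRODUCTS:
        # All versions affected, no vendor fix: compensating controls only.
        return Assessment(device_id, product, version, "eol-no-fix",
                          "Apply physical and network access controls; plan replacement")
    if product in ULTRA_FAMILY:
        if parse_version(version) < parse_version(FIXED_VERSION):
            return Assessment(device_id, product, version, "patch-available",
                              f"Schedule update to {FIXED_VERSION} or later (reboot required)")
        return Assessment(device_id, product, version, "fixed", "No action")
    return Assessment(device_id, product, version, "not-covered",
                      "Product not listed in this advisory")


def triage(inventory):
    """Assess every device and return results with the riskiest first."""
    order = {"eol-no-fix": 0, "patch-available": 1, "not-covered": 2, "fixed": 3}
    results = [assess(d["id"], d["product"], d["version"]) for d in inventory]
    return sorted(results, key=lambda a: order[a.status])


# Constructed sample inventory; device ids and versions are invented.
SAMPLE_INVENTORY = [
    {"id": "ctl-01", "product": "iSTAR Ultra",       "version": "6.9.2.CU02"},
    {"id": "ctl-02", "product": "iSTAR Ultra SE",    "version": "6.9.8"},
    {"id": "ctl-03", "product": "iSTAR Edge G2",     "version": "6.9.2.CU02"},
    {"id": "ctl-04", "product": "iSTAR Ultra G2 SE", "version": "6.9.7"},
    {"id": "ctl-05", "product": "iSTAR Ultra G2",    "version": "6.9.2"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        print(f"{a.device_id:7} {a.product:18} {a.version:12} {a.status:16} {a.action}")
```

Feeding a real export from the access-control management server into `triage` gives the two lists the remediation section asks for: devices to schedule for the 6.9.8 update, and Edge G2 units that need compensating controls and a replacement plan.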
Remediation & Mitigation
Do now
WORKAROUND: Disable Pro Mode on iSTAR Ultra and iSTAR Ultra SE controllers; use Ultra Mode instead
HARDENING: Restrict network access to iSTAR controllers to authorized management workstations only, using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update iSTAR Ultra, Ultra SE, Ultra G2, and Ultra G2 SE controllers to firmware version 6.9.8 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: iSTAR Edge G2: <=6.9.2.CU02, iSTAR Edge G2: vers:all/*. Apply the following compensating controls:
HARDENING: Implement physical access controls to ensure iSTAR controllers are housed in restricted-access, protected areas to prevent physical tampering
HARDENING: Inventory and evaluate iSTAR Edge G2 devices for potential replacement, as no firmware patch is available and the product will not receive vendor fixes