OTPulse

Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 (Update A)

Plan: Patch
CVSS: 8.8
ICS-CERT: ICSA-25-224-02
Published: Aug 12, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 door controllers contain multiple vulnerabilities (CVE-2025-53695, CVE-2025-53696, CVE-2025-53697, CVE-2025-53700) in firmware and security features. An authenticated attacker can modify firmware, disable security protections, or gain unauthorized access to protected spaces. iSTAR Ultra models with firmware ≤6.9.2.CU02 are particularly at risk. Physical access to the device can bypass some controls entirely. The iSTAR Ultra is nearing end-of-service and will not receive fixes for certain vulnerabilities.

What this means
What could happen
An attacker with valid credentials can modify firmware or bypass security protections on Johnson Controls door controllers, potentially allowing unauthorized access to secured spaces or disruption of access control operations.
Who's at risk
Water utilities and municipal facilities relying on Johnson Controls iSTAR door access control systems. Affected models include all current and older iSTAR Ultra, Ultra SE, and Edge G2 units used to control physical access to critical infrastructure such as pump stations, treatment plants, electrical rooms, and other restricted areas. Security officers and facility managers responsible for access control should prioritize this.
How it could be exploited
An attacker must first gain network access to the controller and provide valid login credentials (regular user credentials). Once authenticated, they can execute commands to modify firmware, disable security features, or alter access control settings. Physical access to the device can bypass some protections entirely.
Prerequisites
  • Network access to the iSTAR controller's management interface (typically port 443/HTTPS)
  • Valid user credentials (regular account, not necessarily administrative)
  • For some exploits, physical access to the device
Key points
  • No patch available for some product versions (iSTAR Ultra G2 and Edge G2)
  • Requires valid credentials but affects multiple access control models
  • Physical access enables direct exploitation
  • Affects access control systems protecting critical infrastructure
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (10)
8 with fix, 2 EOL

Product             Affected Versions    Fix Status
iSTAR Ultra         < 6.9.8              6.9.8
iSTAR Edge G2       <= 6.9.2.CU02        No fix (EOL)
iSTAR Edge G2       All versions         No fix (EOL)
iSTAR Ultra         <= 6.9.2.CU02        6.9.8
iSTAR Ultra SE      <= 6.9.2.CU02        6.9.8
iSTAR Ultra G2      <= 6.9.2.CU02        6.9.8
iSTAR Ultra G2 SE   <= 6.9.2.CU02        6.9.8
iSTAR Ultra SE      < 6.9.8              6.9.8
Remediation & Mitigation
Do now
WORKAROUND: Disable Pro Mode on iSTAR Ultra and iSTAR Ultra SE door controllers; use Ultra Mode instead
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade iSTAR Ultra and Ultra SE to firmware version 6.9.8 or later
HOTFIX: For iSTAR Ultra and Ultra SE, if physically accessible, upgrade to firmware 6.9.3 or later to fix CVE-2025-53695
HARDENING: Install door controllers in restricted-access, protected areas to prevent physical tampering
HARDENING: Implement network-level restrictions around iSTAR controllers (consult Johnson Controls JCI-PSA-2025-10 for details)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: iSTAR Edge G2: <=6.9.2.CU02, iSTAR Edge G2: vers:all/*. Apply the following compensating controls:
HARDENING: Consider upgrading iSTAR Ultra models to newer control units, as iSTAR Ultra is nearing end of service