Johnson Controls iSTAR

CVSS 6.5 | ICS-CERT ICSA-25-338-04 | Dec 4, 2025
Johnson Controls
Attack path
  • Attack Vector: Adjacent
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

Johnson Controls iSTAR panels using TLS 1.2 encryption contain a vulnerability (CWE-298) that prevents the product from re-establishing secure communication once the TLS certificate expires. Affected models include iSTAR Ultra, Ultra LT, Ultra SE, eX, and Edge panels running versions below 6.9.0 or without TLS 1.3 support. The failure does not affect TLS 1.3-enabled systems. This is not remotely exploitable; an attacker requires local network access to the panel. Exploitation is time-dependent, occurring only when certificates reach expiration without the ability to refresh.

What this means
What could happen
Panels using TLS 1.2 will lose the ability to re-establish secure communication once their certificates expire, effectively disabling access control connectivity and potentially causing the security system to go offline.
Who's at risk
Organizations operating Johnson Controls iSTAR access control panels in TLS 1.2 mode are affected; this includes facility managers, security directors, and integrators at commercial buildings, data centers, campuses, and industrial facilities using C•CURE 9000 security systems. iSTAR Ultra, Ultra LT, Ultra SE, eX, and Edge models are affected depending on their encryption configuration.
How it could be exploited
An attacker with network access to iSTAR panels would trigger this failure by allowing TLS 1.2 certificates to expire, which the system cannot refresh due to the vulnerability. This requires waiting for a certificate expiration event, so it is not an active remote exploit but rather a denial-of-service condition that materializes over time.
Prerequisites
  • Network access to iSTAR panel on local network (not remotely exploitable)
  • Affected panel using TLS 1.2 encryption
  • Certificate expiration to occur (time-dependent condition)

  • Certificate expiration triggers denial of service (time-dependent)
  • No authentication required to trigger failure
  • Affects physical access control systems
  • iSTAR eX and Edge have no fix planned
  • Network access required (not remotely exploitable)
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (5)
3 with fix, 2 EOL
Product | Affected Versions | Fix Status
iSTAR Ultra LT (if in TLS 1.2) | <TLS 1.2 | 6.9.0 (with TLS 1.3 conversion)
iSTAR Ultra (if in TLS 1.2) | <TLS 1.2 | 6.9.0 (with TLS 1.3 conversion)
iSTAR Ultra SE (if in TLS 1.2) | <TLS 1.2 | 6.9.0 (with TLS 1.3 conversion)
iSTAR eX | <TLS 1.2 | No fix (EOL)
iSTAR Edge | <TLS 1.2 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Monitor certificate expiration dates on all iSTAR panels and establish a calendar reminder for renewal before expiry
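The "Do now" step above comes down to tracking two facts per panel: whether it negotiates TLS 1.2 (the mode the advisory says cannot recover once the certificate expires) and how many days its host certificate has left. The following Python is an added example, not code from Johnson Controls or OTPulse; the panel names, dates, 30-day lead time and connection port are constructed assumptions, and `probe_panel` shells out to the `openssl` CLI because the standard library does not decode notAfter for a certificate it did not verify.

```python
"""Expiry triage for iSTAR host certificates (added example, not vendor code)."""
import socket
import ssl
import subprocess
from datetime import datetime, timezone

LEAD_DAYS = 30  # constructed policy: renew at least 30 days before notAfter
NOW = datetime(2025, 12, 4, tzinfo=timezone.utc)  # advisory date, used as "today"
# Constructed sample inventory: (panel name, negotiated TLS version, notAfter)
SAMPLE_INVENTORY = [
    ("istar-ultra-01", "TLSv1.2", "Dec 20 00:00:00 2025 GMT"),
    ("istar-ultra-se-02", "TLSv1.3", "Dec 20 00:00:00 2025 GMT"),
    ("istar-ex-03", "TLSv1.2", "Nov 30 00:00:00 2025 GMT"),
    ("istar-edge-04", "TLSv1.2", "Jun 1 00:00:00 2026 GMT"),
]

def days_until_expiry(not_after, now):
    """notAfter in the 'Dec 20 00:00:00 2025 GMT' form that ssl.getpeercert()
    and `openssl x509 -enddate` emit; negative means already expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expiry - now).total_seconds() / 86400

def classify(tls_version, not_after, now, lead_days=LEAD_DAYS):
    """(status, affected): only TLS 1.2 sessions are affected, since the
    advisory's failure does not occur on TLS 1.3-enabled panels."""
    days = days_until_expiry(not_after, now)
    status = "EXPIRED" if days <= 0 else "RENEW_NOW" if days <= lead_days else "OK"
    return status, tls_version == "TLSv1.2"

def report(inventory, now, lead_days=LEAD_DAYS):
    """Names of affected panels needing action, already-expired ones first."""
    flagged = [(s != "EXPIRED", n) for n, v, na in inventory
               for s, a in [classify(v, na, now, lead_days)] if a and s != "OK"]
    return [n for _, n in sorted(flagged)]

def probe_panel(host, port, timeout=5.0):
    """Live collection (not exercised offline): negotiated TLS version plus the
    certificate's notAfter. Verification is off only because host-based panel
    certificates are not in the CA store; the result feeds inventory, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        version, der = tls.version(), tls.getpeercert(binary_form=True)
    end = subprocess.run(["openssl", "x509", "-inform", "DER", "-noout", "-enddate"],
                         input=der, capture_output=True, check=True).stdout
    return version, end.decode().strip().split("=", 1)[1]

if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY, NOW))  # ['istar-ex-03', 'istar-ultra-01']
```

Feed `probe_panel` results into the same `(name, version, not_after)` tuples to run `report` against a real inventory; the TLS 1.3 panel in the sample is deliberately left out of the result even though its certificate is also close to expiry.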
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Convert to TLS 1.3 encryption per cluster by upgrading to iSTAR firmware 6.9.0 or higher and C•CURE 9000 v2.90 SP3 or higher (preferred long-term solution)
WORKAROUND: Download and deploy new host-based certificates to all iSTAR Ultra, Ultra LT, and Ultra SE panels before certificate expiration (requires simultaneous deployment and brief downtime)
HOTFIX: For iSTAR eX and iSTAR Edge panels (no TLS 1.3 support), upgrade to G2 hardware or renew host-based certificates before expiration
Mitigations - no patch available
The following products have reached End of Life with no planned fix: iSTAR eX (<TLS 1.2), iSTAR Edge (<TLS 1.2). Apply the following compensating controls:
HARDENING: Segment iSTAR panels from Internet-facing networks and remote access points; use VPN only when remote access is required