OTPulse

Johnson Controls iSTAR

Monitor · 6.5 · ICS-CERT ICSA-25-338-04 · Dec 4, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls iSTAR access control panels using TLS 1.2 encryption fail to re-establish secure communication with the C•CURE 9000 server once their host certificates expire. The vulnerability prevents the panel from receiving updated access policies and security configuration changes, effectively disabling the access control system's remote management capability. This affects iSTAR eX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra, and iSTAR Ultra SE models when configured with TLS 1.2. The failure is triggered by certificate expiration and requires manual certificate renewal or system upgrade to restore functionality.

What this means
What could happen
When a TLS 1.2 certificate expires on an iSTAR access control panel, the system loses secure communication with the central server and fails to re-establish the connection, causing the panel to stop responding to controller commands and potentially locking out legitimate users from the building.
Who's at risk
Building access control operators and facility managers using Johnson Controls iSTAR access control panels (eX, Edge, Ultra LT, Ultra, and Ultra SE models). This affects any organization relying on iSTAR panels for perimeter access, door locks, or badge readers that authenticate users before entering critical areas.
How it could be exploited
An attacker with network access to an iSTAR panel could monitor for certificate expiration and then take advantage of the failed reconnection by intercepting or blocking communication, preventing the panel from receiving updated security policies or access control changes from the C•CURE server.
Prerequisites
  • Network access to the iSTAR panel on the same network segment (AV:A indicates adjacent network only)
  • Knowledge of the certificate expiration date on the target panel
  • No authentication required to trigger the failure
  • No authentication required to trigger failure
  • Low complexity exploit
  • No patch available for legacy iSTAR eX, Edge, and Ultra LT models
  • Affects physical access control systems (impacts facility security)
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (5)
3 with fix · 2 EOL
Product | Affected Versions | Fix Status
iSTAR Ultra LT (if in TLS 1.2) | <TLS 1.2 | 6.9.0 (with TLS 1.3 conversion)
iSTAR Ultra (if in TLS 1.2) | <TLS 1.2 | 6.9.0 (with TLS 1.3 conversion)
iSTAR Ultra SE (if in TLS 1.2) | <TLS 1.2 | 6.9.0 (with TLS 1.3 conversion)
iSTAR eX | <TLS 1.2 | No fix (EOL)
iSTAR Edge | <TLS 1.2 | No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Download and deploy new TLS 1.2 host-based certificates to all affected iSTAR panels (requires brief system downtime)
HOTFIX: Upgrade firmware to version 6.9.0 or higher and C•CURE 9000 to v2.90 SP3 or higher, then migrate encryption mode to TLS 1.3 per cluster (not applicable to iSTAR eX, Edge, or Ultra LT)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: iSTAR eX (<TLS_1.2) and iSTAR Edge (<TLS_1.2). Apply the following compensating controls:
HARDENING: Replace iSTAR eX, iSTAR Edge, and iSTAR Ultra LT panels with new G2 hardware models that support TLS 1.3
HARDENING: Implement network segmentation to isolate iSTAR access control systems from the Internet and business networks behind firewalls
HARDENING: Implement a certificate monitoring and renewal process to ensure TLS 1.2 certificates are replaced before expiration
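The certificate monitoring control above, as an added example (not code from the advisory or from Johnson Controls): it classifies panel host certificates from a constructed inventory of notAfter dates and, optionally, from a live TLS endpoint. The panel names, the 30-day renewal window, the host/port and the CA file are assumptions; an already-expired certificate fails verification before its dates can be read, which the live check reports as EXPIRED, the state in which the advisory says the panel stops re-establishing its C•CURE link.

```python
"""Expiry monitor for TLS 1.2 host certificates on access control panels (added example)."""
import socket
import ssl
import time
from typing import Dict, Optional, Tuple

RENEW_BEFORE_DAYS = 30  # assumed operational renewal window, not a value from the advisory


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """not_after uses the format ssl.getpeercert() returns, e.g. 'Dec  4 00:00:00 2025 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)  # UTC epoch seconds
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def classify(days_left: float) -> str:
    """EXPIRED: panel has already lost its secure link; RENEW: replace inside the window."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= RENEW_BEFORE_DAYS:
        return "RENEW"
    return "OK"


def check_inventory(inventory: Dict[str, str], now: Optional[float] = None) -> Dict[str, Tuple[str, float]]:
    """inventory maps panel name -> notAfter recorded when the host certificate was deployed."""
    report = {}
    for panel, not_after in inventory.items():
        days = days_until_expiry(not_after, now)
        report[panel] = (classify(days), round(days, 1))
    return report


def check_live(host: str, port: int, cafile: str) -> Tuple[str, Optional[float]]:
    """Read notAfter from the TLS endpoint presenting the panel host certificate (host, port, cafile assumed)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CA that issued the panel host certificates
    ctx.check_hostname = False  # panels are addressed by IP; CERT_REQUIRED stays on so getpeercert() is populated
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock) as tls:
                days = days_until_expiry(tls.getpeercert()["notAfter"])
                return classify(days), round(days, 1)
    except ssl.SSLCertVerificationError as err:  # verification fails before notAfter is readable
        return ("EXPIRED" if "expired" in err.verify_message.lower() else "INVALID"), None


# Constructed sample inventory: hypothetical panel names and certificate notAfter values.
SAMPLE_INVENTORY = {
    "istar-ultra-lobby": "Dec  4 00:00:00 2025 GMT",
    "istar-edge-dock": "Oct  1 00:00:00 2025 GMT",
    "istar-ultra-se-datahall": "Jun 30 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    for panel, (status, days) in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{panel:26s} {status:8s} {days:>8.1f} days")
```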