Universal Boot Loader (U-Boot) (Update A)

Plan PatchCVSS 8.4ICS-CERT ICSA-25-343-01Dec 9, 2025

Johnson Controls

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

U-Boot bootloader versions before 2017.11 contain an improper input validation vulnerability (CWE-1274) in the early boot phase that could allow an attacker with physical USB access to execute arbitrary code. This affects Johnson Controls Airwall AW-75 gateways and multiple Qualcomm chipsets commonly used in industrial networking equipment. Successful exploitation requires physical access to USB-A ports and can result in complete compromise of the affected device.

What this means

What could happen

An attacker with physical access to USB ports on an Airwall gateway could execute arbitrary code on the device, potentially compromising network security functions and enabling lateral movement into your building systems network.

Who's at risk

This affects Johnson Controls Airwall AW-75 network security gateways used to isolate building automation and OT networks, and any industrial or commercial equipment using older Qualcomm chipsets (IPQ-series) that rely on vulnerable U-Boot versions.

How it could be exploited

An attacker must physically connect a USB device to an affected Airwall gateway while it is booting. The U-Boot bootloader lacks proper validation during the early boot phase, allowing the attacker to inject malicious code that executes before the operating system loads. This gives the attacker complete control over the device.

Prerequisites

Physical access to USB-A ports on the Airwall gateway
Ability to connect USB device while the gateway is powered on or rebooting
No epoxy sealant or other physical barrier already in place on USB ports

Low complexity attackNo authentication required for exploitationPhysical access vulnerability in critical network boundary deviceQualcomm chipsets have no fix planned

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (9)

2 with fix7 EOL

ProductAffected VersionsFix Status

Qualcomm Chipset IPQ6018<2017.11No fix (EOL)

Qualcomm Chipset IPQ8074<2017.11No fix (EOL)

Qualcomm Chipset IPQ8064<2017.11No fix (EOL)

Qualcomm Chipset IPQ5322<2017.11No fix (EOL)

U-boot: <2017.11<2017.112025.4

Qualcomm Chipset IPQ4019<2017.11No fix (EOL)

Qualcomm Chipset IPQ5018<2017.11No fix (EOL)

Johnson Controls Airwall AW-75 vers:all/*<2017.112025.4

Remediation & Mitigation

0/4

Do now

0/3

HOTFIXFor Airwall 75 gateways on U-Boot 2017.03 or earlier: Install hotfix hf-3303 from https://webhelp.tempered.io/content/topics/downloads_hotfixes.html#downloads_hotfixes__section_vw4_25x_13c

WORKAROUNDPhysically secure USB-A ports on all Airwall gateways by sealing them with epoxy or equivalent material (note: micro-USB console port does not require sealing)

HARDENINGDeploy all Airwall gateways in physically secure locations where unauthorized personnel cannot plug in USB devices

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXFor non-Johnson Controls devices using affected Qualcomm chipsets (IPQ6018, IPQ8074, IPQ8064, IPQ5322, IPQ4019, IPQ5018, IPQ9574), contact Qualcomm support referencing CVE-2025-24857 to determine if a U-Boot upgrade is available for your specific hardware

CVEs (1)

CVE-2025-24857

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d3f656b1-c130-48a3-9117-5bebf9d3316a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.