Johnson Controls iSTAR
Priority: Plan Patch · Score 8.8 · ICS-CERT ICSA-25-345-01 · Dec 11, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Johnson Controls iSTAR building automation controllers contain a command injection vulnerability (CWE-78) in firmware versions before 6.9.3 (G2 models) and 6.9.7.CU01 (Ultra models). Successful exploitation requires valid user credentials and network access to the device. The vulnerability could allow an attacker to execute arbitrary OS commands on the controller, gaining unauthorized access and control over HVAC and facility automation functions.
What this means
What could happen
An attacker with valid user credentials could gain unauthorized access to iSTAR building automation controllers, potentially allowing them to modify HVAC setpoints, disable alarms, or disrupt facility operations.
Who's at risk
Building automation operators and facility managers responsible for Johnson Controls iSTAR controllers used in HVAC, temperature control, and facility management systems. This affects all iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 devices running firmware versions older than 6.9.3 (G2 models) or 6.9.7.CU01 (Ultra models).
How it could be exploited
An attacker with valid engineering or operational credentials could authenticate to an iSTAR device over the network (likely via HTTP/HTTPS or direct network access to the device) and exploit an OS command injection vulnerability (CWE-78) to execute arbitrary system commands on the controller, gaining full control of the device.
Prerequisites
- Valid user credentials (engineering workstation account or operational account)
- Network access to the iSTAR device (TCP/IP connectivity)
- Device running vulnerable firmware version (below 6.9.7.CU01 for Ultra models, below 6.9.3 for G2 models)
- Authentication to the device interface required
Risk factors
- Remotely exploitable over network
- Requires valid credentials (reduces but does not eliminate risk if credentials are compromised or default)
- Low attack complexity
- No authentication required variant possible (CWE-78 often has bypass paths)
- Affects HVAC/facility control systems critical to building operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
5 with fix
Product             Affected Versions   Fix Status
iSTAR Ultra         <6.9.7.CU01         6.9.7.CU01
iSTAR Ultra SE      <6.9.7.CU01         6.9.7.CU01
iSTAR Ultra G2      <6.9.3              6.9.7.CU01
iSTAR Ultra G2 SE   <6.9.3              6.9.7.CU01
iSTAR Edge G2       <6.9.3              6.9.3
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to iSTAR devices to authorized engineering and operations networks only; block direct Internet access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade iSTAR Ultra and iSTAR Ultra SE to version 6.9.7.CU01 or greater
- HOTFIX: Upgrade iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 to version 6.9.3 or greater
Long-term hardening
- HARDENING: Place iSTAR devices behind a firewall with strict inbound access rules; separate the building automation network from the business network
- HARDENING: If remote access to iSTAR is required, use a VPN with strong authentication and keep the VPN software updated
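To turn the affected-version ranges above into a patch-status check across an asset inventory, the following added script (not part of the advisory or of any Johnson Controls tooling) parses iSTAR firmware strings such as 6.9.7.CU01 and flags devices still inside the affected range for their model. It assumes that a CUnn suffix is a cumulative update that sorts after its base release, and the inventory entries and hostnames are constructed sample data.

```python
import re

# Lowest version per model that is NOT affected, as stated in the advisory
# (Ultra models: 6.9.7.CU01, G2 models: 6.9.3). Anything below is affected.
FIXED_IN = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

# major.minor.patch with an optional cumulative-update suffix (CU01, cu2, ...)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?$", re.IGNORECASE)


def version_key(version: str) -> tuple:
    """Turn '6.9.7.CU01' into a comparable tuple (6, 9, 7, 1).

    Assumption (not stated in the advisory): a CUnn suffix is a cumulative
    update on top of the base release, so 6.9.7 sorts before 6.9.7.CU01.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised iSTAR firmware version: {version!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu) if cu else 0)


def is_affected(model: str, version: str) -> bool:
    """True when model/version falls inside the advisory's affected range."""
    if model not in FIXED_IN:
        raise KeyError(f"model not covered by this advisory: {model!r}")
    return version_key(version) < version_key(FIXED_IN[model])


def triage(inventory: list) -> list:
    """Return inventory entries that still need the upgrade, with the target version."""
    return [{**dev, "upgrade_to": FIXED_IN[dev["model"]]}
            for dev in inventory if is_affected(dev["model"], dev["firmware"])]


# Constructed sample inventory; hostnames and firmware values are made up.
SAMPLE_INVENTORY = [
    {"host": "bas-ctl-01", "model": "iSTAR Ultra", "firmware": "6.9.7"},
    {"host": "bas-ctl-02", "model": "iSTAR Ultra", "firmware": "6.9.7.CU01"},
    {"host": "bas-ctl-03", "model": "iSTAR Edge G2", "firmware": "6.8.12"},
    {"host": "bas-ctl-04", "model": "iSTAR Ultra G2 SE", "firmware": "6.9.3"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['model']} {f['firmware']} -> upgrade to {f['upgrade_to']}")
```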
CVEs (2)