Johnson Controls iSTAR
Plan: Patch · CVSS 8.8 · ICS-CERT ICSA-25-345-01 · Dec 11, 2025
Johnson Controls
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Johnson Controls iSTAR building automation controllers contain OS command injection vulnerabilities (CWE-78) caused by improper input validation. An authenticated attacker can execute arbitrary operating system commands on affected devices, gaining unauthorized control over building automation systems including HVAC, lighting, and security functions. Affected versions: iSTAR Ultra and Ultra SE before 6.9.7.CU01; iSTAR Ultra G2, Ultra G2 SE, and Edge G2 before 6.9.3.
What this means
What could happen
An attacker with valid credentials could execute arbitrary commands on iSTAR controllers, allowing them to modify building automation settings, disable safety systems, or disrupt facility operations.
Who's at risk
Building automation and facility management organizations running Johnson Controls iSTAR controllers. This affects companies using iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, or iSTAR Edge G2 systems for HVAC, lighting, access control, and other building automation functions.
How it could be exploited
An attacker needs valid login credentials to access the iSTAR device remotely over the network. Once authenticated, they can inject operating system commands through an input validation flaw; the injected commands run with the device's own privileges, giving the attacker full control over building automation logic and setpoints.
Prerequisites
- Valid user credentials for iSTAR device
- Network access to the iSTAR device (typically internal building network)
- Knowledge of vulnerable input field or parameter
Tags: remotely exploitable · requires valid credentials · command injection (CWE-78) · affects building automation and safety systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (5)
5 with fix
Product             Affected Versions   Fix Status
iSTAR Ultra         <6.9.7.CU01         6.9.7.CU01
iSTAR Ultra SE      <6.9.7.CU01         6.9.7.CU01
iSTAR Ultra G2      <6.9.3              6.9.7.CU01
iSTAR Ultra G2 SE   <6.9.3              6.9.7.CU01
iSTAR Edge G2       <6.9.3              6.9.3
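A practitioner's first task with this advisory is to turn the affected-version thresholds into an inventory check. The script below is an added example written for this page, not tooling from Johnson Controls or ICS-CERT: it parses iSTAR version strings, compares an installed version against the Affected Versions column for that product, and reports which devices in a constructed sample inventory still need the update. It assumes (the page does not say) that a "CUnn" cumulative-update suffix orders after the bare release it applies to, so 6.9.7 sorts below 6.9.7.CU01; hostnames and installed versions in the sample are made up.

```python
import re
from typing import Iterable, List, Tuple

# Thresholds taken from the advisory's Affected Versions column:
# a device is affected when its firmware is older than the listed version.
FIXED_IN = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

# major.minor.patch with an optional ".CUnn" cumulative-update suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[.CUnn]' into a tuple that compares correctly.

    Assumption (not stated on the page): a CU suffix orders after the bare
    release it applies to, so 6.9.7 < 6.9.7.CU01. No suffix is treated as CU00.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iSTAR version string: {text!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu or 0))


def is_affected(product: str, installed: str) -> bool:
    """True if the installed firmware is below the fixed version for the product."""
    if product not in FIXED_IN:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    return parse_version(installed) < parse_version(FIXED_IN[product])


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (product, installed_version, hostname) records still affected."""
    return [rec for rec in inventory if is_affected(rec[0], rec[1])]


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("iSTAR Ultra", "6.9.7", "ctrl-lobby-01"),         # lacks CU01 -> affected
    ("iSTAR Ultra SE", "6.9.7.CU01", "ctrl-plant-02"), # at fixed version
    ("iSTAR Ultra G2", "6.8.1", "ctrl-garage-03"),     # older than 6.9.3 -> affected
    ("iSTAR Edge G2", "6.9.3", "ctrl-north-04"),       # at fixed version
    ("iSTAR Ultra G2 SE", "6.10.0", "ctrl-south-05"),  # newer than fix (6.10 > 6.9)
]

if __name__ == "__main__":
    for product, version, host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to {FIXED_IN[product]}")
```

Comparing as integer tuples rather than strings matters here: a plain string comparison would rank "6.10.0" below "6.9.3" and flag a patched device as affected.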
Remediation & Mitigation
Do now
HARDENING: Restrict network access to iSTAR devices from the Internet; ensure they are not exposed on public-facing networks
HARDENING: Isolate the building automation network from the business IT network using firewall rules and network segmentation
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: Update iSTAR Ultra and iSTAR Ultra SE to version 6.9.7.CU01 or later
HOTFIX: Update iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 to version 6.9.3 or later
Long-term hardening
HARDENING: Review and enforce strong password policies for iSTAR user accounts to reduce the risk of credential compromise
CVEs (2)