OTPulse

Johnson Controls iSTAR Ultra

Plan Patch · 8.8 · ICS-CERT ICSA-25-345-02 · Dec 11, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls iSTAR Ultra and iSTAR Edge G2 building automation controllers contain a firmware upload vulnerability that allows an authenticated attacker to upload malicious firmware and gain full control of the device. Successful exploitation could allow an attacker to modify firmware and gain complete access to the controller, potentially affecting HVAC, lighting, fire safety, access control, and other building systems that rely on these devices. The vulnerability affects iSTAR Ultra versions before 6.9.7.CU01, iSTAR Ultra SE, iSTAR Ultra LT, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 versions before 6.9.3.

What this means
What could happen
An attacker with login credentials could modify the firmware of iSTAR building automation controllers, giving them complete control over HVAC, lighting, fire safety, or access control systems that depend on these devices.
Who's at risk
Building automation operators and facility managers running Johnson Controls iSTAR Ultra or iSTAR Edge G2 controllers. These devices manage HVAC, lighting, fire safety, access control, and other critical building functions in hospitals, data centers, manufacturing plants, universities, and other commercial facilities.
How it could be exploited
An attacker with valid user credentials gains access to the iSTAR device's management interface over the network. Once authenticated, they can upload malicious firmware that overwrites the legitimate system software, allowing arbitrary commands to run on the controller. This modified controller then executes the attacker's commands instead of legitimate building automation logic.
Prerequisites
  • Valid login credentials for the iSTAR device
  • Network access to the iSTAR device management interface (typically port 80/443)
  • Ability to reach the device from the attacker's network location
  • Remotely exploitable
  • Authentication required (reduces immediate risk)
  • Requires valid credentials or credential compromise
  • Affects building safety and comfort systems
  • High-impact firmware modification capability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
6 with fix
Product              Affected Versions   Fix Status
iSTAR Ultra SE       <6.9.7.CU01         6.9.7.CU01
iSTAR Ultra LT       <6.9.7.CU01         6.9.7.CU01
iSTAR Ultra G2       <6.9.3              6.9.7.CU01
iSTAR Ultra G2 SE    <6.9.3              6.9.7.CU01
iSTAR Ultra          <6.9.7.CU01         6.9.7.CU01
iSTAR Edge G2        <6.9.3              6.9.3
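To turn the affected-version table into an inventory check, the following added example (not OTPulse or Johnson Controls code) parses the iSTAR version format, including the "CUnn" cumulative-update suffix, and flags which devices in a constructed sample inventory still fall inside the affected range. It assumes that a CU suffix ranks above the bare base version and that a missing suffix counts as CU00; the model names and thresholds come from the table above.

```python
import re
from typing import Optional, Tuple

# Affected-version thresholds from the advisory's product table:
# a device is affected when its firmware version is below the threshold.
AFFECTED_BELOW = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra LT": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.CU(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '6.9.7.CU01' into ((6, 9, 7), 1) and '6.9.3' into ((6, 9, 3), 0).

    Assumption (not stated in the advisory): a CUnn suffix ranks above the
    bare base version it is applied to, and a missing suffix counts as CU00.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iSTAR version string: {text!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    cu = int(m.group(2)) if m.group(2) else 0
    return base, cu


def is_affected(model: str, version: str) -> Optional[bool]:
    """True if the pair is inside the affected range, False if at or above
    the fixed version, None when the model is not covered by the advisory."""
    threshold = AFFECTED_BELOW.get(model)
    if threshold is None:
        return None
    return parse_version(version) < parse_version(threshold)


def triage(inventory):
    """Return (model, version, required_version) for devices still needing the update."""
    return [(m, v, AFFECTED_BELOW[m]) for m, v in inventory if is_affected(m, v)]


# Constructed sample inventory for illustration; not real devices.
SAMPLE_INVENTORY = [
    ("iSTAR Ultra", "6.9.7"),          # base version without CU01: still affected
    ("iSTAR Ultra", "6.9.7.CU01"),     # fixed
    ("iSTAR Edge G2", "6.8.12"),       # affected
    ("iSTAR Ultra G2 SE", "6.9.3"),    # fixed
]

if __name__ == "__main__":
    for model, version, required in triage(SAMPLE_INVENTORY):
        print(f"{model} {version}: update to {required} or later")
```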
Remediation & Mitigation
Do now
HARDENING: Restrict network access to iSTAR devices to only authorized engineering workstations and management systems; do not expose them to the internet
HARDENING: Enforce strong, unique passwords for all iSTAR device accounts and disable any default credentials
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade iSTAR Ultra, iSTAR Ultra SE, and iSTAR Ultra LT to version 6.9.7.CU01 or later
HOTFIX: Upgrade iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 to version 6.9.3 or later
Long-term hardening
HARDENING: Isolate building automation system networks from business IT networks using firewalls
HARDENING: If remote access to iSTAR devices is required, use a VPN with current security patches