Johnson Controls iSTAR Ultra

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-345-02 | Dec 11, 2025
Johnson Controls
Attack path
Attack Vector: Network
Auth Required: Low (a valid low-privilege device account is enough)
Complexity: Low
User Interaction: None needed
Summary

Johnson Controls iSTAR Ultra access control controllers contain an OS command injection vulnerability (CWE-78) that lets an authenticated user execute arbitrary commands on the device and, from there, modify its firmware. Successful exploitation gives the attacker full administrative control of the controller. Affected models are iSTAR Ultra, iSTAR Ultra SE and iSTAR Ultra LT before firmware 6.9.7.CU01, and iSTAR Ultra G2, iSTAR Ultra G2 SE and iSTAR Edge G2 before firmware 6.9.3 (see the product table below).

What this means
What could happen
An authenticated attacker could execute arbitrary OS commands on an iSTAR Ultra controller, replace its firmware with a modified image, and take complete control of the access control functions (doors, readers, locks) that depend on the device. Because the foothold can be written into firmware, it can persist across reboots and credential changes.
Who's at risk
Physical security and facility teams that run door and badge access on Johnson Controls iSTAR Ultra controllers, and the security operations staff who rely on those controllers' events and alarms. Any facility whose building access depends on these devices is affected.
How it could be exploited
An attacker holding valid iSTAR credentials sends input that the device passes unsanitised to an OS shell (CWE-78), running arbitrary commands with the device's elevated privileges. From there the attacker can write modified firmware and hold full administrative access to the controller. Since only a low-privilege account is required, a leaked or shared operator password is a sufficient starting point.
Prerequisites
  • Valid iSTAR device user credentials
  • Network access to the iSTAR Ultra device (typically on the building automation network)
  • Knowledge of command injection techniques or availability of a working exploit
Tags: remotely exploitable, authentication required, high CVSS (8.8), affects critical building systems, affects safety and security systems
Exploitability
Unlikely to be exploited: EPSS score 0.1% (a low predicted probability of exploitation in the wild over the next 30 days; this says nothing about the impact once an attacker holds device credentials)
Affected products (6)
6 with fix
Product             Affected versions   Fixed in
iSTAR Ultra         < 6.9.7.CU01        6.9.7.CU01
iSTAR Ultra SE      < 6.9.7.CU01        6.9.7.CU01
iSTAR Ultra LT      < 6.9.7.CU01        6.9.7.CU01
iSTAR Ultra G2      < 6.9.3             6.9.7.CU01
iSTAR Ultra G2 SE   < 6.9.3             6.9.7.CU01
iSTAR Edge G2       < 6.9.3             6.9.3
Remediation & Mitigation
Do now
Workaround: Restrict network access to iSTAR devices (at the segment firewall or switch ACL) to only the authorized engineering workstations and the building access servers that need to reach them; deny everything else and log the denials so unexpected clients become visible.
Schedule — requires maintenance window

Patching may require a device reboot; plan for the access points the controller manages to be interrupted during the window, and confirm the running version after the reboot rather than assuming the upgrade applied.

Hotfix: Upgrade iSTAR Ultra, iSTAR Ultra SE, and iSTAR Ultra LT devices to firmware version 6.9.7.CU01 or later
Hotfix: Upgrade iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 devices to firmware version 6.9.3 or later
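To make the two upgrade steps above checkable across a fleet, here is an added example (not Johnson Controls' or OTPulse's code) that triages a device inventory against the affected-version thresholds in this advisory. The inventory entries are constructed. The assumption that a `.CUnn` suffix is a cumulative update stacked on the base version, so that 6.9.7 sorts below 6.9.7.CU01, is this example's reading of the version strings, not documented vendor behaviour.

```python
"""Triage an iSTAR device inventory against the affected-version thresholds
in ICSA-25-345-02. Added example; not Johnson Controls or OTPulse code."""
import re

# Devices running a firmware below this threshold are affected (taken from
# the advisory's product table and upgrade guidance).
VULNERABLE_BELOW = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra LT": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

# major.minor[.patch][.CUnn]. Assumption: the CU suffix is a cumulative
# update on top of the base version, so 6.9.7 sorts below 6.9.7.CU01.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.CU(\d+))?$", re.IGNORECASE
)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '6.9.7.CU01' into a comparable (major, minor, patch, cu) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iSTAR firmware version: {text!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch or 0), int(cu or 0))


def is_vulnerable(model: str, version: str) -> bool:
    """True if this model/version pair falls below the advisory's threshold."""
    try:
        threshold = VULNERABLE_BELOW[model]
    except KeyError:
        raise KeyError(f"model not covered by this advisory: {model!r}") from None
    return parse_version(version) < parse_version(threshold)


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    {"name": "lobby-door-ctl", "model": "iSTAR Ultra", "version": "6.9.7"},
    {"name": "dock-ctl", "model": "iSTAR Ultra G2", "version": "6.9.2"},
    {"name": "server-room-ctl", "model": "iSTAR Ultra SE", "version": "6.9.7.CU01"},
    {"name": "edge-1", "model": "iSTAR Edge G2", "version": "6.9.3"},
    {"name": "hq-main", "model": "iSTAR Ultra LT", "version": "6.10.0"},
]


def triage(inventory: list[dict]) -> list[str]:
    """Names of devices still on affected firmware, in inventory order."""
    return [d["name"] for d in inventory
            if is_vulnerable(d["model"], d["version"])]


if __name__ == "__main__":
    for name in triage(INVENTORY):
        print(f"{name}: upgrade required")
```

Note that the iSTAR Ultra on plain 6.9.7 is still reported as affected: the fix for that model is the CU01 update on top of 6.9.7, which is the easiest detail to miss when reading the product table. An unknown model raises rather than silently passing, so a device outside the advisory's scope is never reported as clean by accident.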
Long-term hardening
Hardening: Isolate the building access control network from the corporate IT network using a firewall or network segmentation
Hardening: Review and disable any unused remote access capabilities on iSTAR devices. Because this vulnerability is reachable from any valid account, also audit device accounts: remove unused ones, rotate shared or default passwords, and grant operators the lowest role that their tasks require.

Johnson Controls iSTAR Ultra | CVSS 8.8 - OTPulse