Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool
Priority: Plan Patch
Score: 7.1
ICS-CERT: ICSA-26-022-04
Published: Jan 22, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A buffer overflow vulnerability in the iSTAR Configuration Utility (ICU) tool versions 6.9.7 and earlier allows local code execution leading to operating system failure on machines where the tool is installed. Successful exploitation could crash the host operating system when a user opens a malicious file in the ICU tool, disrupting building automation configuration capabilities.
What this means
What could happen
An attacker could crash or destabilize the operating system of the workstation or server running the iSTAR Configuration Utility, potentially disrupting building automation configuration management and causing temporary loss of system availability.
Who's at risk
Building automation and HVAC system operators and configuration engineers who use the iSTAR Configuration Utility tool to manage Johnson Controls equipment in commercial buildings, campuses, hospitals, and other facilities. It also impacts facilities management staff responsible for temperature, air quality, and equipment settings.
How it could be exploited
An attacker delivers a malicious file or input to a user of the ICU tool, typically via email attachment or compromised website. When the user opens the file in the ICU tool, a buffer overflow or similar memory corruption flaw (CWE-121) executes, crashing the OS on that machine.
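The flaw class named above (CWE-121, stack-based buffer overflow) typically arises when a file parser trusts a length field from the file and copies that many bytes into a fixed-size buffer. The following is an added example, not code from Johnson Controls or the ICU tool, using a hypothetical length-prefixed record format constructed for illustration; it shows the defensive pattern that closes this class of bug: validate every length field against both the remaining input and the destination capacity before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record format (constructed for this example, not the ICU file format):
 *   [1 byte: name length][name bytes][2 bytes little-endian: value length][value bytes]
 */
#define NAME_CAP  32
#define VALUE_CAP 256

typedef struct {
    char name[NAME_CAP];
    char value[VALUE_CAP];
} record_t;

/* Parse one record from buf[0..len). Returns 1 on success, 0 if the record is
 * malformed, truncated, or would overflow a destination buffer.
 * The unsafe variant of this code would do memcpy(out->name, buf + 1, buf[0])
 * with no check, letting a file-controlled length write past the stack buffer
 * (the CWE-121 pattern). Here every copy is bounded by the destination's
 * capacity and every length is checked against the bytes actually present. */
int parse_record(const uint8_t *buf, size_t len, record_t *out) {
    size_t pos = 0;

    if (len < 1) return 0;
    size_t nlen = buf[pos++];
    if (nlen == 0 || nlen >= NAME_CAP) return 0;   /* keep room for the NUL */
    if (len - pos < nlen) return 0;                 /* truncated input */
    memcpy(out->name, buf + pos, nlen);
    out->name[nlen] = '\0';
    pos += nlen;

    if (len - pos < 2) return 0;
    size_t vlen = (size_t)buf[pos] | ((size_t)buf[pos + 1] << 8);
    pos += 2;
    if (vlen >= VALUE_CAP) return 0;                /* length exceeds capacity */
    if (len - pos < vlen) return 0;                 /* truncated input */
    memcpy(out->value, buf + pos, vlen);
    out->value[vlen] = '\0';
    return 1;
}

/* Constructed well-formed record: name "fan", value "on". Returns 1 only if it
 * parses and both fields round-trip correctly. */
int check_valid_record(void) {
    const uint8_t good[] = { 3, 'f', 'a', 'n', 0x02, 0x00, 'o', 'n' };
    record_t r;
    if (!parse_record(good, sizeof good, &r)) return 0;
    return strcmp(r.name, "fan") == 0 && strcmp(r.value, "on") == 0;
}

/* Constructed malformed record: the value length field claims 1024 bytes,
 * far more than VALUE_CAP and more than the file contains. Must be rejected. */
int check_oversized_record(void) {
    const uint8_t bad[] = { 3, 'f', 'a', 'n', 0x00, 0x04, 'o', 'n' };
    record_t r;
    return parse_record(bad, sizeof bad, &r);
}

/* Constructed truncated record: name length says 10 but only 3 bytes follow. */
int check_truncated_record(void) {
    const uint8_t bad[] = { 10, 'f', 'a', 'n' };
    record_t r;
    return parse_record(bad, sizeof bad, &r);
}

int main(void) {
    printf("valid record accepted:      %d\n", check_valid_record());
    printf("oversized record accepted:  %d\n", check_oversized_record());
    printf("truncated record accepted:  %d\n", check_truncated_record());
    return 0;
}
```

The same two checks (length versus remaining input, length versus destination capacity) apply to any file-driven parser; a crash on a crafted file, as described in this advisory, is usually the visible symptom of one of them being missing.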
Prerequisites
- User interaction required: the victim must open a malicious file or specially crafted input in the ICU tool
- ICU tool version 6.9.7 or earlier must be installed
- No network access required; exploitation occurs locally on the machine running ICU
- User interaction required (reduces but does not eliminate risk)
- Buffer overflow or memory corruption vulnerability (CWE-121)
- Could disrupt configuration management workstations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
iSTAR Configuration Utility (ICU) tool | ≤ 6.9.7 | 6.9.8
Remediation & Mitigation
Do now
HARDENING: Restrict access to the ICU tool to trusted engineering workstations only; disable access from internet-facing networks or untrusted users
WORKAROUND: Train configuration engineers and BAS administrators not to open files from untrusted sources in the ICU tool
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update the iSTAR Configuration Utility (ICU) tool to version 6.9.8 or later
CVEs (1)
API:
/api/v1/advisories/73750a17-3854-4146-9452-144e21b9f493