Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool

Plan Patch | CVSS 7.1 | ICS-CERT ICSA-26-022-04 | Jan 22, 2026
Johnson Controls | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

The iSTAR Configuration Utility (ICU) tool contains a buffer overflow vulnerability (CWE-121, stack-based buffer overflow) that allows an attacker to cause a failure within the operating system of the host machine. An attacker could craft malicious input that, when processed by the tool, causes the application or the system to crash or become unstable, disrupting configuration and maintenance operations for Johnson Controls iSTAR building automation systems.

What this means
What could happen
An attacker could cause the ICU tool to crash or fail, disrupting configuration management of critical HVAC and building control systems that rely on this tool for deployment and maintenance.
Who's at risk
Building automation and HVAC system operators, especially those managing Johnson Controls iSTAR equipment. Any technician or engineer using the ICU configuration tool to deploy or manage HVAC controllers, sensors, and damper actuators is affected.
How it could be exploited
An attacker crafts malicious input or a specially formatted file that triggers a buffer overflow in the ICU tool. When an authorized user opens or processes this input within the tool, the vulnerability causes the tool's operating system process to crash or become unstable.
Prerequisites
  • User must open/process attacker-controlled file or input in the ICU tool
  • ICU tool must be installed on a machine connected to the network
  • User interaction required (malicious file must be opened by an operator)
Tags: remotely exploitable; requires user interaction; buffer overflow vulnerability; affects configuration tooling for critical building systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
iSTAR Configuration Utility (ICU) tool | ≤ 6.9.7 | Fixed in 6.9.8
Remediation & Mitigation
Do now
HARDENING: Restrict access to the ICU tool to authorized operators and engineers only; limit machines running the tool to trusted networks.
HARDENING: Train users not to open suspicious files or configuration inputs from untrusted sources in the ICU tool.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update iSTAR Configuration Utility (ICU) tool to version 6.9.8 or later.
API: /api/v1/advisories/73750a17-3854-4146-9452-144e21b9f493


Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool | CVSS 7.1 - OTPulse