---
title: "Critical OS Command Injection Flaws in Johnson Controls iSTAR Controllers"
short_title: "Critical flaws in Johnson Controls iSTAR controllers"
description: "Johnson Controls iSTAR Ultra and Edge controllers face critical OS command injection vulnerabilities (CVE-2025-43873, CVE-2025-43874). Learn how to mitigate risks and secure your systems."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [johnson-controls, os-command-injection, cve-2025-43873, cve-2025-43874, ics-security]
score: 0.87
cve_ids: [CVE-2025-43873, CVE-2025-43874]
---
## TL;DR
Johnson Controls has disclosed two OS command injection vulnerabilities (CVE-2025-43873 and CVE-2025-43874) in its iSTAR Ultra and iSTAR Edge door controllers. Both are rated High (CVSS v4 8.7, CVSS v3.1 8.8): they are reachable over the network with low attack complexity and no user interaction, but the attacker needs a low-privileged account on the device. A successful exploit runs arbitrary OS commands on the controller, which is enough to modify firmware and take full control of the device. Upgrade to the fixed firmware now, keep the controllers off business networks and the internet, and review who holds accounts on them.
---
## Critical Vulnerabilities in Johnson Controls iSTAR Controllers Demand Immediate Action
Johnson Controls, a global supplier of smart-building and physical access control systems, has issued a security advisory addressing two OS command injection vulnerabilities in its iSTAR Ultra and iSTAR Edge door controllers. The flaws, tracked as CVE-2025-43873 and CVE-2025-43874, carry a CVSS v4 base score of 8.7 (High). They are exploitable over the network with low attack complexity and no user interaction, although the attacker must already hold a low-privileged account on the device. A successful exploit lets the attacker execute arbitrary operating-system commands, modify the controller's firmware and take full control of the device that decides who gets through the door.
---
## Key Points
- Flaws Identified: Two OS command injection (CWE-78) vulnerabilities, CVE-2025-43873 and CVE-2025-43874, affect six Johnson Controls iSTAR Ultra and iSTAR Edge controller models.
- Severity: CVSS v4 base score 8.7 and CVSS v3.1 base score 8.8, both in the High band. The vectors describe a network-reachable attack with low complexity and no user interaction that requires a low-privileged account on the controller.
- Affected Systems: iSTAR Ultra, Ultra SE and Ultra LT before firmware 6.9.7.CU01; iSTAR Ultra G2, Ultra G2 SE and Edge G2 before firmware 6.9.3.
- Global Impact: The controllers are deployed across critical infrastructure sectors, including manufacturing, energy, transportation and government facilities, worldwide.
- Mitigation Urged: Johnson Controls recommends upgrading to the fixed firmware; CISA adds its standard ICS defensive measures (segmentation, no direct internet exposure, hardened remote access) to limit exploitation risk.
---
## Technical Details
#### Affected Products
The following Johnson Controls iSTAR and Edge controller versions are vulnerable:
- iSTAR Ultra: Versions prior to 6.9.7.CU01
- iSTAR Ultra SE: Versions prior to 6.9.7.CU01
- iSTAR Ultra LT: Versions prior to 6.9.7.CU01
- iSTAR Ultra G2: Versions prior to 6.9.3
- iSTAR Ultra G2 SE: Versions prior to 6.9.3
- iSTAR Edge G2: Versions prior to 6.9.3
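To turn the version table above into an inventory check, here is an added example script, written for this article and not Johnson Controls tooling, that decides whether a given model and firmware string falls below the fixed release. It assumes that a `.CUnn` suffix denotes a cumulative update that sorts after the bare release it extends (so 6.9.7 counts as earlier than 6.9.7.CU01); the hostnames and versions in the sample inventory are constructed.

```python
"""Inventory check for the iSTAR firmware fixes listed in the advisory.

Added example, not vendor tooling. Version ordering assumption: numeric
parts compare left to right and a '.CUnn' suffix (cumulative update) sorts
after the bare release it extends, so 6.9.7 < 6.9.7.CU01 < 6.9.7.CU02.
"""
import re

# Fixed releases per model, taken from the advisory's "Affected Products" list.
FIXED_VERSIONS = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra LT": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

# Dotted numeric release, optionally followed by ".CU<n>" (case-insensitive).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.CU(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Map '6.9.7.CU01' to a sortable key: ((6, 9, 7, 0), 1).

    Numeric fields are right-padded with zeros to four places so that
    '6.9.7' and '6.9.7.1' compare field by field; the CU number is the
    tie-breaker and is 0 for a bare release.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    fields = tuple(int(part) for part in match.group(1).split("."))
    fields += (0,) * max(0, 4 - len(fields))
    cumulative_update = int(match.group(2)) if match.group(2) else 0
    return fields, cumulative_update


def is_vulnerable(model, version):
    """True when `version` is older than the fixed release for `model`."""
    fixed = FIXED_VERSIONS.get(model.strip())
    if fixed is None:
        raise KeyError(f"model not covered by the advisory: {model!r}")
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Split (hostname, model, version) rows into those needing an upgrade
    and those whose model the advisory does not cover (check separately)."""
    needs_upgrade, unknown_model = [], []
    for hostname, model, version in inventory:
        key = model.strip()
        if key not in FIXED_VERSIONS:
            unknown_model.append((hostname, model, version))
        elif is_vulnerable(key, version):
            needs_upgrade.append((hostname, model, version, FIXED_VERSIONS[key]))
    return needs_upgrade, unknown_model


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    ("ultra-lobby-01", "iSTAR Ultra", "6.9.6"),
    ("ultra-se-dock-02", "iSTAR Ultra SE", "6.9.7.CU01"),
    ("ultra-lt-lab-03", "iSTAR Ultra LT", "6.9.7"),
    ("g2-east-04", "iSTAR Ultra G2", "6.9.3"),
    ("edge-g2-west-05", "iSTAR Edge G2", "6.8.4"),
    ("legacy-panel-06", "unknown-model", "5.2.1"),
]

if __name__ == "__main__":
    upgrade, unknown = triage(SAMPLE_INVENTORY)
    for hostname, model, version, fixed in upgrade:
        print(f"UPGRADE {hostname}: {model} {version} -> {fixed}")
    for hostname, model, version in unknown:
        print(f"CHECK   {hostname}: {model} {version} not in advisory scope")
```

Feed it the model and firmware strings from your access-control management console's device export; anything the regex rejects (a build string in a format the script has not seen) raises rather than silently passing, which is the behaviour you want in a compliance check.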
#### Vulnerability Overview
Both vulnerabilities are classified as OS Command Injection (CWE-78): input supplied by an authenticated user reaches an operating-system command without being neutralised, so the attacker can append or substitute commands of their own, which then run with the privileges of the component that issued the command. Successful exploitation could result in:
- Full device takeover
- Firmware modification
- Unauthorized access to sensitive systems
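The advisory does not say which iSTAR input reaches a shell, so the following is an added, invented illustration of the CWE-78 pattern rather than the controller's code: a hypothetical "ping a host" diagnostic handler, first as the string-built shell command that is injectable, then hardened with an allowlist validator and an argv list executed without a shell. The attacker string is constructed for the example.

```python
"""CWE-78 (OS command injection) in a hypothetical controller diagnostic handler.

Added example for this article, not Johnson Controls code. The 'ping a host'
handler is invented to show the pattern: a string-built shell command beside
a validated argv executed with no shell.
"""
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

SHELL_OPERATORS = {";", "&", "&&", "|", "||"}


def build_command_vulnerable(host):
    """VULNERABLE: the caller's string is pasted into a /bin/sh command line.
    Shown for contrast only; never hand this to a shell with untrusted input."""
    return "ping -c 1 " + host


def shell_tokens(command):
    """Tokenise a command line the way a POSIX shell would, keeping
    operators such as ';' and '|' as separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def injected_operators(command):
    """Return the shell operators an attacker managed to get into `command`."""
    return [tok for tok in shell_tokens(command) if tok in SHELL_OPERATORS]


def validate_host(host):
    """Allowlist: a literal IP address or an RFC 1123 hostname.
    Everything else, including any shell metacharacter, is rejected."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host argument: {host!r}")


def rejects(host):
    """True when the validator refuses `host` (used for checks below)."""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False


def build_argv_safe(host):
    """HARDENED: the validated value is one argv element; no shell is involved."""
    return ["ping", "-c", "1", validate_host(host)]


def run_safe(host, timeout=5):
    """Execute the hardened form. shell=False hands the argv list to execve()
    unchanged, so '; reboot' could only ever be a (rejected) hostname."""
    return subprocess.run(build_argv_safe(host), shell=False,
                          capture_output=True, text=True, timeout=timeout)


# Constructed attacker input: a valid-looking address followed by a second command.
ATTACKER_INPUT = "10.0.0.1; cat /etc/shadow"

if __name__ == "__main__":
    print("shell would see:", shell_tokens(build_command_vulnerable(ATTACKER_INPUT)))
    print("hardened handler rejects attacker input:", rejects(ATTACKER_INPUT))
    print("argv for a legitimate host:", build_argv_safe("10.0.0.1"))
```

The two defences are independent: the allowlist stops the payload before any command is built, and the argv list guarantees that even a validator bug cannot turn one argument into two commands, because nothing ever parses the string as shell syntax.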
CVE-2025-43873 and CVE-2025-43874 share identical CVSS metrics:
- CVSS v3.1 Base Score: 8.8 (`AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`)
- CVSS v4 Base Score: 8.7 (`AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`)
Both scores fall in the High band (7.0 to 8.9) of the CVSS qualitative rating scale. The `PR:L` component in each vector means the attacker must already hold a low-privileged account on the controller; the remaining metrics (network reachable, low complexity, no user interaction, full loss of confidentiality, integrity and availability) are as bad as they get.
#### Background
Johnson Controls iSTAR controllers are widely used in critical infrastructure sectors, including:
- Critical Manufacturing
- Commercial Facilities
- Government Services and Facilities
- Transportation Systems
- Energy
These devices are deployed globally, with Johnson Controls headquartered in Ireland.
---
## Impact Assessment
#### Exploitation Risks
The vulnerabilities are exploitable over the network; no physical access to the controller is needed, but the attacker does need a valid low-privileged account (`PR:L` in both vectors). Given the low attack complexity, default or shared credentials and controllers reachable from business networks or the internet turn these flaws into a short path to full device control. Potential consequences include:
- Unauthorized physical access to secured facilities
- Disruption of critical operations
- Compromise of interconnected building automation systems
#### Targeted Sectors
Organizations in critical infrastructure sectors are at heightened risk, particularly those relying on iSTAR controllers for access control and security management. The global deployment of these devices amplifies the potential impact of these vulnerabilities.
---
## Mitigation Steps
Johnson Controls and CISA have outlined urgent mitigation measures to address these vulnerabilities:
#### Vendor Recommendations
1. Upgrade Firmware Immediately:
- iSTAR Ultra, Ultra SE, Ultra LT: Update to version 6.9.7.CU01 or later.
- iSTAR Ultra G2, Ultra G2 SE, Edge G2: Update to version 6.9.3 or later.
2. Review Security Advisories: Refer to Johnson Controls’ official advisories ([JCI-PSA-2025-11](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories) and [JCI-PSA-2025-13](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories)) for detailed instructions.
3. Minimize Network Exposure: Follow CISA’s guidance to isolate control systems from business networks and restrict internet access.
#### CISA Recommendations
- Network Segmentation: Place control system networks and remote devices behind firewalls, isolate them from business networks, and do not expose the controllers directly to the internet.
- Secure Remote Access: Where remote access is required, use more secure methods such as Virtual Private Networks (VPNs), keep the VPN software patched to the current version, and treat the VPN as only as secure as the devices connected to it.
- Defensive Measures: Implement CISA's recommended practices for industrial control systems (ICS) security, including [defense-in-depth strategies](https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf).
#### Additional Steps
- Monitor for Malicious Activity: Organizations should monitor for suspicious activity and report incidents to CISA.
- Contact Johnson Controls: For further assistance, reach out to [Johnson Controls Global Product Security](mailto:TrustCenter@jci.com).
---
## Conclusion
The discovery of CVE-2025-43873 and CVE-2025-43874 underscores the critical importance of proactive cybersecurity measures in protecting industrial control systems. Organizations using Johnson Controls iSTAR Ultra and Edge controllers must act swiftly to apply firmware updates, segment networks, and implement defensive strategies to mitigate risks. Failure to address these vulnerabilities could result in severe operational disruptions, unauthorized access, and compromised security.
For ongoing updates and best practices, visit [CISA’s ICS webpage](https://www.cisa.gov/topics/industrial-control-systems) and [Johnson Controls’ cybersecurity resources](https://www.johnsoncontrols.com/trust-center/cybersecurity).
---
## References
[^1]: Johnson Controls. "[Security Advisory JCI-PSA-2025-11 and JCI-PSA-2025-13](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories)". Retrieved 2025-01-24.
[^2]: CISA. "[ICS Advisory ICSA-25-345-02](https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-02)". Retrieved 2025-01-24.
[^3]: MITRE. "[CWE-78: OS Command Injection](https://cwe.mitre.org/data/definitions/78.html)". Retrieved 2025-01-24.
[^4]: Dragos. "[Research on Johnson Controls iSTAR Vulnerabilities](https://www.dragos.com)". Retrieved 2025-01-24.