---
title: "Critical Vulnerability in Johnson Controls iSTAR ICU Tool Exposes Systems to Attacks"
short_title: "Johnson Controls iSTAR ICU tool vulnerability exposed"
description: "A high-severity stack-based buffer overflow vulnerability (CVE-2025-26386) in Johnson Controls iSTAR ICU tool could crash systems. Learn how to mitigate risks now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [cve-2025-26386, johnson-controls, buffer-overflow, critical-infrastructure, cybersecurity]
score: 0.78
cve_ids: [CVE-2025-26386]
---
## TL;DR
A high-severity stack-based buffer overflow vulnerability (CVE-2025-26386) in the Johnson Controls iSTAR Configuration Utility (ICU) tool could allow attackers to crash the operating system of affected machines. The flaw affects versions ≤6.9.7, and users are urged to update to version 6.9.8 immediately to mitigate risks. No active exploitation has been reported yet, but critical infrastructure sectors are at potential risk.
---
## Main Content
### Introduction
Cybersecurity researchers have uncovered a critical vulnerability in the Johnson Controls iSTAR Configuration Utility (ICU) tool, software widely deployed across critical infrastructure sectors. The flaw, tracked as CVE-2025-26386, is a stack-based buffer overflow that could let an attacker crash the operating system of machines hosting the ICU tool. With a CVSS score of 7.1 (High), it poses significant risk to organizations that rely on the tool.
### Key Points
- Vulnerability Type: Stack-based buffer overflow (CVE-2025-26386).
- Affected Versions: Johnson Controls iSTAR ICU tool ≤6.9.7.
- CVSS Score: 7.1 (High Severity).
- Impact: Potential crash of the operating system on the host machine.
- Mitigation: Update to version 6.9.8 immediately.
- Sectors at Risk: Commercial facilities, critical manufacturing, energy, government services, and transportation systems.
---
### Technical Details
CVE-2025-26386 is classified as a stack-based buffer overflow: a flaw in which a program writes more data into a fixed-size buffer on the stack than it can hold, corrupting adjacent stack memory. Such corruption can in general lead to arbitrary code execution; the reported impact here is a crash of the host operating system. The vulnerability is exploitable under specific conditions, though no active exploitation has been reported to date.
#### CVSS Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|--------------|------------|---------------|---------------------------------------------------------------------------------------------------|
| 3.1 | 7.1 | High | [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H) |
Reading the vector string: the flaw is reachable over the network (AV:N), needs low attack complexity (AC:L) and no privileges (PR:N), but does require user interaction (UI:R), and its effects stay within the vulnerable component (S:U). Confidentiality is not affected (C:N); integrity impact is low (I:L) and availability impact is high (A:H), which is what drives the 7.1 score.
---
### Impact Assessment
The Johnson Controls iSTAR ICU tool is deployed across critical infrastructure sectors worldwide, including:
- Commercial facilities
- Critical manufacturing
- Energy
- Government services and facilities
- Transportation systems
Successful exploitation of this vulnerability could disrupt operations in these sectors, leading to downtime, financial losses, and potential safety risks. Organizations using the affected versions of the ICU tool are urged to prioritize patching to avoid potential attacks.
---
### Mitigation Steps
Johnson Controls has released version 6.9.8 of the iSTAR ICU tool to address this vulnerability. Organizations are advised to:
1. Update Immediately: Upgrade to iSTAR ICU tool version 6.9.8 to eliminate the risk.
2. Minimize Network Exposure: Ensure control system devices and systems are not accessible from the internet.
3. Isolate Networks: Locate control system networks and remote devices behind firewalls and separate them from business networks.
4. Use Secure Remote Access: When remote access is required, employ Virtual Private Networks (VPNs) and ensure they are updated to the latest version.
5. Follow CISA Guidelines: Refer to CISA’s [recommended practices for control systems security](https://www.cisa.gov/ics) and implement defense-in-depth strategies.
For detailed mitigation instructions, visit the [Johnson Controls Product Security Advisory JCI-PSA-2025-08 v1](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories).
---
### Affected Systems
- Vendor: Johnson Controls Inc.
- Product: iSTAR Configuration Utility (ICU) tool
- Affected Versions: ≤6.9.7
- Product Status: Known affected
---
### Conclusion
The discovery of CVE-2025-26386 highlights the ongoing risks posed by software vulnerabilities in critical infrastructure. While no active exploitation has been reported, the potential for system crashes and operational disruptions makes this a high-priority issue for affected organizations. Immediate action, including updating to version 6.9.8 and implementing network security best practices, is essential to mitigate risks.
Organizations are encouraged to stay vigilant, monitor for updates, and adopt proactive cybersecurity measures to safeguard their systems against emerging threats.