---
title: "Johnson Controls iSTAR Flaw: Critical Certificate Expiration Vulnerability"
short_title: "Critical flaw in Johnson Controls iSTAR systems"
description: "Johnson Controls iSTAR systems face a critical certificate expiration vulnerability (CVE-2025-61736). Learn mitigation steps and protect your infrastructure now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [johnson-controls, cve-2025-61736, tls, cybersecurity, vulnerability]
score: 0.75
cve_ids: [CVE-2025-61736]
---
### TL;DR
Johnson Controls has disclosed a critical vulnerability (CVE-2025-61736) in its iSTAR access control systems, where improper validation of certificate expiration could disrupt communication. The flaw affects multiple iSTAR models and requires immediate mitigation to prevent operational downtime. Upgrading to TLS 1.2 or 1.3 and replacing default certificates are recommended fixes.
---
### Introduction
Johnson Controls, a global leader in smart building solutions, has issued an urgent security advisory for its iSTAR access control systems. A newly discovered vulnerability, CVE-2025-61736, could disrupt communication between iSTAR panels and the C•CURE Server due to improper validation of certificate expiration. With a CVSS v4 score of 7.1, this flaw poses a significant risk to organizations relying on these systems for secure access control. Below, we break down the technical details, impact, and mitigation steps to help you safeguard your infrastructure.
---
### Key Points
- Vulnerability: Improper validation of certificate expiration (CWE-298) in Johnson Controls iSTAR systems.
- Affected Products: iSTAR eX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra, and iSTAR Ultra SE (all versions prior to TLS 1.2).
- CVSS Score: 7.1 (CVSS v4), indicating a high-severity issue with low attack complexity.
- Impact: Failure to re-establish communication after certificate expiration, leading to potential operational disruptions.
- Mitigation: Upgrade to TLS 1.2 or 1.3, replace default certificates, or upgrade legacy hardware.
---
### Technical Details
#### Affected Systems
The vulnerability impacts the following Johnson Controls iSTAR models:
- iSTAR eX: All versions prior to TLS 1.2
- iSTAR Edge: All versions prior to TLS 1.2
- iSTAR Ultra LT: All versions prior to TLS 1.2 (if configured for TLS 1.2)
- iSTAR Ultra: All versions prior to TLS 1.2 (if configured for TLS 1.2)
- iSTAR Ultra SE: All versions prior to TLS 1.2 (if configured for TLS 1.2)
#### Vulnerability Overview
The flaw, tracked as CVE-2025-61736, stems from improper validation of certificate expiration. Under specific conditions, iSTAR systems using the default certificate may fail to re-establish communication with the C•CURE Server once the certificate expires. This could lead to prolonged downtime and disrupt access control operations in critical environments.
- CVSS v3.1 Score: 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- CVSS v4 Score: 7.1 (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)
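As an added example (not code from Johnson Controls, the advisory, or the iSTAR firmware), the Python audit below applies the validation that CWE-298 describes as missing: a certificate is trusted only while the current time lies inside its notBefore..notAfter window, and certificates that have expired or are about to expire are flagged so panels can be re-issued certificates before communication breaks. Certificate dicts use the shape `ssl.SSLSocket.getpeercert()` returns; the panel names, dates and the heuristic that a factory default certificate is self-signed are constructed assumptions for illustration.

```python
"""Certificate validity audit in the style of a CWE-298 check (added example).

Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert().
All panel names and dates below are constructed sample data, not real
iSTAR values.
"""
import ssl
from datetime import datetime, timezone


def parse_ssl_time(value: str) -> datetime:
    """Convert a getpeercert() timestamp such as 'Jan 24 12:00:00 2025 GMT' to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def validity_status(cert: dict, now: datetime) -> str:
    """Full window check: both bounds are enforced, never just notBefore."""
    not_before = parse_ssl_time(cert["notBefore"])
    not_after = parse_ssl_time(cert["notAfter"])
    if now < not_before:
        return "NOT_YET_VALID"
    if now > not_after:
        return "EXPIRED"
    return "VALID"


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days left; negative once the certificate has expired."""
    return (parse_ssl_time(cert["notAfter"]) - now).days


def is_self_signed(cert: dict) -> bool:
    """Heuristic (assumption): a factory default certificate is self-signed,
    so subject == issuer. Confirm against your own panels before relying on it."""
    return cert.get("subject") == cert.get("issuer")


def audit_inventory(inventory: dict, now: datetime, warn_days: int = 30) -> dict:
    """Return {panel: (status, days_left, self_signed)}; a VALID certificate
    inside the warning window is reported as EXPIRING."""
    report = {}
    for panel, cert in inventory.items():
        status = validity_status(cert, now)
        days = days_until_expiry(cert, now)
        if status == "VALID" and days < warn_days:
            status = "EXPIRING"
        report[panel] = (status, days, is_self_signed(cert))
    return report


def _name(cn: str) -> tuple:
    """Build a getpeercert()-style distinguished name with a single commonName."""
    return ((("commonName", cn),),)


# Constructed sample inventory (not real iSTAR certificates).
SAMPLE_NOW = datetime(2025, 1, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "panel-ultra-01": {  # host-based cert from a site CA, long validity
        "subject": _name("panel-ultra-01.example.invalid"),
        "issuer": _name("Example Site CA"),
        "notBefore": "Jan 24 00:00:00 2015 GMT",
        "notAfter": "Jan 24 00:00:00 2035 GMT",
    },
    "panel-edge-02": {  # self-signed default, expires in 16 days
        "subject": _name("default-panel"),
        "issuer": _name("default-panel"),
        "notBefore": "Feb 10 00:00:00 2015 GMT",
        "notAfter": "Feb 10 00:00:00 2025 GMT",
    },
    "panel-ex-03": {  # self-signed default, already expired
        "subject": _name("default-panel"),
        "issuer": _name("default-panel"),
        "notBefore": "Jan 20 00:00:00 2015 GMT",
        "notAfter": "Jan 20 00:00:00 2025 GMT",
    },
    "panel-ultra-04": {  # freshly issued cert whose start date is still ahead
        "subject": _name("panel-ultra-04.example.invalid"),
        "issuer": _name("Example Site CA"),
        "notBefore": "Mar 01 00:00:00 2025 GMT",
        "notAfter": "Mar 01 00:00:00 2035 GMT",
    },
}

if __name__ == "__main__":
    for panel, (status, days, default) in audit_inventory(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        flag = " (self-signed: replace with a host-based certificate)" if default else ""
        print(f"{panel}: {status}, {days} days{flag}")
```

Run against a real inventory, the EXPIRING and self-signed rows are the panels to schedule for the certificate replacement described under Mitigation Steps, and the EXPIRED row is the condition the advisory warns will not recover on its own.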
#### Background
Johnson Controls iSTAR systems are widely deployed across critical infrastructure sectors, including:
- Commercial Facilities
- Critical Manufacturing
- Energy
- Government Facilities
- Transportation Systems
These systems are used globally, with Johnson Controls headquartered in Ireland.
---
### Impact Assessment
The vulnerability could have severe consequences for organizations relying on iSTAR systems for access control:
- Operational Disruption: Failure to re-establish communication after certificate expiration may lead to unauthorized access or denial of service for legitimate users.
- Compliance Risks: Organizations in regulated sectors (e.g., energy, government) may face compliance violations if security measures are not promptly addressed.
- Financial Costs: Downtime and emergency mitigation efforts could result in significant financial losses, particularly for large-scale deployments.
---
### Mitigation Steps
Johnson Controls has outlined three primary mitigation strategies to address this vulnerability:
#### 1. Host-Based Certificates Using TLS 1.2
- Quickest Solution: No firmware or software upgrades required.
- Process: Replace default certificates with host-based certificates across all iSTAR panels simultaneously.
- Downtime: Brief system downtime during certificate deployment.
#### 2. Upgrade to TLS 1.3
- Requirements: Firmware 6.9.0 or higher and C•CURE 9000 v2.90 SP3 or higher.
- Benefits: Enables phased implementation by cluster, minimizing disruption.
- Limitations: TLS 1.3 is not supported on iSTAR eX, iSTAR Edge, or iSTAR Ultra LT panels.
#### 3. Upgrade Legacy Panels to G2 Hardware
- Recommended For: Smaller systems due to time constraints.
- Applicability: Primarily targets iSTAR eX, iSTAR Edge, and iSTAR LT panels.
#### Additional Recommendations
- Audit Systems: Work with Software House integrators to assess your infrastructure and determine the best mitigation strategy.
- Leverage Resources: Johnson Controls provides documentation, instructional videos, and webinars on its [Support Portal](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories).
- Network Security: Follow CISA’s guidelines to minimize network exposure for control systems:
  - Isolate control system networks behind firewalls.
  - Use VPNs for remote access (ensure they are updated to the latest version).
  - Avoid exposing control systems to the internet.
---
### Conclusion
The CVE-2025-61736 vulnerability in Johnson Controls iSTAR systems highlights the critical importance of proactive certificate management and timely software updates. Organizations must act swiftly to implement the recommended mitigations—whether through host-based certificates, TLS 1.3 upgrades, or hardware replacements—to prevent operational disruptions and maintain security.
For detailed instructions, refer to the [Johnson Controls Product Security Advisory JCI-PSA-2025-12](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories). Stay vigilant, audit your systems regularly, and prioritize cybersecurity best practices to safeguard your infrastructure.
---
### References
[^1]: Johnson Controls. "[Security Advisory JCI-PSA-2025-12](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories)". Retrieved 2025-01-24.
[^2]: CISA. "[ICS Advisory ICSA-25-338-04](https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-04)". Retrieved 2025-01-24.
[^3]: MITRE. "[CWE-298: Improper Validation of Certificate Expiration](https://cwe.mitre.org/data/definitions/298.html)". Retrieved 2025-01-24.