Johnson Controls iSTAR Vulnerabilities Expose Critical Infrastructure to Attacks

Johnson Controls has disclosed two high-severity vulnerabilities (CVE-2025-43875 and CVE-2025-43876) in its iSTAR access control systems, affecting critical infrastructure worldwide. These flaws, rated **CVSS 8.7**, could allow remote attackers to execute unauthorized commands and gain access to affected devices. Immediate patching is recommended to mitigate risks.

---
title: "Johnson Controls iSTAR Vulnerabilities Expose Critical Infrastructure to Attacks"
short_title: "Critical flaws in Johnson Controls iSTAR systems"
description: "Two high-severity vulnerabilities in Johnson Controls iSTAR access control systems could allow remote attackers to gain unauthorized access. Patch now to secure critical infrastructure."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [johnson-controls, cve-2025-43875, cve-2025-43876, critical-infrastructure, os-command-injection]
score: 0.87
cve_ids: [CVE-2025-43875, CVE-2025-43876]
---

## Main Content

### High-Severity Vulnerabilities in Johnson Controls iSTAR Systems Demand Immediate Action

Johnson Controls, a global supplier of building automation and physical security systems, has issued a security advisory for two high-severity vulnerabilities in its iSTAR access control controllers. The flaws, tracked as CVE-2025-43875 and CVE-2025-43876, are OS command injection bugs (CWE-78): input reaching the device is not properly neutralized before it is used in an operating system command, so an attacker who can supply that input can run commands of their choosing on the controller. Both carry a CVSS v4 score of 8.7, and because iSTAR controllers govern door and badge access in sectors such as energy, government facilities and critical manufacturing, a compromised controller is both a physical-security failure and a network foothold.

### Key Points

- High-Severity Flaws: Both vulnerabilities (CVE-2025-43875 and CVE-2025-43876) score 8.7 on CVSS v4, which falls in the High band (7.0 to 8.9), one step below Critical.
- Remote, Authenticated Exploitation: The vectors are network-reachable with low attack complexity and no user interaction, but they require low privileges (PR:L), so an attacker needs a valid low-level account or session on the device; weak or shared credentials widen the exposure accordingly.
- Affected Systems: Vulnerabilities impact iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 devices running outdated firmware.
- Global Impact: Deployed across commercial facilities, energy sectors, and government infrastructure, these systems are critical to operations worldwide.
- Mitigation Available: Johnson Controls has released patches to address these vulnerabilities. Users must upgrade affected devices immediately.

---

## Technical Details

#### Affected Products
The following Johnson Controls iSTAR systems are vulnerable:
- iSTAR Ultra: Versions prior to 6.9.7.CU01
- iSTAR Ultra SE: Versions prior to 6.9.7.CU01
- iSTAR Ultra G2: Versions prior to 6.9.3
- iSTAR Ultra G2 SE: Versions prior to 6.9.3
- iSTAR Edge G2: Versions prior to 6.9.3

#### Vulnerability Overview
Both vulnerabilities stem from Improper Neutralization of Special Elements used in an OS Command (CWE-78)[^3]. Input that reaches the controller is incorporated into an operating system command without being neutralized, so shell metacharacters or extra arguments in that input are executed by the device. The published vectors require low privileges (PR:L): the attacker must already hold a low-level account or session on the device, after which a successful injection yields command execution on the controller and full loss of confidentiality, integrity and availability (C:H/I:H/A:H, scope unchanged).

- CVE-2025-43875:
  - CVSS v3.1 Score: 8.8 (`AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`)
  - CVSS v4 Score: 8.7 (`CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`)

- CVE-2025-43876:
  - CVSS v3.1 Score: 8.8 (`AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`)
  - CVSS v4 Score: 8.7 (`CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`)
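To make the CWE-78 pattern behind both CVEs concrete, the following is an added example written for this page; it is not iSTAR firmware or Johnson Controls code, and the advisories do not disclose which input or command is affected. The "network diagnostic" handler, its `host` parameter, the `ping` command and the one-line session check are all assumptions. The vulnerable path pastes the attacker-controlled value into a `/bin/sh` command line; the hardened path allowlists the value and passes it as a single argv element with no shell, and also rejects a leading `-` so the value cannot be parsed as a program option (an argv list alone does not stop that).

```python
"""Constructed illustration of CWE-78 in a device-management style handler.

Added example, not Johnson Controls code: the iSTAR advisories do not say
which input or command is affected, so the diagnostic handler, the `host`
parameter and the ping command below are assumptions.
"""
import re
import subprocess

# Stand-in for the PR:L precondition in the published CVSS vectors: the
# caller already holds a low-privilege login on the device.
AUTHENTICATED_USERS = {"operator"}


def build_shell_command(host: str) -> str:
    """VULNERABLE: the untrusted value is concatenated into a shell command.

    Shell metacharacters in `host` (';', '|', '&&', '$()', backticks) are
    interpreted by /bin/sh, so the caller decides what actually runs.
    """
    return f"ping -c 1 {host}"


def run_diagnostic_vulnerable(user: str, host: str) -> str:
    if user not in AUTHENTICATED_USERS:
        raise PermissionError("login required")
    # shell=True hands the concatenated string to `/bin/sh -c`.
    result = subprocess.run(build_shell_command(host), shell=True,
                            capture_output=True, text=True, timeout=10)
    return result.stdout


# Hardened path --------------------------------------------------------------

# Allowlist: IPv4 dotted quad or DNS hostname labels. A label may not start
# with '-', so the value can never be read as a ping option (argument
# injection, which passing an argv list does not by itself prevent).
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?:\.(?!-)[A-Za-z0-9-]{1,63})*$"
)


def validate_host(host: str) -> str:
    """Return `host` unchanged if it matches the allowlist, else raise."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def build_argv(host: str) -> list[str]:
    """Hardened: validated value passed as one argv element, no shell."""
    return ["ping", "-c", "1", validate_host(host)]


def run_diagnostic_hardened(user: str, host: str) -> str:
    if user not in AUTHENTICATED_USERS:
        raise PermissionError("login required")
    # shell=False: argv goes straight to execve(); metacharacters are inert.
    result = subprocess.run(build_argv(host), shell=False,
                            capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"   # constructed attacker input
    print("vulnerable command line:", build_shell_command(payload))
    print("hardened argv:", build_argv("127.0.0.1"))
    try:
        build_argv(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The session check is only there to mirror the vectors: the attacker in these CVEs is already logged in with a low-privilege account, which is why account hygiene and network isolation matter alongside the firmware update.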

---

## Impact Assessment

#### Who Is at Risk?
Organizations in the following sectors are particularly vulnerable:
- Commercial Facilities
- Critical Manufacturing
- Energy
- Government Facilities
- Transportation Systems

These vulnerabilities could disrupt operations, compromise sensitive data, or provide attackers with a foothold for further exploitation within a network. Given the global deployment of Johnson Controls systems, the potential for widespread impact is significant.

#### Exploitation Scenarios
Attackers could leverage these vulnerabilities to:
- Gain unauthorized access to physical security systems.
- Execute arbitrary commands on affected devices.
- Move laterally within a network, escalating privileges and compromising additional systems.
- Disrupt critical operations in energy, government, or manufacturing sectors.

---

## Mitigation Steps

Johnson Controls has released patches to address these vulnerabilities. Users are urged to take the following actions immediately:

#### Patch Management
- Upgrade iSTAR Ultra and iSTAR Ultra SE to version 6.9.7.CU01 or later.
- Upgrade iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 to version 6.9.3 or later.
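Checking an inventory against the fixed versions listed above (and in the Affected Products section) is the first step an operator takes, so here is an added example, not from the advisories, that flags records still below them. The model names and fixed version strings follow the advisory text; the inventory rows, device names and the `6.9.7.CU02` value are constructed sample data, and the ordering rule for the `CU01` cumulative-update tag (a missing tag sorts as CU00, a later point release sorts above any CU) is an assumption about how Johnson Controls numbers firmware.

```python
"""Added example: flag iSTAR controllers below the fixed firmware versions.

Not part of the advisories. Fixed versions are copied from the advisory
text; the inventory below is constructed sample data.
"""
import re

# Minimum fixed firmware per model, as published.
FIXED_VERSIONS = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

_CU_RE = re.compile(r"^CU(\d+)$", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '6.9.7.CU01' into a comparable tuple.

    Numeric fields compare as integers. A trailing cumulative-update tag
    (CU01, CU02, ...) becomes a fourth field and its absence counts as CU00
    (assumption), so 6.9.7 sorts below 6.9.7.CU01 while 6.9.8 sorts above it.
    """
    parts = version.strip().split(".")
    numeric = []
    cu = 0
    for i, part in enumerate(parts):
        m = _CU_RE.match(part)
        if m:
            if i != len(parts) - 1:
                raise ValueError(f"CU tag must be last: {version!r}")
            cu = int(m.group(1))
        elif part.isdigit():
            numeric.append(int(part))
        else:
            raise ValueError(f"unparseable version: {version!r}")
    if not numeric:
        raise ValueError(f"no numeric fields in version: {version!r}")
    while len(numeric) < 3:          # pad so 6.9 and 6.9.0 compare equal
        numeric.append(0)
    return tuple(numeric) + (cu,)


def is_vulnerable(model: str, version: str) -> bool:
    """True if `version` is strictly below the fixed release for `model`."""
    if model not in FIXED_VERSIONS:
        raise KeyError(f"model not covered by the advisories: {model!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[model])


def triage(inventory):
    """Map (name, model, version) rows to (name, model, version, status)."""
    rows = []
    for name, model, version in inventory:
        if model not in FIXED_VERSIONS:
            status = "not-in-scope"
        else:
            status = "UPGRADE" if is_vulnerable(model, version) else "ok"
        rows.append((name, model, version, status))
    return rows


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("acs-hq-01", "iSTAR Ultra", "6.9.7"),          # below CU01 -> UPGRADE
    ("acs-hq-02", "iSTAR Ultra SE", "6.9.7.CU01"),  # exactly fixed -> ok
    ("acs-plant-01", "iSTAR Ultra G2", "6.8.9"),    # older branch -> UPGRADE
    ("acs-plant-02", "iSTAR Edge G2", "6.9.3"),     # exactly fixed -> ok
    ("acs-dc-01", "iSTAR Ultra", "6.9.7.CU02"),     # hypothetical later CU -> ok
    ("acs-legacy", "iSTAR Pro", "5.1"),             # not listed -> not-in-scope
]

if __name__ == "__main__":
    for name, model, version, status in triage(SAMPLE_INVENTORY):
        print(f"{name:14} {model:18} {version:12} {status}")
```

Rows marked `not-in-scope` are models the advisories do not list, which is not the same as known-safe; check them against the vendor's current advisories rather than dropping them.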

#### Additional Defensive Measures
- Minimize Network Exposure: Ensure control system devices are not accessible from the internet.
- Isolate Critical Systems: Locate control system networks behind firewalls and separate them from business networks.
- Use Secure Remote Access: When remote access is required, employ VPNs, keep the VPN software current, and restrict which accounts and source networks may reach the controllers; a VPN is only as secure as the devices connected to it and does not reduce the risk from an already-authenticated user.
- Monitor for Malicious Activity: Implement intrusion detection systems (IDS) and regularly audit logs for suspicious activity.

For detailed guidance, refer to the [Johnson Controls Product Security Advisories (JCI-PSA-2025-14 and JCI-PSA-2025-15)](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories)[^1].

---

## Best Practices for Industrial Control Systems (ICS) Security

CISA recommends the following practices to harden ICS environments[^2]:
1. Defense-in-Depth Strategies: Implement layered security measures to protect critical systems. Refer to CISA’s [Defense-in-Depth Guide](https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf).
2. Regular Risk Assessments: Conduct thorough risk assessments before deploying defensive measures.
3. Employee Training: Educate staff on social engineering attacks and phishing scams. Refer to CISA’s [Avoiding Social Engineering and Phishing Attacks](https://www.cisa.gov/uscert/ncas/tips/ST04-014).
4. Incident Reporting: Report suspected malicious activity to CISA for tracking and correlation.

---

## Conclusion

The discovery of CVE-2025-43875 and CVE-2025-43876 in Johnson Controls iSTAR systems underscores the critical importance of proactive cybersecurity measures in protecting critical infrastructure. Organizations must act swiftly to apply patches, isolate vulnerable systems, and implement robust defensive strategies to mitigate risks.

As cyber threats continue to evolve, staying vigilant and adhering to best practices for ICS security is essential to safeguarding operations and preventing potentially catastrophic breaches.

---

## References

[^1]: Johnson Controls. "[Security Advisories JCI-PSA-2025-14 and JCI-PSA-2025-15](https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories)". Retrieved 2025-01-24.
[^2]: CISA. "[ICS Advisory (ICSA-25-345-01) Johnson Controls iSTAR](https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-01)". Retrieved 2025-01-24.
[^3]: MITRE. "[CWE-78: Improper Neutralization of Special Elements used in an OS Command](https://cwe.mitre.org/data/definitions/78.html)". Retrieved 2025-01-24.
