Johnson Controls’ iSTAR family of door controllers has been the subject of another high‑severity advisory cycle: the CSAF packet you provided describes remote‑exploitable command‑injection weaknesses and related firmware‑verification and credential‑handling flaws that could allow attackers to gain privileged access to panels and modify firmware. The supplied CSAF lists affected models and fixed version thresholds and explicitly assigns CVE identifiers and CVSS scores; those original CSAF details are reproduced within the advisory package you shared.
Background / Overview
Johnson Controls’ iSTAR controllers (branded under Software House / Sensormatic in some publications) are widely deployed door controllers used in enterprise access control and building‑automation environments. The iSTAR family includes multiple variants — iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 — and they frequently operate at the network edge maintaining TLS session connections to C•CURE servers and other management hosts. Vulnerabilities in these devices pose both operational and safety risks because a compromised controller can alter door behavior, tamper with logs, and undermine centralized monitoring. The CSAF you provided sets these risks out plainly and includes vendor‑recommended remediation steps.
To verify the vendor and US government position, this reporting cross‑checked the CSAF against Johnson Controls’ public Product Security Advisory pages and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ICS advisories. Johnson Controls maintains a running index of product security advisories and has published multiple iSTAR‑specific advisories in 2025; the company’s advisory portal lists the iSTAR advisories that correspond to the technical issues in the supplied CSAF. CISA, which republishes and amplifies high‑impact ICS findings, has active advisories for iSTAR Ultra and related iSTAR configuration tooling that align with the broad themes in the CSAF (command injection, firmware verification problems, and insecure credential handling).
What the supplied CSAF says (concise technical summary)
- Affected equipment: iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2. The CSAF lists specific affected firmware version cutoffs: iSTAR Ultra / Ultra SE — versions prior to 6.9.7.CU01; iSTAR Ultra G2 / Ultra G2 SE / Edge G2 — versions prior to 6.9.3.
- Vulnerability class: Improper Neutralization of Special Elements used in an OS Command (command injection / CWE‑77). The CSAF assigns CVE‑2025‑43875 and CVE‑2025‑43876 to two related findings and provides both CVSS v3.1 (8.8) and CVSS v4 (8.7) severity calculations describing network‑accessible, low‑complexity attacks that require limited privileges.
- Practical risk: Successful exploitation could allow unauthorized access to the device (root or firmware‑level access is explicitly called out), enable firmware modification, and expose protected device spaces. The advisory emphasizes the operational consequences for facilities that rely on remote connectivity to central monitoring and forensics.
- Vendor mitigation guidance (as given in the CSAF): upgrade iSTAR Ultra / Ultra SE to 6.9.7.CU01 or later and upgrade iSTAR Ultra G2 / Ultra G2 SE / Edge G2 to 6.9.3 or later. The CSAF points to Johnson Controls Product Security Advisories (JCI‑PSA‑2025‑14 and JCI‑PSA‑2025‑15) for detailed steps and recommends broader building automation hardening.
- CISA defensive recommendations mirrored in the CSAF: minimize network exposure, place control‑system networks behind firewalls and segmentation, avoid direct Internet access to controllers, use secure remote access methods (VPNs/hardened jump hosts), and perform risk assessments before changes. The CSAF notes that, at the time of its publication, no known public exploitation of these specific CVEs had been reported to CISA.
Independent verification and cross‑checks
- Johnson Controls (vendor) — Public advisory index and published PSAs
- Johnson Controls’ Product Security Advisory portal lists multiple iSTAR‑related advisories in 2025 and remains the authoritative first stop for vendor fixes and release notes. The vendor site confirms the company published iSTAR security advisories and lists affected product families and mitigation advice consistent with the CSAF’s high‑level messaging.
- CISA ICS advisories — independent government validation
- CISA has published multiple ICS advisories covering iSTAR controllers and the iSTAR Configuration Utility (ICU). CISA’s iSTAR Ultra / G2 advisory (ICS‑style page) documents OS command‑injection and firmware authenticity weaknesses in iSTAR Ultra family controllers; it also references fixed releases (firmware 6.9.3 and later for certain findings) and repeats the standard CISA mitigations on segmentation and minimizing exposure. This corroborates the CSAF’s core technical concerns about remote exploitability and operational impact.
- Third‑party reporting (industry press and vulnerability aggregates)
- Multiple industry news summaries and security outlets have reposted or summarized the vendor and CISA advisories (for example, ISSSource and independent vulnerability trackers). Those independent summaries align with the technical class and the high severity of the reported command‑injection and firmware‑verification weaknesses. This cross‑validation supports the CSAF’s risk framing, even when individual CVE identifiers or exact version strings differ between documents.
Important reconciliation note: the CSAF you supplied lists CVE‑2025‑43875 and CVE‑2025‑43876 and recommends upgrading iSTAR Ultra to 6.9.7.CU01, whereas CISA’s published iSTAR Ultra advisory and some vendor PSAs reference 6.9.3 (for certain fixes) and a different set of CVE identifiers in the 2025‑5369x range for other findings. These are not contradictory in principle (advisories can be published and updated in overlapping timelines with updated version thresholds and new CVE assignments), but they do create a risk of confusion during remediation: follow the vendor’s specific advisory for your product serial/model and firmware string, and confirm the canonical CVE(s) before closing a compliance ticket. The vendor PSAs are the authoritative source for which firmware artifact to deploy.
What’s verified — and what needs caution
- Verified:
- The iSTAR family has multiple, high‑severity vulnerabilities affecting availability, integrity, and device control that are actionable at the firmware and web‑management level. Both vendor advisories and CISA state that successful exploitation can produce root‑level impact in some cases.
- CISA and Johnson Controls both recommend network isolation/segmentation, firewalling, restricting remote access, disabling unused services (including embedded web servers where possible), and promptly applying vendor firmware updates. These mitigations are consistent across advisories and are practical first steps for defenders.
- Requires caution / unverifiable in public sources:
- The specific CVE identifiers you provided (CVE‑2025‑43875 and CVE‑2025‑43876) do not appear in the public NVD/MITRE records that were checked during verification for this article (as of this writing). Some CSAF packets contain vendor‑assigned identifiers that are later synchronized with the official CVE database; until that synchronization appears in NVD or MITRE’s records, treat those CVE numbers as vendor‑published and confirm the canonical CVE entries before using them for compliance evidence. If your inventory or ticketing processes demand a validated CVE or NVD entry, pause remediation closure until the canonical CVE record is present.
- Version thresholds can vary between advisories and between initial notice and later updates. For example, the CSAF you supplied lists Ultra upgrades to 6.9.7.CU01, while CISA and earlier vendor PSAs mention fixes in 6.9.3 for other findings. Do not assume a newer numeric version always maps to the same fix set across models — confirm the exact firmware image and its SHA (or vendor release note) before performing mass rollouts.
Practical, prioritized remediation checklist (for Windows/IT, integrators, and facility operators)
The following steps are ordered by immediate impact and operational practicality. Apply them in coordination with building operations and integrators — firmware upgrades can require physical access or maintenance windows.
- Inventory and discovery (0–48 hours)
- Identify every iSTAR controller model and firmware version in your estate (i.e., iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, Edge G2).
- Record model, serial, IP addresses, management VLAN, and whether the embedded web server or remote management interfaces are enabled.
- If you maintain a CMDB, map these devices to their physical door, power source, and supporting C•CURE backend.
- Immediate containment (0–48 hours)
- Block external access: ensure controllers are not directly reachable from the Internet. Apply perimeter firewall rules and deny‑by‑default ACLs to management ports (HTTP/S, SSH, vendor‑specific ports).
- Isolate controllers from general business networks: place them on a dedicated management VLAN accessible only from hardened jump hosts.
- Vendor validation & patch scheduling (48–96 hours)
- Retrieve the exact Johnson Controls Product Security Advisory that applies to your model (use the advisory ID listed in the CSAF or vendor portal). Confirm the fixed firmware version string and the official firmware download location.
- Test the recommended firmware on a single non‑production unit, validate restoration procedures and rollback images, and confirm the fix addresses the documented weaknesses.
- Secure remote access & operational hardening (short term)
- If remote access is required, route it through a hardened, logged jump host or bastion with MFA and session recording rather than exposing device admin ports directly.
- Disable unused services — particularly the device web server — if the device functions acceptably without it. Johnson Controls’ hardening guidance explicitly recommends disabling web servers post‑installation where feasible.
- Credential & key hygiene
- Replace any factory or default passwords with unique, strong credentials and enforce management role least privilege.
- If controllers use TLS certificates, ensure there is an inventory of certificate expiry dates and an automated renewal plan. Past iSTAR advisories have included certificate‑management pitfalls that produced availability issues when certificates expired. (This is a recurring theme across vendor/CISA advisories.)
- Detection & monitoring enhancements
- Add SIEM alerts for unexpected firmware‑upgrade events, sudden connectivity changes (controllers going offline), and suspicious POST/PUT requests to web UI endpoints.
- Tune IDS/IPS for path‑traversal, command‑injection patterning, and suspicious file upload behavior to the management interfaces.
- Change control & communication
- Coordinate maintenance windows with building operations and integrators; ensure a tested rollback plan and that physical door fallback policies (e.g., local caching behavior) are understood should panels reboot or lose host connectivity.
- Report and escalate
- If you detect suspicious or confirmed exploitation of a controller, preserve logs and device images, isolate affected units, and follow internal incident response procedures — escalate to the vendor’s Product Security team and to CISA if the incident affects critical infrastructure operations.
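The inventory, patch‑scheduling, web‑server and certificate steps above reduce to one triage pass over the device list. The following is an added example, not code from Johnson Controls or CISA: it applies the fixed‑version thresholds quoted in the CSAF (6.9.7.CU01 for iSTAR Ultra / Ultra SE, 6.9.3 for the G2 and Edge G2 models) to a constructed CSV inventory and flags devices that still run affected firmware, have the embedded web server enabled, or carry a TLS certificate that is expired or within 30 days of expiry. The CSV columns, the sample rows, the reference date, the 30‑day warning window and the rule for ordering `6.9.7` before `6.9.7.CU01` are assumptions for illustration, not vendor specifics.

```python
"""Constructed example: triage an iSTAR controller inventory against the fixed-version
thresholds quoted in the CSAF. Model names and thresholds come from the advisory text;
the CSV layout, sample rows, reference date and the version-string parsing rule are assumptions."""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Fixed versions as quoted in the CSAF: firmware *prior to* these is affected.
FIXED_VERSIONS = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

# Constructed inventory rows (not real devices); cert_not_after is the TLS certificate expiry.
SAMPLE_INVENTORY = """\
model,serial,ip,mgmt_vlan,firmware,web_server,cert_not_after
iSTAR Ultra,ULT-0001,10.20.30.11,310,6.9.7,enabled,2026-03-01
iSTAR Ultra SE,ULT-0002,10.20.30.12,310,6.9.7.CU01,disabled,2026-09-15
iSTAR Ultra G2,G2-0101,10.20.31.5,311,6.9.2,enabled,2026-01-20
iSTAR Edge G2,EDG-0201,10.20.31.9,311,6.9.3,disabled,2025-12-31
"""

# Fixed reference date so the triage is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2026, 1, 10, tzinfo=timezone.utc)
CERT_WARNING_DAYS = 30

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?$")


def parse_version(text):
    """Turn 'major.minor.patch[.CUnn]' into a comparable tuple.
    Assumption about the vendor scheme: a base release without a CU suffix sorts
    before CU01 of that release, so 6.9.7 < 6.9.7.CU01 ('prior to 6.9.7.CU01')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu) if cu else 0)


def is_affected(model, firmware):
    """True when the running firmware is below the CSAF fixed version for that model."""
    try:
        fixed = FIXED_VERSIONS[model]
    except KeyError:
        raise ValueError(f"model not covered by this advisory: {model!r}") from None
    return parse_version(firmware) < parse_version(fixed)


def triage(csv_text, now=REFERENCE_NOW, warn_days=CERT_WARNING_DAYS):
    """Map each serial to its list of findings, in a fixed order so results are comparable."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        if is_affected(row["model"], row["firmware"]):
            findings.append("affected_firmware")
        if row["web_server"].strip().lower() == "enabled":
            findings.append("web_server_enabled")  # vendor guidance: disable where feasible
        not_after = datetime.strptime(row["cert_not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if not_after < now:
            findings.append("cert_expired")
        elif not_after - now <= timedelta(days=warn_days):
            findings.append("cert_expiring")
        results[row["serial"]] = findings
    return results


if __name__ == "__main__":
    for serial, findings in triage(SAMPLE_INVENTORY).items():
        print(f"{serial:<10} {', '.join(findings) or 'no findings'}")
```

The version parser is deliberately strict: any firmware string it cannot parse raises rather than silently comparing as "not affected", which is the failure mode you want to surface when a field technician has typed a version by hand. Confirm the real fixed‑version string against the vendor PSA for your model before relying on the threshold table.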
Detection signatures and forensic indicators (operational specifics)
- Look for HTTP/S requests to management endpoints outside normal maintenance windows; check for unexpected POSTs to firmware/upgrade endpoints.
- Monitor for new or modified system files in the device filesystem, unexpected root shells or persistent cron jobs, and anomalies in firmware verification checks at boot.
- Track TLS handshakes from unusual remote IPs, certificate subject mismatches, and repeated failed authentication attempts — these can be precursors to exploitation or reconnaissance activity.
- Correlate anomalous access with door‑operation logs (doors opening outside schedule, remote unlock events) for early operational indicators of compromise.
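The indicators listed above can be turned into concrete SIEM or log‑pipeline rules. The following is an added example, not code from the vendor, CISA or the original article: it runs four defensive rules over constructed access‑log lines from a controller management interface, flagging firmware‑endpoint writes outside an assumed maintenance window, requests from sources other than the approved jump host, URL‑decoded request paths containing shell metacharacters, and bursts of failed authentication. The log format, endpoint paths, IP addresses, the 01:00 to 05:00 UTC maintenance window and the failure‑burst threshold are all assumptions for illustration.

```python
"""Constructed example: run the advisory's detection themes over sample HTTP access-log
lines from a controller management interface. The log format, endpoint paths, IP addresses,
maintenance window and thresholds are assumptions for illustration, not vendor specifics."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample log lines: src_ip - user [timestamp] "METHOD path proto" status
SAMPLE_LOG = """\
10.50.1.10 - admin [2026-01-12T02:15:07Z] "POST /upgrade/firmware HTTP/1.1" 200
10.50.1.10 - admin [2026-01-12T14:03:41Z] "POST /upgrade/firmware HTTP/1.1" 200
10.99.8.23 - - [2026-01-12T14:05:02Z] "GET /cgi-bin/example?host=10.1.1.1%3B%20id HTTP/1.1" 500
10.99.8.23 - - [2026-01-12T14:06:10Z] "POST /login HTTP/1.1" 401
10.99.8.23 - - [2026-01-12T14:06:12Z] "POST /login HTTP/1.1" 401
10.99.8.23 - - [2026-01-12T14:06:15Z] "POST /login HTTP/1.1" 401
10.50.1.10 - admin [2026-01-12T14:20:00Z] "GET /status HTTP/1.1" 200
"""

# Assumed site policy: only the hardened jump host may reach the management interface,
# and firmware changes are expected only inside a 01:00-05:00 UTC maintenance window.
ALLOWED_SOURCES = {"10.50.1.10"}
MAINTENANCE_HOURS = range(1, 5)
AUTH_BURST_COUNT = 3
AUTH_BURST_SECONDS = 60

LOG_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')
FIRMWARE_PATH_RE = re.compile(r"firmware|upgrade|update", re.I)
# Shell metacharacters that have no legitimate place in a management request once URL-decoded.
SHELL_META_RE = re.compile(r"[;|`]|\$\(|&&")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, user, ts, method, path, status = m.groups()
    return {
        "src": src,
        "user": user,
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "method": method,
        "path": path,
        "status": int(status),
    }


def _alert(alerts, ev, rule):
    alerts.append({"rule": rule, "src": ev["src"], "ts": ev["ts"].isoformat(),
                   "request": f'{ev["method"]} {ev["path"]}'})


def detect(log_text):
    """Return a list of alert dicts (rule, src, ts, request) in the order they fire."""
    alerts = []
    flagged_sources = set()          # report an unexpected source once, not per request
    failures = defaultdict(deque)    # per-source sliding window of 401 timestamps
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["src"] not in ALLOWED_SOURCES and ev["src"] not in flagged_sources:
            flagged_sources.add(ev["src"])
            _alert(alerts, ev, "unexpected_source")
        if (ev["method"] in ("POST", "PUT") and FIRMWARE_PATH_RE.search(ev["path"])
                and ev["ts"].hour not in MAINTENANCE_HOURS):
            _alert(alerts, ev, "firmware_change_outside_window")
        if SHELL_META_RE.search(unquote(ev["path"])):
            _alert(alerts, ev, "command_injection_pattern")
        if ev["status"] == 401:
            window = failures[ev["src"]]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > AUTH_BURST_SECONDS:
                window.popleft()
            if len(window) >= AUTH_BURST_COUNT:
                _alert(alerts, ev, "auth_failure_burst")
                window.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"]} {a["src"]:<12} {a["rule"]:<32} {a["request"]}')
```

Note that the first firmware POST in the sample falls inside the maintenance window and comes from the approved jump host, so it produces no alert; the value of the rule is the second POST at 14:03 UTC, which is exactly the "unexpected POST to firmware/upgrade endpoints" the checklist asks for. In production, correlate the `firmware_change_outside_window` alert with the device's own firmware‑version telemetry and the door‑operation log rather than treating it as proof of compromise on its own.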
Strengths, weaknesses, and operational risk analysis
Strengths in the vendor/CISA response
- Coordination and disclosure: Johnson Controls has published PSAs and the company is working with CISA to republish ICS advisories — this gives operators an authoritative remediation path and operational guidance.
- Available firmware fixes: Vendor advisories indicate firmware releases are available that remediate command‑injection and firmware‑verification issues for many models; these fixes materially reduce exploitation risk when deployed.
- Actionable mitigations: CISA’s standard mitigations (segmentation, least‑privilege access, jump hosts, and minimizing Internet exposure) are concrete, tested, and immediately implementable across environments.
Notable risks and gaps
- Version fragmentation and advisory drift: Multiple advisories published over months can present different fixed versions and CVE numbers — this complicates patching programs and compliance tracking. Confirm vendor PSAs, firmware checksums, and NVD/CVE canonical entries before marking assets remediated.
- Operational disruption risk: Patch rollouts for door controllers may require maintenance windows and coordinated physical access; for high‑availability sites this can be disruptive if not planned carefully.
- Residual attack surface: Even patched devices can remain vulnerable to configuration weaknesses (default credentials, exposed management interfaces) and to supply‑chain or integration misconfigurations; hardening and ongoing monitoring are essential complements to patching.
Recommendations for procurement, integrators, and security teams
- Enforce vendor‑supported lifecycle policies in procurement decisions: prefer controllers with active security support and clear update paths.
- Require a documented vendor hardening guide and signed firmware images; insist on vendor communication channels for security advisories and PSAs.
- For integrators and service providers: include post‑installation security checks (disable web UI where possible, rotate credentials, validate TLS certificate chains) as part of standard handover checklists.
- For security teams managing Windows workstations that interact with ICU or vendor tools: treat utility software (ICU) like any other potentially exploitable Windows application: keep it patched, restrict which engineering hosts can run it, and use application control where possible. CISA and vendor advisories for ICU highlight that the Configuration Utility itself can present significant risk to the Windows host if left unpatched.
Final assessment and closing guidance
The CSAF you shared documents significant command‑injection and firmware‑integrity weaknesses in the iSTAR controller family that carry real operational risk: root‑level or firmware‑level compromise of access controllers can silently erode both safety and forensic capabilities for building and facility operators. The vendor has published remediation paths and fixed firmware versions, and CISA’s independent advisories corroborate the high‑severity technical class and mitigation posture. That alignment makes patching plus network hardening the immediate, high‑priority response.
However, there are two practical caveats that must inform any remediation program:
- Confirm canonical CVE entries and vendor firmware release notes before closing compliance tickets; the CVE identifiers and fixed version strings can differ across CSAF/PSA/CISA updates and across publication dates. Treat any CVE that does not appear in NVD/MITRE as vendor‑provided until NVD synchronization appears.
- Coordinate firmware rollouts with operations and integrators, test fixes on non‑production hardware, and apply compensating network controls where immediate patching is not possible (isolation, ACLs, jump hosts, and disabling of admin interfaces).
Taken together, these steps protect both physical access systems and the Windows/IT endpoints used to manage them. For organizations that operate mixed IT/OT estates, the iSTAR advisories are a timely reminder: patching, segmentation and identity‑first device management are non‑optional. Apply the vendor firmware that specifically matches your device model and follow the hardening checklist in the vendor PSA and CISA advisory; maintain an inventory of certificate expiry dates and administrative accounts so the next advisory cycle does not become an emergency.
Conclusion: take the CSAF’s technical assertions seriously, but validate identifiers and firmware artifacts against Johnson Controls’ PSAs and the official CISA advisories before completing remediation records. The combined approach of verified firmware updates, immediate network containment and operational hardening is the fastest, most reliable way to close the high‑risk window that these iSTAR findings expose.
Source: CISA, Johnson Controls iSTAR advisory page.