Johnson Controls’ iSTAR Ultra family of door controllers contains a cluster of high‑impact vulnerabilities that — if left unpatched — can give remote attackers a path to root access, firmware modification, and local console takeover, creating a direct route from network compromise to physical access control failure. (johnsoncontrols.com)

Background / Overview

The affected product set includes multiple variants in the Software House iSTAR line: iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2. The public advisory identifies a set of six distinct weakness classes — from OS command injection to insecure storage of a signing key — and maps those to six CVE identifiers reported by the researcher. The advisory lists affected firmware versions (notably versions up to and including 6.9.2.CU02 for many models) and says a patched firmware (6.9.3) was made available in 2024 that addresses the most severe issues and reduces risk for several others. (johnsoncontrols.com)
This is a classic intersection of IT and operational technology (OT) risk: these controllers manage door access and are deployed worldwide across commercial, government, and critical-manufacturing facilities. Compromise of a single controller can lead to physical security failures and create a pivot point to other building systems. The advisory explicitly calls out remote exploitability and low attack complexity for the most severe findings, driving the urgency for immediate mitigation.

Executive summary of technical findings

  • OS command injection (CWE‑78, CVE‑2025‑53695): An authenticated web‑application flaw that can be leveraged to execute OS commands and escalate to root on affected firmware up to 6.9.2; a CVSS v4 base score around the high‑8 range is reported in the advisory indicating severe impact and network attack vector.
  • Firmware verification bypass / insufficient authenticity checks (CWE‑345 / CWE‑494, CVE‑2025‑53696): The boot‑time firmware integrity check misses portions of firmware that could carry malicious code, enabling potentially persistent compromise of device firmware.
  • Default credentials / root account presence (CWE‑1392, CVE‑2025‑53697): A default root password exists on older firmware, and while it can be changed via shell access, its presence materially increases the attack surface where local/privileged access is required first.
  • Undocumented alternate hardware interfaces (CWE‑1299, CVE‑2025‑53698 & CVE‑2025‑53699): An RJ11 serial console exposing U‑Boot (and an unprotected USB console handling keyboard input) grants physical attackers a direct route to a root shell or local command injection if the bootloader and console are not locked down.
  • Insecure storage of sensitive information (CWE‑922, CVE‑2025‑53700): A private software signing key used by related NVR products is present in the controller firmware on impacted versions, enabling code signing bypass if the key is extracted.
These weaknesses are not isolated minor bugs; together they permit a range of attack paths that can lead to complete device compromise and potentially to physical access control manipulation.

Affected versions and vendor response

Affected products and versions

The advisory lists the following firmware/version relationships:
  • iSTAR Ultra and iSTAR Ultra SE: Versions 6.9.2.CU02 and prior are affected by the most critical CVEs (OS command injection, firmware verification gaps, default credentials, insecure storage, etc.). For the hardware interface weaknesses, some CVEs are reported against all versions, which suggests design issues that are not confined to those builds.
  • iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2: Versions 6.9.2.CU02 and prior are called out for several of the same issues; Johnson Controls reports fixes or risk reductions in firmware 6.9.3 and newer for many of these problems.

Vendor action and timeline

Johnson Controls published product security advisories and has made firmware 6.9.3 available (the advisory notes this patch was provided in 2024 and addresses the most critical items, while reducing risk for several others). The vendor also notes the iSTAR Ultra is an older device with planned end‑of‑service timelines, and recommends considering upgrade to newer control units. Johnson Controls maintains a security advisories page listing the iSTAR advisories and recommended mitigations. (johnsoncontrols.com)
CISA has issued public ICS advisories for Johnson Controls products across the iSTAR family; CISA’s public advisories repeatedly emphasize minimizing network exposure and isolating control systems from internet access and enterprise networks as compensating controls. CISA’s broader guidance for ICS hardening is consistent with the recommendations in the vendor advisories. (cisa.gov)

Why these vulnerabilities matter — attack paths and impact

Remote escalation via web interface

The OS command injection in the web application is the most urgent issue: when a remote, authenticated operator or integrator account interacts with the device’s web UI (a common management pattern), malformed input can be passed to system shell commands. That allows an attacker, with relatively low complexity, to execute arbitrary commands and to escalate to persistent firmware-level control. If exploited across a fleet of controllers, this could enable coordinated physical access manipulation, opening doors or disabling locking mechanisms.
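To make the injection pattern concrete from the defender's side, here is an added example (not code from the advisory, the vendor, or the affected product) showing the handler shape that produces a CWE-78 finding beside a hardened version of the same function. The diagnostics page, the `host` parameter and every name in it are invented for illustration.

```python
import re
import subprocess

# Constructed scenario: a diagnostics page on a hypothetical controller takes a
# 'host' parameter from the HTTP request and pings it. All names are invented.

# Characters a POSIX shell interprets as command separators, substitutions or
# redirections when a value is spliced into a command line.
SHELL_METACHARACTERS = set(";|&`$(){}<>\n")


def vulnerable_ping_command(host: str) -> str:
    """VULNERABLE pattern (CWE-78): the untrusted value is formatted into a
    command string destined for a shell (subprocess with shell=True, os.system
    or a C system() call). Anything after a separator is executed as well."""
    return f"ping -c 1 {host}"


def shell_metacharacters(value: str) -> set:
    """Which shell-significant characters does the value carry? Useful both
    for input validation and for reviewing logged administrative requests."""
    return set(value) & SHELL_METACHARACTERS


_HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def is_safe_host(host: str) -> bool:
    """Allowlist validation: hostname or IPv4 characters only, nothing else."""
    return _HOST_RE.fullmatch(host) is not None


def hardened_ping_argv(host: str) -> list:
    """HARDENED form: validate first, then pass an argv list so no shell ever
    parses the value. Rejected input raises instead of being 'sanitised'."""
    if not is_safe_host(host):
        raise ValueError(f"rejected diagnostics host: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> int:
    """Execute the hardened form without a shell and return the exit status.
    'echo' stands in for 'ping' so the demo needs no network or privileges."""
    argv = hardened_ping_argv(host)
    argv[0] = "echo"
    return subprocess.run(argv, check=False, capture_output=True).returncode


if __name__ == "__main__":
    for candidate in ("10.0.0.1", "door-ctrl-01.example", "10.0.0.1; id"):
        print(f"{candidate!r}: shell chars {shell_metacharacters(candidate) or '-'}, "
              f"accepted={is_safe_host(candidate)}")
```

The design point is that the hardened function never tries to strip or escape dangerous characters; it rejects anything outside the allowlist and hands the value to the operating system as a discrete argument, so the shell is simply not in the path.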

Persistent compromise through firmware

The firmware verification bypass is particularly dangerous because it enables supply‑chain‑style persistence: an attacker able to inject code into the unchecked firmware region could survive reboots and updates, especially if signing verification or key protection is absent or weak. The presence of a signing key in firmware further undermines any future firmware validation by allowing an attacker to sign arbitrary firmware images.
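As an added illustration (not code from the advisory or the vendor), the following toy models the firmware-verification point made above and in the executive summary: a boot-time check that hashes only part of the image cannot detect changes to the rest. The image layout, the region names and the assumption that the expected digest is pinned in immutable storage are all constructed for the example; it does not model the separate signing-key issue.

```python
import hashlib
import hmac
import struct

# Constructed toy image layout (not the vendor's format):
#   header (16 bytes) = magic(4) | kernel_len(4) | rootfs_len(4) | reserved(4)
#   followed by the kernel region and then the rootfs region.
MAGIC = b"TOYF"
HEADER_LEN = 16


def build_image(kernel: bytes, rootfs: bytes) -> bytes:
    header = MAGIC + struct.pack("<III", len(kernel), len(rootfs), 0)
    return header + kernel + rootfs


def parse_image(image: bytes) -> dict:
    if len(image) < HEADER_LEN:
        raise ValueError("image too short")
    magic, kernel_len, rootfs_len, _reserved = struct.unpack("<4sIII", image[:HEADER_LEN])
    if magic != MAGIC or len(image) != HEADER_LEN + kernel_len + rootfs_len:
        raise ValueError("malformed image")
    kernel_end = HEADER_LEN + kernel_len
    return {
        "header": image[:HEADER_LEN],
        "kernel": image[HEADER_LEN:kernel_end],
        "rootfs": image[kernel_end:],
    }


def digest_partial(image: bytes) -> str:
    """The weak check: only header + kernel are hashed. Bytes in the rootfs
    region are never examined, so a change there is not detected."""
    parts = parse_image(image)
    return hashlib.sha256(parts["header"] + parts["kernel"]).hexdigest()


def digest_full(image: bytes) -> str:
    """The correct check: every byte of the image is covered."""
    parse_image(image)  # still enforce structural sanity
    return hashlib.sha256(image).hexdigest()


def verify(image: bytes, pinned_digest: str, digest_fn) -> bool:
    """Compare against a digest assumed to live in immutable storage (ROM or
    OTP fuses), using a constant-time comparison."""
    return hmac.compare_digest(digest_fn(image), pinned_digest)


def tamper_rootfs(image: bytes, payload: bytes) -> bytes:
    """Overwrite the first bytes of the rootfs region in place, keeping all
    length fields intact, to model an unchecked region being modified."""
    parts = parse_image(image)
    if len(payload) > len(parts["rootfs"]):
        raise ValueError("payload larger than rootfs region")
    rootfs = payload + parts["rootfs"][len(payload):]
    return parts["header"] + parts["kernel"] + rootfs


def demo() -> dict:
    """Pin digests over a good image, then verify a modified one both ways."""
    good = build_image(b"K" * 64, b"R" * 128)
    pinned_partial = digest_partial(good)
    pinned_full = digest_full(good)
    modified = tamper_rootfs(good, b"X" * 8)
    return {
        "partial_accepts_modified": verify(modified, pinned_partial, digest_partial),
        "full_accepts_modified": verify(modified, pinned_full, digest_full),
        "full_accepts_good": verify(good, pinned_full, digest_full),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows the partial check accepting the modified image while the full check rejects it. In a real boot chain the reference would be a signature over the whole image verified with a public key held in immutable storage, which is exactly the property that an unchecked region, or a private key shipped inside the firmware, undermines.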

Physical access escalation

The undocumented RJ11 serial console and permissive USB console behavior are classic OT‑style pitfalls. With physical access to an installed controller (for example, in a poorly secured equipment room), an attacker can access bootloader or local shells and bypass network controls entirely. This is especially relevant in deployments where controllers are installed in areas that are not sufficiently locked down. The vendor manual requires restricted access install locations for a reason: these consoles were not designed with robust physical interface protection.

Credential risk

Default or factory passwords remain one of the simplest and most effective ways to gain access. Even where a default can be changed, out‑of‑band exposure (stolen backups, misconfigured log collection, or leaked configuration images) can reveal credentials and accelerate compromise. The advisory documents a default root password on older builds, which increases the probability that a targeted actor will find a way to authenticate and then exploit higher‑impact flaws.

Practical mitigations and recommended actions (prioritized)

The advisory and vendor guidance converge on a short list of high‑impact mitigations — implement these immediately and track completion.

Immediate (days)

  • Patch all affected controllers to the latest available firmware — install 6.9.3 or newer where supported. If a device family or specific model lacks a patchable path, plan for urgent compensating controls and hardware replacement. (johnsoncontrols.com)
  • Remove or limit Internet exposure — ensure controllers and management utilities are not routable from the public Internet; block external access at perimeter firewalls. (cisa.gov)
  • Segment networks — place iSTAR controllers on dedicated, strictly filtered VLANs; block lateral access from enterprise hosts and restrict flows only to necessary management endpoints. (cisa.gov)

Near term (weeks)

  • Disable remote web management when it is not needed; perform firmware upgrades from the console or within scheduled maintenance windows. Where remote access is required, use hardened VPNs with strict MFA and logging. Recognize that a VPN reduces exposure but does not remove the need to patch or harden local services. (cisa.gov)
  • Harden credentials — change any factory/default passwords immediately, enforce strong password policies, and rotate keys used for device management and signing. Audit all accounts and remove unused administrative access.

Physical controls and process (30–90 days)

  • Restrict physical access to cabinet/room locations housing controllers (lock cabinets, controlled keys, badge access, tamper sensor monitoring). The hardware installation manual requires restricted‑access locations to reduce the risk from local consoles.
  • Disable or protect alternate consoles — where firmware allows, disable serial consoles, lock U‑Boot with passwords, and restrict USB HID input behavior. If the bootloader lacks protection, treat devices as physically untrusted and isolate them.
  • Monitor and log aggressively — enable structured logging, centralize logs, and monitor for unusual commands, reboots, or unexpected firmware changes. Create alerting for indicators such as repeated failed admin logins or unexpected changes to code‑signing fingerprints.

Replacement and long term (3–12 months)

  • Plan hardware replacement for end‑of‑service devices. Where Johnson Controls indicates end‑of‑service timelines (the advisory notes iSTAR Ultra is an older device with an upcoming EoS window), prioritize replacement of devices that can no longer be fully patched or that rely on insecure boot components.
  • Supply‑chain and asset hygiene — maintain an up‑to‑date inventory of all controllers, firmware versions, and management utilities; map which controllers are reachable from which network segments to prioritize remediation.

Detection guidance and indicators of compromise

  • Sudden or unexplained changes to access control policies, door unlock events outside of scheduled windows, or anomalous sequences of locking/unlocking are high‑priority operational indicators.
  • Watch for unexpected firmware update attempts, files signed with unusual keys, or unknown keys in firmware images. Extraction of signing keys from firmware is a red flag.
  • Look for web UI requests containing shell metacharacters, long atypical POST payloads, or repeated administrative actions outside normal maintenance windows (possible command‑injection attempts).
  • Monitor for any serial/console usage events or physical tamper alarms around controller cabinets.
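The detection list above, together with the logging item under physical controls, turned into an added example (not from the advisory or the vendor) that runs those rules over constructed key=value log lines. The log format, the field names, the signer allowlist, the unlock window and the failed-login threshold are all assumptions for illustration; a real deployment maps them onto whatever the controller and the log collector actually emit.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed log format: space-separated key=value pairs with an ISO-8601 'ts'
# and an 'event' field. This is not the controller's real log format.
SAMPLE_LOG = [
    "ts=2025-03-03T09:12:01 event=web_request src=10.10.5.20 role=admin path=/diag param=host=10.0.0.1",
    "ts=2025-03-03T09:12:07 event=web_request src=10.10.5.20 role=admin path=/diag param=host=10.0.0.1;id",
    "ts=2025-03-03T09:13:00 event=login_failed src=10.10.5.21 user=admin",
    "ts=2025-03-03T09:13:04 event=login_failed src=10.10.5.21 user=admin",
    "ts=2025-03-03T09:13:09 event=login_failed src=10.10.5.21 user=admin",
    "ts=2025-03-03T02:41:10 event=door_unlock door=D-LOBBY-1 by=operator1",
    "ts=2025-03-03T10:00:00 event=door_unlock door=D-LOBBY-1 by=operator1",
    "ts=2025-03-03T11:00:00 event=firmware_update device=CTRL-07 signer=SHA256:deadbeef",
]

SHELL_META = re.compile(r"[;|&`$(){}<>]")            # shell metacharacters in admin requests
KNOWN_SIGNER_FINGERPRINTS = {"SHA256:aaaa1111"}      # constructed allowlist of expected signing keys
UNLOCK_WINDOW = (time(7, 0), time(19, 0))            # assumed scheduled unlock window
FAILED_LOGIN_THRESHOLD = 3                           # assumed threshold per (source, user)


def parse(line: str) -> dict:
    event = dict(pair.split("=", 1) for pair in line.split())
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyze(lines) -> list:
    """Return (rule, subject, detail) tuples for every line that trips a rule.
    The failed-login counter has no sliding window here; production rules would add one."""
    alerts = []
    failed_logins = defaultdict(int)
    for line in lines:
        e = parse(line)
        kind = e["event"]
        if kind == "web_request" and e.get("role") == "admin" and SHELL_META.search(e.get("param", "")):
            alerts.append(("possible_command_injection", e["src"], e["param"]))
        elif kind == "login_failed":
            key = (e["src"], e.get("user"))
            failed_logins[key] += 1
            if failed_logins[key] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_failed_admin_login", e["src"], f"{FAILED_LOGIN_THRESHOLD} failures"))
        elif kind == "door_unlock":
            t = e["ts"].time()
            if not (UNLOCK_WINDOW[0] <= t <= UNLOCK_WINDOW[1]):
                alerts.append(("unlock_outside_window", e["door"], e["ts"].isoformat()))
        elif kind == "firmware_update" and e.get("signer") not in KNOWN_SIGNER_FINGERPRINTS:
            alerts.append(("unknown_firmware_signer", e["device"], e.get("signer", "none")))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in analyze(SAMPLE_LOG):
        print(f"{rule:32} {subject:12} {detail}")
```

Over the sample lines the analyzer raises four alerts, one per rule: the request whose parameter carries a `;`, the third failed admin login from one source, the 02:41 unlock outside the window, and the firmware update signed by a key that is not on the allowlist.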

Critical analysis — strengths, weaknesses, and risk tradeoffs

Strengths in vendor response

  • Coordinated disclosure: The vendor published security advisories and provided firmware updates; public advisories and CISA notifications have increased awareness rapidly. This coordination is a strong positive and gives operators a clear remediation path. (johnsoncontrols.com) (cisa.gov)
  • Mitigations available: A firmware release (6.9.3) addresses the most severe command‑injection issue and reduces the risk for others, enabling many organizations to rapidly reduce exposure via patching.

Persistent weaknesses and systemic risks

  • Design flaws versus patchable bugs: Several of the documented problems are architectural (inadequate firmware verification, sensitive keys embedded in firmware, bootloader protections absent). Architectural weaknesses are harder to fully remediate through incremental patches and often require hardware or design changes — meaning long‑tail risk persists where legacy hardware is still deployed.
  • Physical access remains a major vector: Even with perfect network segregation, the existence of a live serial console and permissive USB console behavior means physical security lapses can directly yield full control. This is a systemic OT problem: physical and cyber security must be treated jointly.
  • Operational friction of patching ICS: Many environments cannot take devices offline easily for maintenance. That reality slows patch adoption and prolongs exposure. Organizations should weigh the operational cost of patching against the much higher cost of a breach that leads to physical access loss or safety incidents.

Unverified or evolving claims — cautionary notes

  • Some CVE scoring and third‑party write‑ups in public feeds show differing CVSS values for individual CVEs. Where a CVE has not yet been fully processed in the NVD or other canonical registries, CVSS scores may be provisional or computed by the advisory authoring body; operators should rely on vendor and CISA guidance for prioritization but also validate public scoring as registries are updated. When a CVE record is absent or marked for enrichment in the NVD, treat associated numerical severity as informative but subject to revision. (nvd.nist.gov)

Recommended checklist for IT / OT teams (actionable)

  • Inventory: Identify all iSTAR devices (model, serial, firmware version).
  • Patch: Immediately schedule and apply 6.9.3 or newer where supported; if patching is not possible, isolate the device segment and apply compensating controls.
  • Credentials: Discover and rotate all default or shared credentials. Enforce unique credentials per device.
  • Network: Block Internet access to controllers; restrict management to a jump host with MFA. (cisa.gov)
  • Physical: Audit physical protections for cabinets; lock and monitor access.
  • Replace: Prioritize replacement for controllers nearing end of service or those that cannot be upgraded.
  • Monitor: Implement logging, central collection, and rules for anomalous door events and firmware/key changes.
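The inventory and patch steps of this checklist, together with the version relationships listed under "Affected products and versions", as an added triage helper (not the vendor's tool and not from the advisory). The inventory records are constructed, and the version grammar (6.9.2.CU02 meaning base 6.9.2 plus cumulative update 02, with a plain 6.9.3 sorting above it) is an assumption about how the vendor's version strings compare.

```python
import re

# From the advisory summary above: fixes and risk reductions shipped in firmware 6.9.3.
FIXED_IN = (6, 9, 3, 0)
AFFECTED_MODELS = {
    "iSTAR Ultra", "iSTAR Ultra SE", "iSTAR Ultra G2", "iSTAR Ultra G2 SE", "iSTAR Edge G2",
}
# Hardware-interface weaknesses reported for all versions; patching alone does
# not address them, physical controls do.
ALL_VERSION_CVES = ("CVE-2025-53698", "CVE-2025-53699")
# The advisory flags iSTAR Ultra as an older device with an upcoming end of service.
EOS_FLAGGED_MODELS = {"iSTAR Ultra"}

# Assumed version grammar: "6.9.2.CU02" = base 6.9.2 plus cumulative update 02;
# a plain "6.9.3" parses as (6, 9, 3, 0).
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?$")


def parse_version(text: str) -> tuple:
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu or 0))


def triage(device: dict) -> dict:
    """Classify one inventory record and list the checklist actions that apply."""
    model = device["model"]
    if model not in AFFECTED_MODELS:
        return {"id": device["id"], "status": "not_in_scope", "actions": []}
    version = parse_version(device["firmware"])
    actions = []
    if version < FIXED_IN:
        status = "needs_patch"
        actions.append("install 6.9.3 or newer; until then isolate the device segment")
    else:
        status = "patched"
    actions.append(f"restrict physical access to consoles ({', '.join(ALL_VERSION_CVES)} affect all versions)")
    actions.append("rotate default/shared credentials; verify unique credentials per device")
    if model in EOS_FLAGGED_MODELS:
        actions.append("plan replacement (vendor notes end-of-service for this model)")
    return {"id": device["id"], "status": status, "actions": actions}


def summarize(inventory) -> dict:
    """Count devices per triage status for reporting."""
    counts = {}
    for device in inventory:
        status = triage(device)["status"]
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed inventory records for the demo.
SAMPLE_INVENTORY = [
    {"id": "CTRL-01", "model": "iSTAR Ultra", "firmware": "6.9.2.CU02"},
    {"id": "CTRL-02", "model": "iSTAR Ultra G2", "firmware": "6.9.3"},
    {"id": "CTRL-03", "model": "iSTAR Edge G2", "firmware": "6.8.0"},
    {"id": "CTRL-04", "model": "iSTAR Ultra G2 SE", "firmware": "6.9.3.CU01"},
    {"id": "SRV-01", "model": "non-iSTAR device", "firmware": "1.0"},
]

if __name__ == "__main__":
    for device in SAMPLE_INVENTORY:
        result = triage(device)
        print(result["id"], result["status"], *result["actions"], sep="\n  ")
    print(summarize(SAMPLE_INVENTORY))
```

Note that even a device reported as `patched` still receives the physical-access and credential actions, because the console weaknesses are listed for all versions and a firmware update does not change a factory password.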

Final assessment and closing perspective

The iSTAR Ultra advisory represents a high‑risk ICS disclosure: multiple, complementary vulnerabilities provide both remote and local paths to full compromise. The presence of an OS command injection that leads to root access, combined with firmware verification gaps and an embedded signing key, raises the prospect of persistent, stealthy compromises that are difficult to eradicate without coordinated patching and hardware replacement. The immediate risk is mitigable for many operators via firmware updates (Johnson Controls released 6.9.3 in 2024), network segmentation, and hardening, but legacy deployments and devices that cannot be patched remain a material and enduring risk. (johnsoncontrols.com)
Operational resilience requires an integrated response: apply vendor patches quickly; treat device consoles and USB ports as sensitive interfaces requiring physical controls; rotate and harden credentials; and, where possible, plan to migrate off devices that are at or near end of service. The combined technical severity and the physical consequences of a successful attack on access control systems make this a priority remediation for any organization running Johnson Controls iSTAR hardware.

Source: CISA Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 | CISA
 
