The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark warning to organizations using Johnson Controls iSTAR access controllers: two newly disclosed vulnerabilities could allow attackers to seize full control of the devices, opening doors, disabling alarms, and tampering with firmware. The flaws, both rated 8.8 on the CVSS scale, affect a range of iSTAR models deployed worldwide in commercial buildings, government facilities, and critical infrastructure. Johnson Controls has released firmware patches, and CISA is urging immediate action to prevent exploitation.

The Vulnerability Details

CISA advisory ICSA-25-345-02 describes two OS command injection vulnerabilities, assigned CVE-2025-43873 and CVE-2025-43874. The affected products span the entire iSTAR family, with distinct fixed firmware baselines for different hardware generations.

iSTAR Ultra, Ultra SE, and Ultra LT – mainstream controllers handling complex door networks – are vulnerable in all firmware versions prior to 6.9.7.CU01.

iSTAR Ultra G2, Ultra G2 SE, and Edge G2 – the second-generation line known for faster processing – need firmware 6.9.3 or later to close the hole.

The vulnerabilities arise because the controllers’ web and diagnostic interfaces accept user-supplied input that is then concatenated directly into shell commands without proper sanitization. An authenticated attacker – even one with low privileges – can inject shell metacharacters or command fragments, causing the device to execute arbitrary commands with root-level access. Once an attacker achieves code execution, they can modify firmware, install persistent backdoors, read configuration data, or manipulate physical access controls.

Both CVEs carry a CVSS v3.1 base score of 8.8 and a CVSS v4 score of 8.7. The vector string highlights the danger: the attacks are network-accessible, have low attack complexity, and require only low privileges without any user interaction. Successful exploitation leads to a total compromise of confidentiality, integrity, and availability.

Dragos researcher Reid Wightman discovered the flaws and reported them through coordinated vulnerability disclosure channels. Johnson Controls released corresponding product security advisories JCI-PSA-2025-11 and JCI-PSA-2025-13, and there is no evidence of active exploitation in the wild so far.

Who’s Affected and What’s at Stake

iSTAR controllers serve as the brains of C•CURE access control systems, handling badge readers, door strikes, alarm inputs, and communication with central management servers. They are installed in airports, data centers, government offices, hospitals, and critical manufacturing plants across the globe.

A compromised controller hands an attacker the keys to the physical world. They could silently unlock doors, disable alarms, suppress audit logs, or lock occupants inside or out. Beyond physical safety, the controllers can become a pivot point into corporate IT networks. Many organizations connect them to building management VLANs that also host Windows-based management workstations, surveillance servers, or corporate Wi-Fi controllers. Once inside that flat network, an attacker can move laterally to compromise business-critical systems.

For facilities teams, the immediate fear is physical security failure. For IT security teams, the concern is an unmonitored Linux device now running adversarial code and reaching out to the internet. For compliance officers, the issue becomes a SOX or NERC-CIP audit nightmare because door logs can be erased, and integrity checks can be bypassed.

Why These Bugs Are Different

Historically, command injection in IoT devices required chaining multiple weaknesses or physical access. Here, the attack surface is the built-in web interface that technicians use for maintenance and configuration. Many organizations expose these interfaces on internal engineering networks, assuming they are safe from external threats. But a compromised VPN account, a malware-infected integrator laptop, or even a malicious insider with legitimate low-privilege credentials could trigger the vulnerability. The low attack complexity and absence of a patch for older firmware versions heighten the risk.

Moreover, the iSTAR family has a long deployment lifecycle. Controllers often remain in service for a decade or more, and firmware updates are not as routine as patching a server. Some facilities still run 6.5.x or 6.8.x branches, which are now vulnerable. The push to upgrade to 6.9.7.CU01 or 6.9.3 represents a significant leap for those environments.

What to Do Now: A 7-Day Action Plan

If you operate iSTAR controllers, treat this as an emergency-priority event. Below is a step-by-step timeline to triage, patch, and verify.

Day 1–2: Inventory and Isolate

  • Locate every iSTAR controller on your network. Use configuration management databases, DHCP logs, or network scanners to identify MAC addresses and IP ranges.
  • Immediately remove any Internet-facing access. Block external access to the controllers’ HTTP/HTTPS management ports. Place them behind a firewall with strict access control lists that only allow connections from designated management hosts.
  • Move controllers to a dedicated VLAN segmented from the corporate LAN. CISA specifically recommends minimizing network exposure as the first line of defense.

Day 3–4: Patch and Credential Rotation

  • Download the correct firmware package from the Johnson Controls Product Security Advisory portal. For Ultra/SE/LT devices, upgrade to 6.9.7.CU01 or higher. For G2/Edge G2, upgrade to 6.9.3 or higher.
  • Apply the update during a planned maintenance window, following the vendor’s documented procedure exactly. Test that door functions return to normal after the reboot.
  • After patching, change all administrative passwords on the controllers. If you were using default credentials (a common bad practice), rotate them immediately.
  • If the controllers use TLS certificates for communication, replace any default certificates with ones from your internal PKI. Rotate any SSH keys or tokens that may have been exposed.

Day 5: Verify Firmware Integrity

  • Compare the running firmware checksum against the vendor-published hash. Johnson Controls provides verification tools; use them on each unit.
  • Look for unexpected files, cron jobs, or outbound network connections from the controllers that could indicate a prior compromise.
  • Run a baseline filesystem snapshot against the vendor’s clean image. If you detect discrepancies, treat the device as potentially compromised and initiate incident response.

Day 6–7: Monitor and Harden

  • Enable logging of all authentication attempts and configuration changes on the controllers. Forward logs to a central, tamper-resistant collector.
  • Monitor for anomalous login attempts, unexpected TLS certificate changes, or sudden firmware version rollbacks.
  • Hunt for indicators of compromise: unknown processes, new user accounts, or outbound connections to strange IPs.
  • Implement additional hardening: disable unused diagnostic interfaces, activate “Pro Mode” protections if available, and physically secure the controller enclosures to prevent console access.

For facilities that cannot immediately upgrade, CISA advises deploying compensating controls such as strict network isolation, jump hosts with multi-factor authentication, and continuous integrity monitoring. Plan a hardware refresh if the controllers are too old to accept the required firmware.

The Broader Landscape of Connected Physical Security

The iSTAR disclosure is the latest in a string of industrial control system vulnerabilities that highlight the convergence of IT and operational technology. Over the past five years, dozens of advisories have exposed similar command injection or authentication bypass issues in building automation systems, from HVAC controllers to elevator management panels. The iSTAR family’s wide deployment in critical sectors — energy, transportation, government — makes it a high-value target for both cybercriminals and nation-state actors.

Researchers and government agencies have long warned that physical security devices are being added to IP networks without the same scrutiny applied to servers or workstations. In many organizations, the responsibility for these devices falls between facilities and IT, leaving security gaps. The Johnson Controls advisory reinforces the need for cross-functional governance: IT must treat door controllers as critical endpoints, and facilities teams must accept that patch management is now part of their operational routine.

Outlook: What to Watch Next

Expect additional advisories from Johnson Controls and CISA as the broader iSTAR platform undergoes deeper security review. Industry analysts foresee a push for mandatory update mechanisms, signed firmware, and secure boot in next-generation access controllers. For now, organizations should track the Johnson Controls Trust Center and the CISA ICS advisory page for any further updates.

The absence of public exploitation so far provides a narrow window to patch before attacks appear. The similarities to previous IoT exploitation patterns — where attackers reverse-engineered patches to develop exploits within days — mean that every hour counts.