A cluster of newly highlighted vulnerabilities in Johnson Controls’ iSTAR Ultra door controllers can give attackers a direct route from a network foothold to root-level control of physical access systems, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in an updated advisory on August 12. At the center of the alert is CVE-2025-53695, an OS command injection in the web application that — when exploited by an authenticated user — grants full root access on affected devices. The severity is compounded by five additional weaknesses that allow persistent firmware manipulation, exploitation of default credentials, and physical console takeover. Together, they create a scenario where a single compromised controller could unlock doors, disable locks, and pivot to other building management systems.

Johnson Controls made firmware version 6.9.3 available in 2024 to directly address the command injection flaw and significantly reduce risk from several other vulnerabilities, yet thousands of controllers deployed worldwide likely remain unpatched. CISA’s advisory, ICSA-25-224-02, lists all six CVEs and reinforces the manufacturer’s guidance that operators must upgrade immediately and implement compensating controls — especially because the iSTAR Ultra line is approaching its planned end-of-service, leaving a shrinking window for software fixes.

The Vulnerability Cluster: What’s at Stake

The advisory details six distinct weaknesses that, in combination, represent a complete failure of defense-in-depth. They are:

  • CVE-2025-53695 — OS Command Injection (CVSS v4 score in the high‑8 range)
    An authenticated attacker can send specially crafted inputs through the web management interface to execute arbitrary operating system commands. Successful exploitation leads to immediate root access on devices running firmware up to 6.9.2.CU02. This is the most dangerous of the bunch because the web UI is often reachable from corporate networks and, in some misconfigured installations, from the internet.

  • CVE-2025-53696 — Firmware Verification Bypass
    The boot-time integrity check does not cover portions of the firmware image, so malicious code can be placed there without detection. An attacker who gains write access — for example, via the command injection above — can install hidden, persistent implants that survive reboots and standard firmware updates.

  • CVE-2025-53697 — Default Root Credentials
    Older firmware builds include a factory‑set root password. Even if the password can be changed through the shell, its mere presence increases the attack surface for any actor who obtains local or remote administrative access.

  • CVE-2025-53698 and CVE-2025-53699 — Alternate Hardware Interfaces
    An undocumented RJ11 serial console exposes the U‑Boot bootloader, and an unprotected USB console directly accepts keyboard input. With physical access to a controller cabinet — often left unlocked in a maintenance closet — an intruder can bypass network defenses entirely and land in a root shell.

  • CVE-2025-53700 — Insecure Storage of a Signing Key
    A private software signing key used by related NVR products is embedded inside the controller firmware. If extracted, this key allows an attacker to sign malicious firmware images that appear legitimate, undermining any future code‑signing protections.

“These weaknesses are not isolated minor bugs,” the windowsforum analysis notes. “Together they permit a range of attack paths that can lead to complete device compromise and potentially to physical access control manipulation.”

Affected Products and the Patch Window

The following models are confirmed to be vulnerable when running firmware version 6.9.2.CU02 or earlier:

  • iSTAR Ultra
  • iSTAR Ultra SE
  • iSTAR Ultra G2
  • iSTAR Ultra G2 SE
  • iSTAR Edge G2

Johnson Controls states that firmware 6.9.3, released in 2024, fixes the command injection (CVE-2025-53695) and reduces risk for CVE-2025-53696, CVE-2025-53697, and CVE-2025-53700. However, for scenarios where an attacker already has physical proximity, users are urged to upgrade further to version 6.9.8, which includes additional hardening of the bootloader and console interfaces. A crucial detail: the iSTAR Ultra is an older hardware platform, and Johnson Controls has announced that its end‑of‑service date is now less than a year away. Organizations still running these devices face a narrowing window in which to patch and begin migration to newer control units.
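As an added example (not code from Johnson Controls or CISA), the following Python script turns the version thresholds above into an inventory triage: it parses firmware strings in the page's 6.9.2.CU02 style (dotted numerics plus an optional CUnn suffix, an assumed format), flags affected models still below 6.9.3, and lists internet-reachable unpatched controllers first. The inventory rows are constructed sample data.

```python
"""Triage a controller inventory against the advisory's firmware thresholds.
Added example, not Johnson Controls or CISA code. Assumes version strings look like
"6.9.2.CU02" (dotted numerics, optional CUnn suffix); inventory rows are constructed."""
import re

AFFECTED_MODELS = {"iSTAR Ultra", "iSTAR Ultra SE", "iSTAR Ultra G2",
                   "iSTAR Ultra G2 SE", "iSTAR Edge G2"}
FIXES_CMD_INJECTION = "6.9.3"   # closes CVE-2025-53695 per the advisory
HARDENS_CONSOLES = "6.9.8"      # urged where an attacker may have physical proximity
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.CU(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Return a comparable tuple: numeric parts (padded to at least three), then the CU number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts) + (int(m.group(2) or 0),)

def triage(model, version):
    """Classify one device: 'not-affected', 'patch-now', 'harden-consoles' or 'current'."""
    if model not in AFFECTED_MODELS:
        return "not-affected"
    v = parse_version(version)
    if v < parse_version(FIXES_CMD_INJECTION):
        return "patch-now"          # still exposed to the root command injection
    if v < parse_version(HARDENS_CONSOLES):
        return "harden-consoles"    # web flaw fixed; upgrade further if physically exposed
    return "current"

INVENTORY = [  # constructed sample data, not real devices
    {"id": "ctrl-lobby", "model": "iSTAR Ultra",    "fw": "6.9.2.CU02", "internet_reachable": True},
    {"id": "ctrl-dock",  "model": "iSTAR Ultra G2", "fw": "6.9.3",      "internet_reachable": False},
    {"id": "ctrl-plant", "model": "iSTAR Edge G2",  "fw": "6.9.8",      "internet_reachable": False},
    {"id": "ctrl-hvac",  "model": "Other Panel",    "fw": "2.1",        "internet_reachable": False},
]

def prioritise(inventory):
    """Order devices so unpatched, internet-reachable controllers come first."""
    rank = {"patch-now": 0, "harden-consoles": 1, "current": 2, "not-affected": 3}
    rows = [(d["id"], triage(d["model"], d["fw"]), d["internet_reachable"]) for d in inventory]
    return sorted(rows, key=lambda r: (rank[r[1]], not r[2]))

if __name__ == "__main__":
    for dev_id, status, exposed in prioritise(INVENTORY):
        print(f"{dev_id:12} {status:16} {'INTERNET-REACHABLE' if exposed else ''}")
```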

How the Attacks Unfold: From Web UI to Open Doors

Exploitation can follow several paths depending on the access vector available to the adversary.

Remote escalation via the web interface. An attacker who captures a valid management session — by phishing an integrator’s credentials, reusing a leaked password, or leveraging an earlier breach elsewhere on the network — can feed malformed inputs into the iSTAR web UI. The command injection flaw then allows them to execute shell commands as the root user. From there, they can alter the device’s access control rules, unlock specific doors, or disable all locking mechanisms simultaneously.

Firmware‑level persistence. Once root access is achieved, the firmware verification bypass enables injection of code into the regions of the firmware image that the integrity check does not cover. The result is a “supply chain in reverse” — a permanent backdoor that can listen for covert commands, exfiltrate cardholder data, or wait for a trigger to disable physical security during a break‑in. The presence of the signing key means that if the attacker ever extracts it, they can produce malicious firmware that passes future signature checks, making cleanup extraordinarily difficult.

Physical console takeover. The RJ11 and USB consoles shift the threat model to the physical realm. Many iSTAR Ultra units are installed in utility rooms, corridors, or wall‑mounted enclosures that lack tamper‑evident seals or alarm sensors. By plugging into the serial port while the controller boots, an intruder can interrupt U‑Boot and gain a root shell without any credentials. The USB console similarly accepts keyboard input even before the OS loads, providing another route to local command injection. The installation manual itself requires that controllers be placed in “restricted access” areas, but post‑deployment audits often reveal lapses.

Default credentials as a force multiplier. Even where an attacker only obtains a limited foothold, the presence of a known root password on older firmware can quickly transform a small misconfiguration into full compromise. Leaked backup files, exposed configuration snippets, or insider knowledge can all put that password into malicious hands.

Mitigations: What Operators Must Do Now

Given the consequences of a breach, security teams should treat this advisory as a priority‑one incident. The following actions, ranked by urgency, draw from both CISA’s recommendations and the detailed breakdown provided in the windowsforum community analysis.

Immediate (days)

  • Patch to the latest firmware. Install version 6.9.3 or newer on every supported device. If a model cannot accept the update, isolate it and begin planning its replacement. For controllers in high‑risk physical locations, aim for firmware 6.9.8.
  • Eliminate internet exposure. Verify that no iSTAR controller or management utility is reachable from the public internet. Block inbound traffic at the perimeter firewall.
  • Segment networks. Place all door controllers on a dedicated, strictly filtered VLAN. Allow communication only with authorized management servers and block lateral traffic from enterprise workstations and visitor networks.

Near term (weeks)

  • Disable Pro Mode. Dragos and Johnson Controls both recommend running controllers in “Ultra Mode” rather than the legacy “Pro Mode,” which may expose additional services.
  • Harden remote management. If remote access is unavoidable, require a VPN with multi‑factor authentication, limit session durations, and log every action. Disable the web UI when not actively being used for maintenance.
  • Rotate all credentials. Change any default or shared passwords immediately. Enforce strong, unique credentials per controller, and audit account lists to remove unnecessary administrative users.

Physical controls and process (30–90 days)

  • Lock down cabinets. Ensure all controller enclosures are in locked rooms or cabinets with controlled key access. Add tamper sensors that trigger alarms on unauthorized opening.
  • Disable or protect alternate consoles. Where firmware allows, disable the serial console, password‑protect U‑Boot, and restrict USB keyboard behavior. If the bootloader cannot be secured, treat the device as physically compromised and air‑gap it.
  • Intensify logging and monitoring. Centralize logs from all controllers, firewalls, and authentication systems. Automate alerts for anomalous door events (unexpected unlocks, policy changes), repeated failed admin logins, and any occurrence of shell metacharacters in web requests or console activity.
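As an added example (not vendor or CISA code), the Python below expresses two of the alert conditions from the monitoring step over web access-log lines: shell metacharacters in decoded request parameters, and a burst of failed admin logins from one source. The log format, the /login path and the three-failures-in-five-minutes threshold are assumptions, and the sample lines are constructed.

```python
"""Alert rules from the monitoring step: shell metacharacters in requests to a controller's
management UI, and bursts of failed admin logins. Added example, not vendor or CISA code;
the log format, the /login path and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SHELL_META = set(";|&`$<>\n")   # syntax that makes input more than a literal argument to a shell
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
LOG_RE = re.compile(r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$')

def parse_line(line):
    """Parse one access-log line in the assumed format; return None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec

def has_shell_metacharacters(path):
    """Inspect decoded query values, not the raw URL (where '&' and '=' are separators); decode twice so %253B reads as ';' too."""
    values = [v for _, v in parse_qsl(urlsplit(path).query, keep_blank_values=True)]
    return any(ch in SHELL_META for v in values for ch in unquote_plus(v))

def analyse(lines):
    """Return (rule, source, detail) alerts for the given log lines."""
    alerts, failures = [], defaultdict(list)   # failures: src -> recent failed-login timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if has_shell_metacharacters(rec["path"]):
            alerts.append(("shell-metachar", rec["src"], rec["path"]))
        if rec["path"].startswith("/login") and rec["status"] in (401, 403):
            recent = failures[rec["src"]]
            recent.append(rec["ts"])
            recent[:] = [t for t in recent if rec["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("failed-login-burst", rec["src"], f"{len(recent)} failures in 5 min"))
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not output from a real controller
    '10.20.5.7 [2025-08-12T09:00:01] "POST /login HTTP/1.1" 401',
    '10.20.5.7 [2025-08-12T09:00:09] "POST /login HTTP/1.1" 401',
    '10.20.5.7 [2025-08-12T09:00:15] "POST /login HTTP/1.1" 401',
    '10.20.5.7 [2025-08-12T09:01:30] "GET /cfg?name=door7%3Becho HTTP/1.1" 200',
    '10.20.9.3 [2025-08-12T09:02:00] "GET /status HTTP/1.1" 200',
]
```

Running `analyse(SAMPLE_LOG)` yields one failed-login-burst alert and one shell-metachar alert, both for 10.20.5.7; the ordinary /status request produces nothing.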

Long term (3–12 months)

  • Replace end‑of‑service hardware. With the iSTAR Ultra nearing its sunset date, accelerate migration to modern controllers that support signed firmware updates, encrypted communications, and robust bootloader protections.
  • Maintain asset hygiene. Continually update an inventory of all controllers, firmware versions, and network reachability. This mapping is essential for prioritizing patches and for incident response.

Assessing the Vendor Response: Strengths and Lingering Gaps

Johnson Controls’ handling of the disclosure has been a mixed bag. On the positive side, the company coordinated with CISA, published explicit security advisories, and delivered a firmware update — 6.9.3 — that directly closes the most critical command injection hole. The availability of CISA’s advisory also accelerates awareness across the ICS community.

However, several of the documented weaknesses are architectural in nature. A bootloader that lacks industry‑standard protections, a signing key baked into firmware, and physical interfaces that offer unrestricted root access are design flaws, not one‑off coding mistakes. These cannot be completely eradicated by an incremental patch; they demand a hardware redesign. For the iSTAR Ultra, the impending end‑of‑service date means that such a redesign will never come — only replacement will eliminate the risks.

Physical access, the community analysis stresses, remains a systemic OT problem. Even the most tightly segmented network offers no protection against an attacker who can walk up to a controller and plug in a serial cable. Organizations must recognize that their cyber and physical security teams now share a single threat surface.

Finally, there is an operational friction that plagues OT environments: taking a door controller offline for a firmware update is often seen as riskier than leaving a vulnerability in place. That mindset must change. The cost of a few hours of scheduled downtime pales in comparison to a breach that results in stolen assets, safety incidents, or a complete loss of building access control.

The Call to Action Is Unambiguous

The iSTAR Ultra advisory is not another patch‑Tuesday notice. It describes a set of interconnected flaws that, if left unaddressed, could allow an adversary to walk through locked doors as if they had the keys. The immediate fix — upgrading to firmware 6.9.3 or newer — is straightforward for most deployments and should be executed without delay. For devices that cannot be patched, aggressive network isolation and physical lockdown are the only viable stopgaps until replacement hardware can be deployed.

Physical access control systems have crossed the IT/OT divide; they are now a first‑class cybersecurity target. The teams responsible for them must respond with the same speed and rigor that they would apply to a critical server vulnerability. Johnson Controls has provided the tools; it is up to the defenders to use them before the attackers do.