A high-severity command injection vulnerability (CVE-2025-43876) has been disclosed in the web application of Johnson Controls iSTAR Ultra, Ultra SE, and Ultra G2 controllers; it requires an authenticated user. A successful exploit could allow an attacker to gain unauthorized access to the device and manipulate physical security settings.
Business Impact
This is a “Physical Security meets Cyber Security” risk. The iSTAR controllers manage door access and physical building security. Compromise here could allow an attacker to remotely unlock doors or disable physical alarms in high-security facilities, including data centers and corporate offices.
Why It Happened
The vulnerability exists in the `get8021xSettings` function, which passes user-supplied input into system commands without properly sanitizing it. This is a common flaw in legacy OT/ICS web interfaces.
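The flaw class described above (user-controlled settings concatenated into a shell command) is clearest next to its fix. What follows is an added, hypothetical Python illustration written for this post; it is not Johnson Controls code and not the real `get8021xSettings` implementation, and the parameter names (`interface`, `identity`) and the `wpa_cli` invocation are assumed for the sake of the example.

```python
import re
import subprocess

# Constructed, hypothetical 802.1X settings as a web handler might receive them.
# Not the real iSTAR parameter set; the patterns are strict allowlists.
IFACE_RE = re.compile(r"^[A-Za-z0-9]{1,15}$")         # e.g. eth0, wlan1
IDENTITY_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")  # EAP identity, no shell metacharacters


def vulnerable_command(interface: str, identity: str) -> str:
    """The flawed pattern: request fields dropped straight into a shell string.

    Any shell metacharacter in a field becomes part of the command line.
    """
    return f"wpa_cli -i {interface} set_network 0 identity {identity}"


def validate_settings(interface: str, identity: str) -> dict:
    """Allowlist validation: reject bad input instead of trying to escape it."""
    if not IFACE_RE.match(interface):
        raise ValueError("invalid interface name")
    if not IDENTITY_RE.match(identity):
        raise ValueError("invalid EAP identity")
    return {"interface": interface, "identity": identity}


def hardened_argv(interface: str, identity: str) -> list:
    """Validated fields passed as a discrete argv list, so no shell ever parses them."""
    s = validate_settings(interface, identity)
    return ["wpa_cli", "-i", s["interface"], "set_network", "0", "identity", s["identity"]]


def apply_settings(interface: str, identity: str) -> int:
    """Runs the hardened form with shell=False and returns the exit status."""
    return subprocess.run(hardened_argv(interface, identity), shell=False, check=False).returncode


def injection_attempted(interface: str, identity: str) -> bool:
    """Detection helper for web-interface request logs: True when a field fails the allowlist."""
    try:
        validate_settings(interface, identity)
    except ValueError:
        return True
    return False
```

The detection helper gives a simple log-review signal for controllers that cannot be patched immediately: any settings request that fails the allowlist is worth an alert.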
Recommended Executive Action
OT managers should immediately update affected Johnson Controls firmware to version 6.9.7.CU01 or 6.9.3. If patching is not possible today, ensure the management interface for these controllers is isolated to a secure, non-internet-facing management VLAN.
Hashtags: #JohnsonControls #OTSecurity #ICS #PhysicalSecurity #Vulnerability #CriticalInfrastructure #InfoSec
