Executive Summary
In December 2025, Johnson Controls disclosed two critical vulnerabilities (CVE-2025-43875, CVE-2025-43876) affecting its iSTAR Ultra and Edge G2 access control devices worldwide. These vulnerabilities—improper neutralization of special elements used in OS commands (CWE-78)—can be exploited remotely with low complexity and limited privileges, potentially granting attackers unauthorized access to devices deployed across critical sectors, including commercial facilities, manufacturing, energy, transportation, and government. There are currently no reports of active exploitation, but if leveraged, these flaws could compromise physical security and facility operations.
This incident underscores the persistent cybersecurity challenges in operational technology and building automation environments. The disclosure highlights an urgent need for regular patching, segregation of critical controls, and adoption of defensive measures, especially as threat actors increasingly target industrial and physical security systems with potentially far-reaching consequences.
Why This Matters Now
Such vulnerabilities in building automation devices, widely deployed in critical infrastructure, present immediate risks of unauthorized physical and logical access. As attacker interest in operational and industrial control systems grows, prompt mitigation is essential to prevent potential exploitation and major security breaches.
Attack Path Analysis
The following is a modeled attack path; as noted above, no exploitation has been reported. An attacker could exploit the remote command injection vulnerability in Johnson Controls iSTAR Ultra devices to gain an initial foothold. After compromise, the attacker would hold limited device-level privileges that could be abused further, and would likely attempt to move laterally within the building automation or connected networks in search of broader access. Command and control channels could then be established from compromised devices to the attacker's infrastructure, possibly over unencrypted or covert egress paths, and sensitive data or device configurations could be exfiltrated from the environment. Finally, the attacker could cause disruptive impact by issuing arbitrary system-level commands, potentially manipulating access controls or disrupting building operations.
Kill Chain Progression
Initial Compromise
Description
An authenticated attacker could exploit the improper neutralization of special elements in OS commands (CVE-2025-43875/43876) on internet-exposed iSTAR Ultra devices, remotely injecting malicious payloads to gain initial access.
Related CVEs
CVE-2025-43875
CVSS 8.8. An OS command injection vulnerability in Johnson Controls iSTAR Ultra series door controllers allows authenticated remote attackers to execute arbitrary commands.
Affected Products:
Johnson Controls iSTAR Ultra – < 6.9.7.CU01
Johnson Controls iSTAR Ultra SE – < 6.9.7.CU01
Johnson Controls iSTAR Ultra G2 – < 6.9.3
Johnson Controls iSTAR Ultra G2 SE – < 6.9.3
Johnson Controls iSTAR Edge G2 – < 6.9.3
Exploit Status:
no public exploit
CVE-2025-43876
CVSS 8.8. An OS command injection vulnerability in Johnson Controls iSTAR Ultra series door controllers allows authenticated remote attackers to execute arbitrary commands.
Affected Products:
Johnson Controls iSTAR Ultra – < 6.9.7.CU01
Johnson Controls iSTAR Ultra SE – < 6.9.7.CU01
Johnson Controls iSTAR Ultra G2 – < 6.9.3
Johnson Controls iSTAR Ultra G2 SE – < 6.9.3
Johnson Controls iSTAR Edge G2 – < 6.9.3
Exploit Status:
no public exploit
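As an added example (not from the advisory or from Johnson Controls), the following Python script triages a device inventory against the fixed firmware versions listed above, flagging controllers that still need the update. It assumes that a "CUnn" suffix such as in 6.9.7.CU01 denotes a cumulative update that sorts after the same base version; the hostnames and inventory values are constructed.

```python
import re

# Fixed firmware versions from the advisory; a device is affected below these.
FIXED_VERSIONS = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

# major.minor.patch with an optional cumulative-update suffix such as ".CU01"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """'6.9.7.CU01' -> (6, 9, 7, 1). Assumption (not stated on the page):
    a CU suffix sorts after the same base version, so 6.9.7 < 6.9.7.CU01."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu) if cu else 0)


def is_affected(model, firmware):
    """True when the model is listed and its firmware is below the fix."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return False  # model not covered by this advisory
    return parse_version(firmware) < parse_version(fixed)


def triage(inventory):
    """Rows (hostname, model, firmware, fixed_version) still needing the update."""
    return [(host, model, fw, FIXED_VERSIONS[model])
            for host, model, fw in inventory if is_affected(model, fw)]


# Constructed sample inventory: hostnames, models and versions are made up.
SAMPLE_INVENTORY = [
    ("door-ctl-01", "iSTAR Ultra", "6.9.7"),
    ("door-ctl-02", "iSTAR Ultra", "6.9.7.CU01"),
    ("door-ctl-03", "iSTAR Ultra G2", "6.9.2"),
    ("door-ctl-04", "iSTAR Edge G2", "6.9.3"),
    ("lobby-panel", "Other Controller", "1.0.0"),
]

if __name__ == "__main__":
    for host, model, fw, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} {fw} is below {fixed}; update required")
```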
MITRE ATT&CK® Techniques
User Execution
Command and Scripting Interpreter
Exploit Public-Facing Application
Valid Accounts
External Remote Services
Impair Defenses
Remote Services
System Information Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of system components after significant changes
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy Requirements
Control ID: 500.03
NIS2 Directive – Vulnerability management and reporting
Control ID: Article 21(2)(d)
CISA ZTMM 2.0 – Application Security Controls
Control ID: Pillar 3: Workload Security, Practice 3.2
DORA (Digital Operational Resilience Act) – ICT risk management requirements
Control ID: Article 9(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Commercial Facilities
Johnson Controls iSTAR building automation systems face critical command injection vulnerabilities enabling unauthorized device access and potential facility control compromise across commercial properties.
Critical Manufacturing
Manufacturing facilities using iSTAR systems are vulnerable to OS command injection attacks that allow unauthorized access to industrial control systems and could disrupt production.
Energy
Energy sector infrastructure using Johnson Controls iSTAR devices is exposed to remote command execution vulnerabilities that threaten operational technology security and grid stability controls.
Government Facilities
Government buildings with iSTAR automation systems face high-severity vulnerabilities enabling unauthorized access, compromising facility security controls and sensitive operational environments.
Sources
- Johnson Controls iSTAR (CISA ICS advisory ICSA-25-345-01): https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-01 (verified)
- Johnson Controls Security Advisories: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories (verified)
- NVD - CVE-2025-43875: https://nvd.nist.gov/vuln/detail/CVE-2025-43875 (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, granular network policy enforcement, encrypted east-west and egress flows, and inline anomaly detection could have prevented remote exploitation, restricted lateral attacker movement, and rapidly detected unauthorized command activity throughout the attack lifecycle.
Control: Zero Trust Segmentation
Mitigation: External attackers would be unable to directly reach exposed or sensitive devices.
Control: Threat Detection & Anomaly Response
Mitigation: Privileged misuse or command execution anomalies would trigger rapid detection and alerts.
Control: East-West Traffic Security
Mitigation: Lateral movement between critical devices is blocked or monitored.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound command-and-control connections are automatically blocked or flagged.
Control: Encrypted Traffic (HPE) & Cloud Firewall (ACF)
Mitigation: Unapproved data exfiltration is prevented and traffic is secured.
Rapid detection and containment of destructive actions.
Impact at a Glance
Affected Business Functions
- Physical Security Management
- Access Control Systems
Estimated downtime: 3 days
Estimated loss: $50,000
Potential unauthorized access to secure areas and sensitive data due to compromised access control systems.
Recommended Actions
Key Takeaways & Next Steps
- Apply Zero Trust segmentation to strictly isolate all control and building automation devices from direct internet or business network access.
- Enforce east-west microsegmentation to prevent unauthorized lateral movement between workloads and devices within operational networks.
- Enable egress filtering and inspection to block unauthorized outbound connections, preventing both C2 and exfiltration attempts.
- Deploy real-time anomaly detection to quickly identify and contain privilege escalation, unexpected administrative actions, or destructive commands.
- Mandate end-to-end encryption for all device communications, ensuring data in transit is protected from interception or manipulation.