Executive Summary
In December 2025, Johnson Controls disclosed a vulnerability (CVE-2025-61736) affecting its iSTAR series access control panels. The flaw, classified as improper validation of certificate expiration (CWE-298), causes affected panels to lose communication with their C•CURE Server once the factory default certificate expires and the panel cannot re-establish a trusted session. It affects older panel firmware that negotiates TLS versions prior to 1.2 and is deployed across multiple critical infrastructure sectors worldwide. The consequence is operational: a panel that drops off the management server stops receiving updates and reporting events, so the exposure is loss of availability rather than disclosure of data. No public exploitation has been reported, but because the trigger is a calendar date rather than an attacker, mitigation before the default certificate's expiry is necessary to prevent outages.
This incident highlights the ongoing importance of robust certificate lifecycle management and timely firmware upgrades in the face of tightening compliance demands and evolving threat landscapes. With operational technology environments increasingly targeted, organisations must retire outdated TLS versions and track the expiry dates of device certificates to maintain business continuity and regulatory alignment.
Why This Matters Now
As legacy OT and IoT systems remain widespread in critical sectors, vulnerabilities tied to outdated protocols and weak certificate management present urgent operational and regulatory risks. The Johnson Controls incident underlines the need for proactive refresh cycles and strong crypto hygiene as attackers, auditors, and regulators alike place greater scrutiny on access control infrastructures.
Attack Path Analysis
The impact established by the advisory is loss of availability: once the default certificate expires, an affected iSTAR controller cannot re-establish its TLS session with the C•CURE Server, and the management link between panel and server is cut. The stages below describe a hypothetical chain in which an adversary who already has a foothold on a flat access-control network takes advantage of that outage. Lacking proper segmentation, such an attacker could attempt to impersonate the unreachable panel or intercept panel-to-server traffic, move laterally to adjacent control systems through unrestricted east-west paths and, if unmonitored, establish covert command-and-control channels or push malformed data outward. The end state in either case is disruption or denial of service of the physical access control function while the controllers and management server are unable to talk to each other.
Kill Chain Progression
Initial Compromise
Description
The weakness is improper validation of certificate expiration (CWE-298): panels shipped with a default certificate cannot re-establish a trusted session with the C•CURE Server once that certificate expires. The direct effect is disruption of trusted session establishment and loss of the management link. The advisory does not establish that the flaw by itself grants unauthorized network access; the remaining stages assume an attacker who already reaches the panel network and uses the outage as cover.
Related CVEs
CVE-2025-61736
CVSS 6.5 – Improper validation of certificate expiration in Johnson Controls iSTAR products may prevent re-establishing communication upon certificate expiry.
Affected Products:
Johnson Controls iSTAR eX – All versions prior to TLS 1.2
Johnson Controls iSTAR Edge – All versions prior to TLS 1.2
Johnson Controls iSTAR Ultra LT – All versions prior to TLS 1.2
Johnson Controls iSTAR Ultra – All versions prior to TLS 1.2
Johnson Controls iSTAR Ultra SE – All versions prior to TLS 1.2
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Adversary-in-the-Middle
Develop Capabilities: Malware
Exploit Public-Facing Application
Impair Defenses: Disable or Modify Tools
Endpoint Denial of Service: Network Denial of Service
Data Manipulation: Transmitted Data Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Use Strong Cryptography for Authentication
Control ID: 8.4.2
NIS2 Directive – Security of Network and Information Systems
Control ID: Art. 21(2)(d)
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA (Digital Operational Resilience Act) – ICT Security Policies and Procedures
Control ID: Article 9(2)(b)
CISA ZTMM 2.0 – Certificate Lifecycle Management
Control ID: Control 3.2
Sector Implications
Industry-specific impact of the vulnerability, including operational, regulatory, and cloud security risks.
Commercial Facilities
Physical access control systems using Johnson Controls iSTAR face communication failures after certificate expiration, compromising building security and occupant safety management.
Critical Manufacturing
Manufacturing facilities relying on iSTAR access control systems risk operational disruption and security breaches when certificate validation failures disable facility protection systems.
Government Facilities
Government buildings using affected iSTAR systems may experience complete access control failure, creating security vulnerabilities for sensitive facilities and personnel protection.
Transportation
Transportation hubs and infrastructure using iSTAR access control face certificate-related system failures, potentially disrupting secure facility operations and passenger safety protocols.
Sources
- CISA ICS Advisory ICSA-25-338-04, Johnson Controls iSTAR: https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-04
- NVD, CVE-2025-61736: https://nvd.nist.gov/vuln/detail/CVE-2025-61736
- Johnson Controls Security Advisories: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, encrypted traffic enforcement, egress controls, and anomaly detection would constrain the hypothetical kill chain above by limiting who can reach the panel network, impeding lateral movement, and surfacing abnormal flows while panels are disconnected from the server. None of these controls renews an expired default certificate; they reduce the blast radius of the outage, while the firmware upgrade removes its cause.
Control: Encrypted Traffic (HPE)
Mitigation: Prevents interception or misuse of certificate-based sessions.
Control: Zero Trust Segmentation
Mitigation: Restricts privilege escalation to explicitly authorized identities only.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized lateral network flows.
Control: Threat Detection & Anomaly Response
Mitigation: Detects anomalous outbound command patterns and triggers incident response.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks exfiltration attempts via strict egress filtering and application-to-internet controls; limits blast radius and facilitates rapid isolation during active incidents.
Impact at a Glance
Affected Business Functions
- Access Control Systems
Estimated downtime: 2 days
Estimated loss: $50,000
No data exposure; potential for operational disruption due to communication failure.
Recommended Actions
Key Takeaways & Next Steps
- Inventory every iSTAR eX, Edge, Ultra, Ultra LT and Ultra SE panel, record the expiry date of each default certificate and the TLS version it negotiates, and follow the Johnson Controls advisory's upgrade guidance before that date; this is the only step that removes the cause of the outage.
- Implement line-rate encrypted traffic inspection (HPE) for all device-to-server connections so that sessions built on expired or misused certificates are visible and can be blocked.
- Enforce Zero Trust segmentation policies to strictly isolate critical ICS workloads and prevent unauthorized lateral movement.
- Apply continuous east-west traffic monitoring and anomaly detection across industrial control networks, and alert when a panel's session to the C•CURE Server drops.
- Deploy strict egress controls with FQDN filtering to block exfiltration and unauthorized outbound connections from control devices.
- Integrate CNSF inline threat prevention and automated policy enforcement to quickly detect and contain certificate- or communication-based attacks.
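The inventory step above is the one a practitioner actually has to script. The following Go program is an added example written for this page; it is not code from the CISA advisory, NVD or Johnson Controls. It classifies a panel certificate as expired, expiring within a warning window or healthy, flags a negotiated protocol below TLS 1.2 as being in the affected range, and, for live use, connects to a panel to read the certificate it presents without trusting it. The panel addresses, hostnames, dates and self-signed test certificates are constructed for illustration, and ProbePanel assumes the panel's management interface speaks TLS on the probed port, which this page does not state.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertStatus classifies a panel certificate relative to the time of the check.
type CertStatus string

const (
	StatusExpired  CertStatus = "EXPIRED"       // panel has most likely already lost its C•CURE link
	StatusExpiring CertStatus = "EXPIRING_SOON" // inside the warning window: schedule the upgrade now
	StatusOK       CertStatus = "OK"
)

// Classify compares NotAfter with now and a warning window. X.509 notAfter is inclusive,
// so a certificate counts as expired only once now is strictly after it.
func Classify(cert *x509.Certificate, now time.Time, warn time.Duration) CertStatus {
	switch {
	case now.After(cert.NotAfter):
		return StatusExpired
	case now.Add(warn).After(cert.NotAfter):
		return StatusExpiring
	}
	return StatusOK
}

// Finding is one row of the inventory report.
type Finding struct {
	Addr       string
	Subject    string
	NotAfter   time.Time
	Status     CertStatus
	TLSVersion uint16 // negotiated protocol, e.g. tls.VersionTLS10
	LegacyTLS  bool   // below TLS 1.2, i.e. in the range the advisory lists as affected
}

// Inspect builds a Finding from a leaf certificate and the negotiated protocol. It is kept
// separate from ProbePanel so it also runs offline on stored or constructed certificates.
func Inspect(addr string, cert *x509.Certificate, ver uint16, now time.Time, warn time.Duration) Finding {
	return Finding{
		Addr: addr, Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter,
		Status: Classify(cert, now, warn), TLSVersion: ver, LegacyTLS: ver < tls.VersionTLS12,
	}
}

// ProbePanel connects to a panel's TLS port, records the certificate it presents and the
// protocol it negotiates, then classifies the result. Verification is off on purpose: the
// aim is to observe an expired default certificate, not to trust it, and no application
// data is sent before the connection is closed. (Assumed port and protocol: see lead-in.)
func ProbePanel(addr string, now time.Time, warn time.Duration) (Finding, error) {
	cfg := &tls.Config{
		InsecureSkipVerify: true,             // inventory only; never copy into production clients
		MinVersion:         tls.VersionTLS10, // so legacy panels are reported rather than refused
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return Finding{Addr: addr}, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	if len(st.PeerCertificates) == 0 {
		return Finding{Addr: addr}, fmt.Errorf("%s: no certificate presented", addr)
	}
	return Inspect(addr, st.PeerCertificates[0], st.Version, now, warn), nil
}

// NewTestCert mints a self-signed certificate with a chosen validity window. It stands in
// for a panel's default certificate so the report can be exercised without hardware.
func NewTestCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2025, 12, 15, 0, 0, 0, 0, time.UTC) // constructed check time
	warn := 30 * 24 * time.Hour
	// Constructed sample panels; addresses, names, dates and protocol versions are illustrative.
	samples := []struct {
		addr, cn string
		notAfter time.Time
		ver      uint16
	}{
		{"10.10.1.11:443", "istar-ultra-lobby", now.Add(-48 * time.Hour), tls.VersionTLS10},
		{"10.10.1.12:443", "istar-edge-dock", now.Add(12 * 24 * time.Hour), tls.VersionTLS11},
		{"10.10.1.13:443", "istar-ultra-se-dc", now.Add(400 * 24 * time.Hour), tls.VersionTLS12},
	}
	for _, s := range samples {
		cert, err := NewTestCert(s.cn, now.Add(-365*24*time.Hour), s.notAfter)
		if err != nil {
			panic(err)
		}
		f := Inspect(s.addr, cert, s.ver, now, warn)
		fmt.Printf("%-16s %-18s notAfter=%s %-13s legacyTLS=%v\n",
			f.Addr, f.Subject, f.NotAfter.Format("2006-01-02"), f.Status, f.LegacyTLS)
	}
	// Live use: f, err := ProbePanel("10.10.1.11:443", time.Now(), warn)
}
```

Run the report on a schedule and treat EXPIRING_SOON with legacyTLS=true as the work queue for the firmware upgrade; a panel that already shows EXPIRED is one that will not come back on its own. The MinVersion of TLS 1.0 exists only so that the probe can report affected panels instead of refusing to talk to them; it must not be reused in any client that carries real traffic.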