Executive Summary
In December 2025, Johnson Controls publicly disclosed critical vulnerabilities (CVE-2025-43873 and CVE-2025-43874) affecting several versions of its iSTAR Ultra and Edge G2 door controllers used in building automation across critical infrastructure sectors worldwide. These OS Command Injection flaws, exploitable remotely with low attack complexity and minimal user interaction, could allow attackers to gain full control of vulnerable devices, modify firmware, and potentially disrupt or compromise secure building environments. The vulnerabilities were responsibly reported by Reid Wightman of Dragos, and patches have been made available for affected products.
This incident highlights increasing threats targeting operational technology (OT) in critical sectors, as cybercriminals and nation-state actors leverage software supply chain and device-level weaknesses for initial access. The prevalence of command injection vulnerabilities, coupled with rising demands for segmentation and zero trust architectures, elevates the urgency for organizations to update OT and IoT assets and enforce proactive defense strategies.
Why This Matters Now
Industrial control devices are increasingly targeted by sophisticated attackers aiming to exploit unpatched vulnerabilities with high business impact. The Johnson Controls incident underscores the importance of urgently patching connected OT systems, segmenting networks, and enforcing secure remote access, especially as regulatory scrutiny mounts and attackers exploit simple yet devastating vulnerabilities across critical infrastructure.
Attack Path Analysis
An attacker could remotely exploit the OS command injection vulnerabilities in exposed iSTAR Ultra controllers to gain device-level code execution. From that foothold, the attacker escalates privileges to full control of the device operating system, then attempts to move laterally into the internal network or to other controllers. A command and control channel is established to maintain persistent access and issue further malicious commands, and sensitive data or device configurations can be exfiltrated over outbound traffic. Finally, the attacker can modify firmware, disrupt operations, or lock out legitimate users, causing business impact.
Kill Chain Progression
Initial Compromise
Description
Adversary exploited a remotely accessible OS command injection vulnerability in iSTAR Ultra devices to gain initial execution.
Related CVEs
CVE-2025-43873
CVSS 8.8
An OS command injection vulnerability in Johnson Controls iSTAR Ultra series door controllers allows authenticated attackers to execute arbitrary commands with root privileges.
Affected Products:
Johnson Controls iSTAR Ultra – < 6.9.7.CU01
Johnson Controls iSTAR Ultra SE – < 6.9.7.CU01
Johnson Controls iSTAR Ultra LT – < 6.9.7.CU01
Johnson Controls iSTAR Ultra G2 – < 6.9.3
Johnson Controls iSTAR Ultra G2 SE – < 6.9.3
Johnson Controls iSTAR Edge G2 – < 6.9.3
Exploit Status:
no public exploit
CVE-2025-43874
CVSS 8.8
An OS command injection vulnerability in Johnson Controls iSTAR Ultra series door controllers allows authenticated attackers to execute arbitrary commands with root privileges.
Affected Products:
Johnson Controls iSTAR Ultra – < 6.9.7.CU01
Johnson Controls iSTAR Ultra SE – < 6.9.7.CU01
Johnson Controls iSTAR Ultra LT – < 6.9.7.CU01
Johnson Controls iSTAR Ultra G2 – < 6.9.3
Johnson Controls iSTAR Ultra G2 SE – < 6.9.3
Johnson Controls iSTAR Edge G2 – < 6.9.3
Exploit Status:
no public exploit
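Both CVEs above are OS command injection flaws: untrusted input reaches a shell and is parsed as part of a command line. The following Python example is added here to show the defect class beside its fix; it is not code from Johnson Controls firmware or from either advisory, and the diagnostic `ping` endpoint, the `host` parameter and the sample inputs are constructed assumptions. The unsafe builder only returns the string a shell would see, so the contrast is visible without executing anything.

```python
import ipaddress
import re
import subprocess
from typing import List

# Allow-list for a hostname: RFC 1123 style labels (alphanumerics and hyphens,
# no leading or trailing hyphen, 1..63 chars each). Nothing a shell treats
# specially (';', '|', '&', '$', '`', quotes, whitespace) can match this.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_valid_host(value: str) -> bool:
    """Allow-list check: accept only an IPv4 address or a plain hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(value) is not None


def build_shell_command_unsafe(host: str) -> str:
    """The vulnerable pattern (returned, never executed here): the parameter is
    spliced into a string that a shell would parse, so any metacharacter in
    `host` becomes part of the command line with the daemon's privileges."""
    return "ping -c 1 " + host


def build_argv_safe(host: str) -> List[str]:
    """The hardened pattern: validate first, then pass the value as one argv
    element. With no shell in the path, metacharacters are just bytes."""
    if not is_valid_host(host):
        raise ValueError("rejected host parameter")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str) -> int:
    """Run the hardened form: explicit argv, shell=False, bounded runtime."""
    completed = subprocess.run(build_argv_safe(host), shell=False,
                               capture_output=True, timeout=10, check=False)
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: two legitimate values and one carrying a shell separator.
    for candidate in ("192.0.2.10", "controller-01.example.internal",
                      "192.0.2.10; echo injected"):
        print(f"{candidate!r:40} unsafe string: {build_shell_command_unsafe(candidate)!r}")
        try:
            print(f"{'':40} safe argv:     {build_argv_safe(candidate)}")
        except ValueError as exc:
            print(f"{'':40} safe argv:     rejected ({exc})")
```

The fix has two independent layers: the allow-list rejects anything that is not a host, and the argv form means that even a value which slipped past validation would reach `ping` as a single argument rather than a shell. On a device where the service runs as root, as the advisories describe, the second layer is the one that removes the root-shell outcome entirely.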
MITRE ATT&CK® Techniques
Indirect Command Execution
Windows Management Instrumentation
Command and Scripting Interpreter
Valid Accounts
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Prevention of Commonly Exploited Vulnerabilities
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 8(2)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Device Security and Patch Management
Control ID: Pillar: Devices – Control 2
NIS2 Directive – Vulnerability Handling and Disclosure
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Critical Manufacturing
Johnson Controls iSTAR Ultra door controllers with OS command injection vulnerabilities enable attackers to gain full device control, compromising facility access security systems.
Commercial Real Estate
Building access control systems vulnerable to remote exploitation allowing unauthorized entry, firmware modification, and complete compromise of physical security infrastructure across properties.
Government Administration
Government facilities using affected iSTAR Ultra controllers face critical security risks from remotely exploitable OS command injection enabling full device takeover and facility access.
Energy
Energy sector facilities utilizing Johnson Controls door controllers vulnerable to command injection attacks that could compromise physical security and enable unauthorized infrastructure access.
Sources
- Johnson Controls iSTAR Ultra (CISA ICS advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-02 [Verified]
- Johnson Controls Product Security Advisory JCI-PSA-2025-11: https://www.johnsoncontrols.com/-/media/project/jci-global/johnson-controls/us-region/united-states-johnson-controls/cyber-solutions/security-advisories/documents/jci-psa-2025-11.pdf [Verified]
- Johnson Controls Product Security Advisory JCI-PSA-2025-13: https://www.johnsoncontrols.com/-/media/project/jci-global/johnson-controls/us-region/united-states-johnson-controls/cyber-solutions/security-advisories/documents/jci-psa-2025-13.pdf [Verified]
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west isolation, and real-time network enforcement would have significantly constrained each attack phase: limiting initial exposure, blocking lateral movement, identifying anomalous behavior, and preventing unauthorized outbound data flows.
Control: Cloud Firewall (ACF)
Mitigation: Direct external-to-device exploits would be blocked by strict perimeter controls.
Control: Threat Detection & Anomaly Response
Mitigation: Unusual privilege escalation actions are rapidly identified for incident response.
Control: Zero Trust Segmentation
Mitigation: Host-to-host movement is restricted by least privilege networking policies.
Control: Inline IPS (Suricata)
Mitigation: Known C2 and exploit patterns are detected and disrupted in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound data flows are blocked or flagged.
Rapid detection and response to destructive or unauthorized device changes.
Impact at a Glance
Affected Business Functions
- Physical Security
- Access Control Systems
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive access control configurations and logs.
Recommended Actions
Key Takeaways & Next Steps
- Enforce strict perimeter firewall and segmentation for all control system devices to block unauthorized external access.
- Deploy zero trust segmentation and least privilege policies to prevent lateral movement between workloads and ICS assets.
- Enable inline threat detection and anomaly response to detect privilege escalation and command injection activity early.
- Apply strict egress filtering to block unauthorized outbound connections and data exfiltration attempts.
- Increase centralized multicloud visibility and real-time monitoring of ICS network traffic and controller behavior.
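The segmentation, east-west isolation and egress controls listed under the CNSF mitigations and in the takeaways above can be expressed as a small first-match policy and checked against observed flows. The Python example below is added here for that purpose; it is not code from the advisories or from any CNSF product, and the VLAN layout (a controller VLAN, one management server, a workstation VLAN), the rule set and the sample flows are all constructed assumptions. Each sample flow corresponds to one phase of the attack path described earlier, and the audit returns the flows the policy would block, which are also the events worth alerting on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed network layout (an assumption for this example, not from the advisory):
#   10.10.50.0/24   door-controller VLAN holding the iSTAR-class devices
#   10.10.20.5      the access-control management server
#   10.10.30.0/24   general user workstations
# First matching rule wins; anything unmatched falls through to an implicit deny.
POLICY: List[Rule] = [
    Rule("mgmt-to-controllers-https", "10.10.20.5/32", "10.10.50.0/24", "tcp", 443, "allow"),
    Rule("controllers-to-mgmt-https", "10.10.50.0/24", "10.10.20.5/32", "tcp", 443, "allow"),
    Rule("no-controller-east-west", "10.10.50.0/24", "10.10.50.0/24", "any", None, "deny"),
    Rule("controllers-no-egress", "10.10.50.0/24", "0.0.0.0/0", "any", None, "deny"),
    Rule("default-deny-inbound", "0.0.0.0/0", "10.10.50.0/24", "any", None, "deny"),
]


def _matches(rule: Rule, flow: Flow) -> bool:
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule matching the flow."""
    for rule in policy:
        if _matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


def audit(flows: List[Flow], policy: List[Rule] = POLICY) -> List[Tuple[Flow, str]]:
    """Return the flows the policy blocks, each with the rule that blocks it.
    Run over an observed flow log, these are the candidate alerts."""
    blocked = []
    for flow in flows:
        action, name = evaluate(flow, policy)
        if action == "deny":
            blocked.append((flow, name))
    return blocked


# Constructed sample flows, one per attack path phase described above.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.10.20.5", "10.10.50.12", "tcp", 443),     # legitimate management session
    Flow("10.10.30.77", "10.10.50.12", "tcp", 80),     # workstation reaching a controller directly
    Flow("10.10.50.12", "10.10.50.13", "tcp", 22),     # controller to controller (lateral movement)
    Flow("10.10.50.12", "198.51.100.9", "tcp", 4444),  # controller calling out (C2 / exfiltration)
]

if __name__ == "__main__":
    for flow, rule in audit(SAMPLE_FLOWS):
        print(f"BLOCK {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  ({rule})")
```

The ordering matters: the two allow rules are the only paths into or out of the controller VLAN, and everything after them is a deny, so adding a new permitted flow means adding an explicit rule rather than loosening a deny. A real enforcement point is stateful and also handles return traffic; this evaluator only models the initiating direction, which is enough to check that an initial exposure, a lateral hop and an outbound channel would each hit a deny.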