Executive Summary
In January 2026, Johnson Controls Inc. disclosed a significant vulnerability (CVE-2025-26386) affecting its iSTAR Configuration Utility (ICU) tool, versions up to 6.9.7. The issue, a stack-based buffer overflow, could be exploited by a remote attacker, potentially causing a failure in the operating system hosting the ICU tool. Although there have been no reported cases of active exploitation as of the disclosure, the vulnerability poses a risk to critical infrastructure sectors—including commercial facilities, energy, and government services—where the affected product is widely deployed.
Security researchers at Tenable responsibly reported the flaw to CISA, who published the advisory. The disclosure comes against a backdrop of increasing attention to the cybersecurity of operational technology (OT) in industrial and critical infrastructure, with regulators and operators emphasizing timely patching and network segmentation to prevent lateral movement and operational disruption.
Why This Matters Now
This vulnerability highlights persistent exposure risks in operational technology environments, where legacy components can become high-value targets for attackers. With OT security incidents on the rise, organizations must prioritize timely updates, network isolation, and proactive monitoring to prevent exploitation that could jeopardize safety, continuity, and regulatory compliance.
Attack Path Analysis
In the attack path modeled for this advisory (no active exploitation had been reported as of disclosure), an attacker exploits the stack-based buffer overflow (CVE-2025-26386) in the Johnson Controls iSTAR Configuration Utility (ICU) tool to gain initial access to the target system. After compromising the application, the attacker seeks to escalate privileges in order to execute arbitrary code. With heightened privileges, the attacker can attempt lateral movement within the internal network, targeting adjacent systems, and establish command and control over outbound network connections to remotely manage the compromised host. Where possible, the attacker may exfiltrate sensitive configuration data or credentials. Ultimately, the exploitation leads to service disruption or denial of service, affecting the OS and the critical application hosting environment.
Kill Chain Progression
Initial Compromise
Description
An attacker exploits the stack-based buffer overflow vulnerability (CVE-2025-26386) remotely, leveraging network exposure of the ICU tool.
Related CVEs
CVE-2025-26386
CVSS: 7.1
A stack-based buffer overflow vulnerability in the iSTAR Configuration Utility (ICU) tool allows an attacker to cause a failure within the operating system of the machine hosting the ICU tool.
Affected Products:
Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool – <=6.9.7
Exploit Status:
no public exploit
CVE-2025-26383
CVSS: 6.3
The iSTAR Configuration Utility (ICU) tool leaks memory, which could result in the unintended exposure of unauthorized data from the Windows PC that ICU is running on.
Affected Products:
Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool – <6.9.5
Exploit Status:
no public exploit
CVE-2025-26382
CVSS: 9.3
Under certain circumstances, the iSTAR Configuration Utility (ICU) tool could have a buffer overflow issue.
Affected Products:
Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool – <6.9.5
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
User Execution
Exploitation for Privilege Escalation
Endpoint Denial of Service
Exploitation of Remote Services
Exploit Public-Facing Application
Impair Defenses
Command and Scripting Interpreter
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Commonly Exploited Vulnerabilities
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Asset Inventory and Vulnerability Management
Control ID: Device - Asset Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Commercial Real Estate
Stack-based buffer overflow in Johnson Controls iSTAR Configuration Utility threatens building access control systems, requiring immediate updates to prevent operational failures.
Critical Manufacturing
Manufacturing facilities using Johnson Controls access systems face a high-severity vulnerability that enables system compromise and potential production disruption through buffer overflow attacks.
Oil/Energy/Solar/Greentech
Energy sector infrastructure relying on Johnson Controls security systems is vulnerable to remote exploitation that can cause operational system failures and facility access disruptions.
Government Administration
Government facilities using affected iSTAR configuration tools face critical security risks requiring immediate patching to prevent unauthorized access and system compromise.
Sources
- Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool: https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-04
- Product Security Advisory JCI-PSA-2025-06: https://www.johnsoncontrols.com/-/media/project/jci-global/johnson-controls/us-region/united-states-johnson-controls/cyber-solutions/security-advisories/documents/jci-psa-2025-06.pdf
- Product Security Advisory JCI-PSA-2025-04: https://www.johnsoncontrols.com/-/media/project/jci-global/johnson-controls/us-region/united-states-johnson-controls/cyber-solutions/security-advisories/documents/jci-psa-2025-04.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF and Zero Trust controls such as inline IPS, Zero Trust Segmentation, east-west traffic security, and egress policy enforcement would have significantly reduced the attack surface, contained lateral movement, and detected or blocked exploit and exfiltration attempts even if the application was vulnerable.
Control: Inline IPS (Suricata)
Mitigation: Exploit traffic is detected and blocked at the network perimeter.
Control: Zero Trust Segmentation
Mitigation: Workload access is tightly limited, reducing available privilege escalation paths.
Control: East-West Traffic Security
Mitigation: Unauthorized lateral communications are detected and blocked.
Control: Multicloud Visibility & Control
Mitigation: Anomalous outbound connections are detected and alerted in near real-time.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound data transfers are blocked or flagged.
Attack progression is rapidly detected and contained.
Impact at a Glance
Affected Business Functions
- Access Control Management
Estimated downtime: 2 days
Estimated loss: $50,000
Potential exposure of sensitive access control configurations and user credentials due to memory leak vulnerability.
Recommended Actions
Key Takeaways & Next Steps
- Immediately upgrade the ICU tool to the vendor-fixed version and monitor for attempted exploits.
- Deploy inline IPS and egress policy enforcement to detect and stop CVE-based attacks at the perimeter.
- Implement Zero Trust Segmentation and east-west traffic security to contain attackers and prevent lateral movement across critical workloads.
- Enhance visibility and anomaly detection to rapidly identify suspicious outbound connections and stop data exfiltration attempts.
- Continuously review and test security controls for emerging vulnerabilities and ensure maintenance of least privilege access across all systems.