ICSA-24-158-04 · Published 2025-07-29 · View on CISA ICS-CERT ↗

Johnson Controls Software House iStar Door Controller (Update A)

CVSS 9.1 CRITICAL

Risk Summary

Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to the iSTAR Pro door controller.

CVE-2024-32752

Johnson Controls recommends users replace the iSTAR Pro, Edge, and eX door controllers with current generation iSTAR door controllers, such as iSTAR Ultra G2 and Edge G2, which support proper authentication and prevent the ICU from making configuration changes. Ensure that iSTAR Ultra and Ultra LT door controllers are running firmware version 6.6.B or later.
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-06-v2
Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.
Further ICS security notices and product security guidance are located at Johnson Controls product security websiteOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

Johnson Controls Inc.

Johnson Controls Inc. · Software House iStar Pro, Edge and eX door controllers vers:all/*

Johnson Controls Inc. · Software House iStar Ultra and Ultra LT door controllers <Firmware_6.6.B

Johnson Controls Inc. · iSTAR Configuration Utility (ICU) Tool vers:all/*

Critical Manufacturing, Commercial Facilities, Government Services and Facilities, Transportation Systems, Energy

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.