ICSA-25-114-05  ·  Published 2025-05-06

Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool

CVSS 9.8 CRITICAL

Risk Summary

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code.

CVEs (1)

Remediations

  • Johnson Controls recommends users upgrade ICU to Version 6.9.5 or greater.
  • For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2025-04.
  • Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

Affected Vendors

Johnson Controls Inc.

Affected Products (1)

Johnson Controls Inc. · ICU <6.9.5

Affected Sectors

Critical Manufacturing, Commercial Facilities, Government Services and Facilities, Transportation Systems, Energy
