ICSA-25-146-01  ·  Published 2025-05-27

Johnson Controls iSTAR Configuration Utility (ICU) tool

CVSS 7.4 HIGH

Risk Summary

Successful exploitation of this vulnerability may allow an attacker to gain access to memory leaked from the ICU. This utility is only used to configure products that are no longer manufactured or supported. ICU is not used to configure the iSTAR Ultra and the current iSTAR G2 series of controllers. Furthermore, this vulnerability only impacts ICU and the Windows PC it is running on. This vulnerability does not impact iSTARs, including the legacy iSTARs.

CVEs (1)

Remediations

  • Johnson Controls recommends users update ICU to Version 6.9.5 or greater.
  • For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2025-06.
  • For assistance and additional information, please contact Johnson Controls Trust [email protected]

Affected Vendors

Johnson Controls Inc.

Affected Products (1)

Johnson Controls Inc. · ICU <6.9.5

Affected Sectors

Commercial Facilities, Critical Manufacturing, Energy, Government Services and Facilities, Transportation Systems
