Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 (Update A)

Risk Summary

Successful exploitation of these vulnerabilities may allow an attacker to modify firmware and access the space that is protected by the device.

CVEs (6)

Remediations

• Johnson Controls made firmware version 6.9.3 available in 2024 to fix CVE-2025-53695 and lower the risk of exploitation for CVE-2025-53696, CVE-2025-53697, and CVE-2025-53700.
• Johnson Controls recommends users upgrade iStar Ultra and Ultra SE door controllers to version 6.9.8 to protect for cases where the attacker has physical access to the door controller.
• According to Johnson Controls, the iSTAR Ultra is an older device that has a planned end of service date within a year from this publication. Johnson Controls recommends users consider upgrading to a newer control unit. The hardware installation manual for iSTAR Ultra requires all control units be installed in a restricted access, protected area to lower the risk of physical tampering.
• For more detailed mitigation instructions, see Johnson Controls Product Security Advisory JCI-PSA-2025-10.
• For assistance and additional information, contact Johnson Controls Trust Center.
• Dragos recommends end users place the following network restrictions around iSTAR controllers, regardless of model or firmware version:
• Pro Mode on iSTAR Ultra and iSTAR Ultra door controllers should be disabled. Use "Ultra Mode."

Affected Vendors

Affected Products (10)

Affected Sectors

Critical Manufacturing