ICSA-25-338-04  ·  Published 2025-12-04  ·  View on CISA ICS-CERT ↗

Johnson Controls iSTAR

CVSS 6.5 MEDIUM

Risk Summary

Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires.

CVEs (1)

Remediations

  • Johnson Controls recommends the following mitigations:
    • Host-based certificates using TLS 1.2:
      • Quickest solution
      • No upgrade required to specific C•CURE or iSTAR software/firmware versions
      • Requires downloading a new certificate to all iSTAR panels simultaneously, resulting in a brief system downtime
    • Convert encryption mode to TLS 1.3, per cluster:
      • Requires firmware 6.9.0 or higher, and C•CURE 9000 v2.90 SP3 or higher
      • Enables phased implementation by cluster, minimizing disruption
      • Note: TLS 1.3 is not supported on iSTAR eX, iSTAR Edge, and iSTAR Ultra LT panels
    • Upgrade legacy panels to new G2 hardware:
      • Recommended for smaller systems due to time constraints
      • Applies primarily to iSTAR eX, iSTAR Edge, and iSTAR LT panels
  • Johnson Controls strongly encourages users to work with their Software House integrators to audit their systems and determine the most appropriate course of action. Johnson Controls' technical support team provides extensive documentation and instructional videos on the Support Portal, and hosts ongoing webinars covering both host-based certificate implementation and TLS 1.3 migration.
  • For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2025-12 at the following location: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

Affected Vendors

Johnson Controls Inc.

Affected Products (5)

Johnson Controls Inc. · iSTAR eX <TLS_1.2
Johnson Controls Inc. · iSTAR Edge <TLS_1.2
Johnson Controls Inc. · iSTAR Ultra LT (if in TLS 1.2) <TLS_1.2
Johnson Controls Inc. · iSTAR Ultra (if in TLS 1.2) <TLS_1.2
Johnson Controls Inc. · iSTAR Ultra SE (if in TLS 1.2) <TLS_1.2

Affected Sectors

Commercial Facilities, Critical Manufacturing, Energy, Government Services and Facilities, Transportation Systems
