ICSA-25-343-01  ·  Published 2026-03-05

Universal Boot Loader (U-Boot) (Update A)

CVSS 8.4 HIGH

Risk Summary

Successful exploitation of this vulnerability could result in arbitrary code execution.

CVEs (1)

Remediations

  • Konsulko, the third-party maintainer of U-Boot, recommends users upgrade to version v2025.4 or later and ensure the physical security of the device.
  • Qualcomm recommends that users with the affected chips contact support, referencing CVE-2025-24857, QPSIIR-1969 or CR4082905.
  • Johnson Controls recommends that users consider the following defensive measures: (1) Deploy Airwall in a physically secure location so an attacker can't plug in USB devices. (2) Restrict physical access to USB A ports (not the micro-USB console port, which is not affected) by sealing them with epoxy or a similar material. (3) For Airwall 75 gateways running U-Boot version 2017.03 and before (the version number is displayed on the console port as the Airwall gateway boots), install hotfix hf-3303 to update U-Boot. The hotfix can be downloaded from https://webhelp.tempered.io/content/topics/downloads_hotfixes.html#downloads_hotfixes__section_vw4_25x_13c
  • For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2026-04 at the following location: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

Affected Vendors

Johnson Controls, Qualcomm, U-Boot

Affected Products (9)

U-Boot · U-Boot <2017.11
Qualcomm · Chipset IPQ4019
Qualcomm · Chipset IPQ5018
Qualcomm · Chipset IPQ5322
Qualcomm · Chipset IPQ6018
Qualcomm · Chipset IPQ8064
Qualcomm · Chipset IPQ8074
Qualcomm · Chipset IPQ9574
Johnson Controls · Airwall AW-75 vers:all/*

Affected Sectors

Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Services and Facilities, Healthcare and Public Health, Information Technology, Transportation Systems, Water and Wastewater
