ICSA-25-345-01 · Published 2025-12-11
Johnson Controls iSTAR
CVSS 8.8 (HIGH)
Risk Summary
Successful exploitation of these vulnerabilities could result in unauthorized access to the device.
CVEs (2)
Remediations
Johnson Controls recommends users complete the following actions to address these issues:
- Upgrade iSTAR Ultra and iSTAR Ultra SE to version 6.9.7.CU01 or greater.
- Upgrade iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 to version 6.9.3 or greater.
- For detailed mitigation instructions, see the Johnson Controls Product Security Advisories JCI-PSA-2025-14 and JCI-PSA-2025-15. Johnson Controls recommends implementing measures to minimize risks to all building automation systems.
- Further ICS security notices and product security guidance are located at the Johnson Controls product security website.
- Contact Johnson Controls Global Product Security.
Affected Vendors
Johnson Controls Inc.
Affected Products (5)
- Johnson Controls Inc. · iSTAR Ultra · <6.9.7.CU01
- Johnson Controls Inc. · iSTAR Ultra SE · <6.9.7.CU01
- Johnson Controls Inc. · iSTAR Ultra G2 · <6.9.3
- Johnson Controls Inc. · iSTAR Ultra G2 SE · <6.9.3
- Johnson Controls Inc. · iSTAR Edge G2 · <6.9.3
Affected Sectors
Commercial Facilities, Critical Manufacturing, Energy, Government Services and Facilities, Transportation Systems