Johnson Controls iSTAR

Published:

11 December 2025 at 12:00:00

Alert date:

11 December 2025 at 21:05:27

Source:

cisa.gov

CISA advisory for Johnson Controls iSTAR access control systems containing two command injection vulnerabilities (CVE-2025-43875 and CVE-2025-43876) with CVSS scores of 8.7-8.8. Both vulnerabilities involve improper neutralization of special elements in OS commands, allowing remote attackers with low privileges to gain unauthorized access. Affects multiple iSTAR product lines including Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 versions. Exploitation could result in complete device compromise with high impact to confidentiality, integrity, and availability. Johnson Controls has released patches and recommends immediate upgrades to version 6.9.7.CU01 or 6.9.3 depending on product line.

Technical details

OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs, which could lead to significant disruption or damage to connected systems. The vulnerability is exploitable remotely with high attack complexity. It has a CVSS v3 base score of 8.0 and a CVSS v4 base score of 7.0.

Mitigation steps:

Update OpenPLC_V3 to pull request #310 or later from the main GitHub repository.
Minimize network exposure for all control system devices, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods such as Virtual Private Networks (VPNs).
Perform proper impact analysis and risk assessment prior to deploying defensive measures.
Implement recommended cybersecurity strategies for proactive defense of ICS assets.
Report suspected malicious activity to CISA.

Affected products:

OpenPLC_V3: Versions prior to pull request #310

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.