Perceptive Security
SOC/SIEM Consultancy

Johnson Controls iSTAR Ultra
Published:
11 December 2025 at 12:00:00
Alert date:
11 December 2025 at 21:05:27
Source:
cisa.gov
Johnson Controls iSTAR Ultra door controllers are vulnerable to OS Command Injection (CVE-2025-43873 and CVE-2025-43874) with CVSS scores of 8.7-8.8. The vulnerabilities affect multiple iSTAR Ultra models and versions, allowing attackers to gain full device control and modify firmware. Successful exploitation could impact critical infrastructure across multiple sectors including energy, transportation, and government facilities. Patches are available with version 6.9.7.CU01 for Ultra/Ultra SE/Ultra LT models and version 6.9.3 for G2 models. The vulnerabilities are exploitable remotely with low attack complexity, making them particularly concerning for organizations using these access control systems.
Technical details
OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs, which could lead to significant disruption or damage to connected systems. The vulnerability is exploitable remotely with high attack complexity. The CVSS v3 base score is 8.0 and the CVSS v4 base score is 7.0.
Mitigation steps:
Update OpenPLC_V3 to pull request #310 or later from the main GitHub repository. Minimize network exposure for all control system devices, ensuring they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use secure methods such as Virtual Private Networks (VPNs). Perform proper impact analysis and risk assessment prior to deploying defensive measures. Implement recommended cybersecurity strategies for proactive defense of ICS assets. Report suspected malicious activity to CISA.
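As an added illustration of the missing check the advisory describes (not OpenPLC's own code), the Python sketch below contrasts a settings-update handler that trusts the session cookie alone with one that also validates a per-session synchronizer token; the in-memory session store, the settings dictionary and the handler names are constructed for this demo.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Constructed in-memory state for the demo (not OpenPLC's real session or settings code).
SESSIONS: Dict[str, Dict[str, str]] = {}            # session_id -> session data
SETTINGS: Dict[str, str] = {"modbus_port": "502"}   # PLC settings the handlers modify


def login_admin() -> str:
    """Simulate an administrator logging in: issue a session id and bind a
    fresh, unguessable CSRF token to that session (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate settings page embeds in its form as a hidden field."""
    return SESSIONS[sid]["csrf_token"]


def update_settings_vulnerable(sid: str, form: Dict[str, str]) -> int:
    """Before: a valid session is the only check, so any POST the browser
    sends with that cookie is applied, including one triggered by a page the
    attacker controls. Returns an HTTP-style status code."""
    if sid not in SESSIONS:
        return 401
    SETTINGS.update({k: v for k, v in form.items() if k != "csrf_token"})
    return 200


def update_settings_hardened(sid: str, form: Dict[str, str]) -> int:
    """After: the request must also carry the token bound to this session.
    A cross-site page cannot read the victim's token (same-origin policy), so
    a forged request is rejected. compare_digest avoids timing side channels."""
    if sid not in SESSIONS:
        return 401
    submitted = form.get("csrf_token", "")
    if not submitted or not hmac.compare_digest(submitted, SESSIONS[sid]["csrf_token"]):
        return 403
    SETTINGS.update({k: v for k, v in form.items() if k != "csrf_token"})
    return 200


def demo() -> Tuple[int, int, int]:
    """Replay one forged (token-less) request against both handlers, then a
    genuine one; returns (vulnerable_status, hardened_status, genuine_status)."""
    sid = login_admin()
    forged = {"modbus_port": "5020"}   # cross-site form: no way to include the token
    v = update_settings_vulnerable(sid, forged)
    h = update_settings_hardened(sid, forged)
    g = update_settings_hardened(sid, {"modbus_port": "503", "csrf_token": csrf_token_for(sid)})
    return v, h, g
```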
Affected products:
OpenPLC_V3: Versions prior to pull request #310
Related links:
https://github.com/cisagov/CSAF
https://cwe.mitre.org/data/definitions/352.html
https://www.cve.org/CVERecord?id=CVE-2025-13970
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:H
https://github.com/thiagoralves/OpenPLC_v3
https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.cisa.gov/topics/industrial-control-systems
https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
