Johnson Controls iSTAR Products Command Injection Vulnerability Allowing Unauthorized Device Access

Vulnerability

A command injection vulnerability has been identified in Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2. This vulnerability, present in versions prior to 6.9.7.CU01 for iSTAR Ultra and iSTAR Ultra SE, and prior to 6.9.3 for iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2, could be exploited under certain circumstances to gain unauthorized access to the affected device.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the device.

Remediation

Users are advised to upgrade iSTAR Ultra and iSTAR Ultra SE to version 6.9.7.CU01 or greater, and iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 to version 6.9.3 or greater. For detailed mitigation instructions, refer to the Johnson Controls Product Security Advisories JCI-PSA-2025-14 and JCI-PSA-2025-15.
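The advisory gives two different fixed-version thresholds, and one of them carries a cumulative-update suffix (CU01), which naive string comparison gets wrong. The following added triage script (not part of the advisory or any Johnson Controls tooling) parses iSTAR firmware version strings and flags inventory entries that still fall below the fixed version for their model; the product-name keys and the sample inventory are constructed, and the assumption that a CU release sorts after the bare release is stated in the code.

```python
import re

# Minimum fixed firmware version per affected product, taken from the advisory.
# Using the product names as inventory keys is an assumption of this example.
FIXED_VERSIONS = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?$")


def parse_version(text):
    """Parse 'major.minor.patch[.CUnn]' into a comparable tuple.
    Assumption: a cumulative update (CUnn) sorts after the bare release,
    so 6.9.7 < 6.9.7.CU01; anything else is rejected rather than guessed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised iSTAR version string: {text!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu) if cu else 0)


def is_affected(model, version):
    """True if the device firmware is below the fixed version for its model."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        raise KeyError(f"model not covered by this advisory: {model!r}")
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Return the (model, version, host) records that still need the upgrade."""
    return [rec for rec in inventory if is_affected(rec[0], rec[1])]


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    ("iSTAR Ultra", "6.9.7", "door-ctrl-01"),       # bare release, below CU01
    ("iSTAR Ultra", "6.9.7.CU01", "door-ctrl-02"),  # at the fixed version
    ("iSTAR Ultra G2", "6.8.12", "door-ctrl-03"),   # older minor release
    ("iSTAR Edge G2", "6.9.3", "door-ctrl-04"),     # at the fixed version
]

if __name__ == "__main__":
    for model, version, host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} {version} -> upgrade to {FIXED_VERSIONS[model]}")
```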

Added: Dec 24, 2025, 5:37 PM
Updated: Dec 24, 2025, 5:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 4.9
remediation: 7.7
relevance: 1.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.