Johnson Controls iSTAR Products Improper OS Command Element Neutralization Vulnerability

Vulnerability

A vulnerability exists in Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2, all versions prior to the latest updates. This vulnerability involves improper neutralization of special elements used in an operating system command, which under certain circumstances could be exploited to gain unauthorized access to the device.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the affected device.

Remediation

Users are advised to upgrade iSTAR Ultra and iSTAR Ultra SE to version 6.9.7.CU01 or greater, and to upgrade iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 to version 6.9.3 or greater. For detailed mitigation instructions, refer to the Johnson Controls Product Security Advisories JCI-PSA-2025-14 and JCI-PSA-2025-15.

Added: Dec 24, 2025, 5:36 PM
Updated: Dec 24, 2025, 5:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 4.9
remediation: 7.7
relevance: 1.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.