PatchSiren cyber security CVE debrief
CVE-2024-32752 Johnson Controls Inc. CVE debrief
A critical vulnerability in Johnson Controls Software House iSTAR door controllers allows unauthenticated communication between the door controllers and the iSTAR Configuration Utility (ICU). The vulnerability, published June 6, 2024 and updated July 29, 2025, affects iSTAR Pro, Edge, and eX door controllers running any firmware version, as well as iSTAR Ultra and Ultra LT door controllers running firmware prior to version 6.6.B. The CVSS 3.1 score of 9.1 reflects network accessibility with low attack complexity, no required privileges or user interaction, and high impact on integrity and availability. The root cause is the absence of authentication support in the communication protocol between the affected door controllers and the ICU tool, which enables unauthorized configuration changes. The July 2025 update expanded the scope to include additional product lines.
- Vendor: Johnson Controls Inc.
- Product: Software House iSTAR Pro, Edge and eX door controllers
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-06
- Original CVE updated: 2025-07-29
- Advisory published: 2024-06-06
- Advisory updated: 2025-07-29
Who should care
Organizations deploying Johnson Controls Software House iSTAR door controllers for physical access control, particularly in critical infrastructure, healthcare, education, and commercial facilities. Security teams responsible for OT/ICS networks, physical security administrators, and facilities management personnel should prioritize assessment and remediation.
Technical summary
The vulnerability exists in the communication protocol between iSTAR door controllers and the iSTAR Configuration Utility (ICU). Affected controllers running firmware prior to 6.6.B (or all firmware versions for Pro/Edge/eX models) do not implement authentication for management communications. This allows any network-accessible actor to interact with the ICU and modify door controller configurations without credentials. The attack vector is network-based with low complexity, requiring no privileges or user interaction. Impact is rated high for integrity and availability, with no confidentiality impact per CVSS 3.1 scoring. The July 2025 advisory update indicates ongoing vendor assessment and expanded product scope.
Defensive priority
CRITICAL
Recommended defensive actions
- Replace iSTAR Pro, Edge, and eX door controllers with current-generation iSTAR Ultra G2 or Edge G2 controllers that support authentication
- Upgrade iSTAR Ultra and Ultra LT door controllers to firmware version 6.6.B or later
- Implement network segmentation to isolate door controller management traffic from untrusted networks
- Monitor for unauthorized configuration changes to door controller settings
- Review Johnson Controls Product Security Advisory JCI-PSA-2024-06-v2 for detailed mitigation instructions
- Apply CISA ICS recommended practices for defense-in-depth security
- Report suspected malicious activity to CISA for tracking and correlation
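The first two actions above depend on sorting an inventory by model and firmware against the affected ranges the debrief states (Pro/Edge/eX: every version; Ultra/Ultra LT: anything before 6.6.B). The following triage helper is an added example, not code from PatchSiren, CISA or Johnson Controls. It assumes firmware strings have the shape "major.minor.LETTER" (as in 6.6.B) and that they order numerically on major and minor and alphabetically on the trailing letter; the inventory it runs over is constructed sample data, and the hostnames and model strings are placeholders.

```python
"""Inventory triage for CVE-2024-32752 (added example, not vendor code).

Encodes the affected ranges as stated in the debrief:
  - iSTAR Pro, Edge, eX: affected at every firmware version (replace)
  - iSTAR Ultra, Ultra LT: affected before firmware 6.6.B (upgrade)
Assumption: firmware strings look like "6.6.B" and compare numerically on
major/minor, then alphabetically on the letter suffix.
"""
import re
from dataclasses import dataclass

# Models affected regardless of firmware version (per the debrief).
ALWAYS_AFFECTED = {"iSTAR Pro", "iSTAR Edge", "iSTAR eX"}
# Models affected only below the fixed firmware (per the debrief).
FIXED_FROM = {"iSTAR Ultra": "6.6.B", "iSTAR Ultra LT": "6.6.B"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.([A-Za-z]))?$")


def parse_firmware(version: str) -> tuple:
    """Return a sortable key for a firmware string such as '6.6.B'.

    Assumption: the suffix letter orders alphabetically and a missing suffix
    sorts before 'A'. Unrecognised formats raise ValueError so an unparseable
    version is never silently treated as patched.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    major, minor, letter = m.groups()
    return (int(major), int(minor), (letter or "").upper())


@dataclass
class Controller:
    hostname: str  # placeholder identifier from the constructed inventory
    model: str
    firmware: str


def is_affected(ctl: Controller) -> bool:
    """True if this controller falls inside the CVE-2024-32752 affected ranges."""
    if ctl.model in ALWAYS_AFFECTED:
        return True
    fixed = FIXED_FROM.get(ctl.model)
    if fixed is None:
        return False  # model not in scope of this CVE (e.g. the G2 generation)
    return parse_firmware(ctl.firmware) < parse_firmware(fixed)


def recommended_action(ctl: Controller) -> str:
    """Map a controller to the defensive action the debrief recommends."""
    if ctl.model in ALWAYS_AFFECTED:
        return "replace with a current-generation controller"
    if ctl.model in FIXED_FROM:
        if is_affected(ctl):
            return f"upgrade firmware to {FIXED_FROM[ctl.model]} or later"
        return "not affected (firmware at or above fixed version)"
    return "not in scope of CVE-2024-32752"


def triage(inventory) -> dict:
    """Return {hostname: action}; unparseable firmware is flagged for manual review."""
    report = {}
    for ctl in inventory:
        try:
            report[ctl.hostname] = recommended_action(ctl)
        except ValueError as exc:
            report[ctl.hostname] = f"review manually: {exc}"
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    Controller("door-01", "iSTAR Pro", "4.2.A"),
    Controller("door-02", "iSTAR Ultra", "6.5.C"),
    Controller("door-03", "iSTAR Ultra LT", "6.6.B"),
    Controller("door-04", "iSTAR Ultra", "6.7.A"),
    Controller("door-05", "iSTAR Ultra G2", "1.0.A"),
    Controller("door-06", "iSTAR Ultra", "unknown"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```

Unparseable firmware strings deliberately land in the "review manually" bucket rather than being skipped, because an inventory record with a missing or malformed version is exactly the device most likely to be an unpatched unit that nobody has looked at.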
Evidence notes
The vulnerability was initially disclosed in CISA advisory ICSA-24-158-04 on June 6, 2024, with Update A published July 29, 2025 expanding affected products to include iSTAR Ultra and Ultra LT door controllers. The source CSAF document confirms three affected product IDs: CSAFPID-0001 (iSTAR Pro/Edge/eX, all versions), CSAFPID-0002 (iSTAR Ultra/Ultra LT, firmware < 6.6.B), and CSAFPID-0003 (ICU Tool, all versions).
Official resources
- CVE-2024-32752 CVE record (CVE.org)
- CVE-2024-32752 NVD detail (NVD)
- Source item: cisa_csaf