PatchSiren cyber security CVE debrief
CVE-2025-26382 Johnson Controls Inc. CVE debrief
CVE-2025-26382 is a Critical vulnerability in Johnson Controls Software House iSTAR Configuration Utility (ICU). CISA’s advisory says the ICU tool can have a buffer overflow issue under certain circumstances, and the affected product range is ICU versions earlier than 6.9.5. Johnson Controls recommends upgrading to ICU 6.9.5 or greater and following the vendor’s product security advisory for mitigation guidance. CISA published the advisory on 2025-04-24 and later issued a minor revision on 2025-05-06 that fixed typos.
- Vendor: Johnson Controls Inc.
- Product: ICU
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-24
- Original CVE updated: 2025-05-06
- Advisory published: 2025-04-24
- Advisory updated: 2025-05-06
Who should care
Organizations that use Johnson Controls Software House iSTAR ICU, especially teams responsible for building automation, physical security, OT, and system administration, should prioritize this advisory. Any environment running ICU versions earlier than 6.9.5 should be treated as exposed until the installed version is verified as updated.
Technical summary
The advisory describes a buffer overflow affecting Johnson Controls ICU under certain circumstances. The associated CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, with a score of 9.8, indicating a critical issue with high potential impact on confidentiality, integrity, and availability. The source corpus identifies ICU < 6.9.5 as affected and recommends upgrading to 6.9.5 or later.
Defensive priority
Immediate. This is a critical-severity vulnerability with a 9.8 CVSS score and a straightforward vendor remediation path. If ICU is present in your environment, confirm version status and plan upgrades quickly, especially for systems supporting operational or physical-security functions.
Recommended defensive actions
- Upgrade Johnson Controls ICU to version 6.9.5 or later as soon as feasible.
- Identify all systems running ICU and confirm whether any instance is earlier than 6.9.5.
- Review Johnson Controls Product Security Advisory JCI-PSA-2025-04 for detailed mitigation guidance.
- Apply the CISA-referenced industrial control system defensive practices appropriate to your environment.
- Treat unpatched ICU deployments as high priority until version status is verified and remediation is completed.
Evidence notes
Source evidence is limited to the supplied CISA CSAF advisory and the referenced official links. The corpus states: “Under certain circumstances, the ICU tool can have a buffer overflow issue.” It also identifies affected product scope as “Johnson Controls Inc. ICU: <6.9.5” and recommends upgrading to version 6.9.5 or greater. The advisory was initially published on 2025-04-24 and revised on 2025-05-06 for typo fixes only. No KEV entry is present in the supplied data.
Official resources
- CVE-2025-26382 CVE record (CVE.org)
- CVE-2025-26382 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed by CISA in ICSA-25-114-05 on 2025-04-24; revision on 2025-05-06 corrected typos. The supplied corpus does not indicate KEV inclusion or a public exploitation campaign.