PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-26386 Johnson Controls Inc. CVE debrief

CVE-2025-26386 is a vulnerability in the Johnson Controls iSTAR Configuration Utility (ICU) tool with a CVSS 3.1 score of 7.1 (High). According to the CISA CSAF advisory, successful exploitation under certain circumstances could cause a failure in the operating system of the machine hosting the ICU tool. Johnson Controls recommends updating the ICU tool to version 6.9.8.

Vendor: Johnson Controls Inc.
Product: iSTAR Configuration Utility (ICU) tool
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-22
Original CVE updated: 2026-01-22
Advisory published: 2026-01-22
Advisory updated: 2026-01-22

Who should care

Organizations that use the Johnson Controls iSTAR Configuration Utility (ICU) tool, especially the engineering, facilities, and OT teams responsible for the systems that host the utility. IT teams supporting the host operating system should also prioritize this advisory, because the impact lands on the machine running ICU.

Technical summary

The official advisory describes an availability-focused issue affecting the ICU tool. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H, which encodes a network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact. The disclosed impact is that successful exploitation could lead to a failure in the host operating system. Johnson Controls' stated remediation is to update the ICU tool to version 6.9.8.

Defensive priority

High. The combination of a High CVSS score, low complexity, no privileges required, and host OS failure potential makes this a near-term patch priority for any environment using the ICU tool.

Recommended defensive actions

  • Update the Johnson Controls iSTAR Configuration Utility (ICU) tool to version 6.9.8 as recommended by the vendor.
  • Review the Johnson Controls Product Security Advisory JCI-PSA-2025-08 v1 for any product-specific mitigation steps.
  • Identify all machines running the ICU tool and prioritize them for verification, patching, and post-update validation.
  • Because the CVSS vector includes user interaction, reinforce user awareness of unexpected prompts or actions during ICU use until remediation is complete.
  • Confirm backup and recovery readiness for hosts that depend on the ICU tool so that operations can be restored quickly if a host fails.
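The inventory step above (find every host running the ICU tool and decide which ones still need the 6.9.8 update) is where version comparison usually goes wrong. The following added example, which is not part of the debrief or of any vendor tooling, triages a constructed CSV inventory against the fixed version named in the advisory; the hostnames, the product-name string, and all installed versions in the sample are made up for illustration.

```python
"""Triage a host inventory against the fixed ICU version (added example)."""
import csv
import io
from typing import List, Tuple

# Version the advisory names as the remediation.
FIXED_VERSION = "6.9.8"
# Product name as it is assumed to appear in the inventory export (assumption).
ICU_PRODUCT = "iSTAR Configuration Utility"

# Constructed sample inventory: hostnames and versions are invented.
SAMPLE_INVENTORY = """host,product,version
eng-ws-01,iSTAR Configuration Utility,6.9.7
eng-ws-02,iSTAR Configuration Utility,6.9.8
fac-lt-03,iSTAR Configuration Utility,6.9.10
fac-lt-04,iSTAR Configuration Utility,6.8.12
ot-jump-01,Some Other Tool,1.0.0
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.9.8' into (6, 9, 8) so comparison is numeric, not lexicographic.

    A plain string comparison would rank '6.9.10' below '6.9.8' because '1' < '8',
    which would wrongly flag a newer build as needing the update.
    """
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable version string: {version!r}") from exc


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory_csv: str) -> List[str]:
    """Return hostnames that run the ICU tool below the fixed version."""
    affected = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"] != ICU_PRODUCT:
            continue  # other software on the host is out of scope here
        if needs_update(row["version"]):
            affected.append(row["host"])
    return affected


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: ICU below {FIXED_VERSION}, schedule update and post-update check")
```

Feed it the CSV your asset inventory or endpoint agent exports (the column names here are an assumption) and the returned list is the patch queue; hosts at or above 6.9.8, including 6.9.10, are correctly left out.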

Evidence notes

Source evidence is limited to the CISA CSAF advisory and the official references it links. The advisory text states: 'Under certain circumstances, a successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the ICU tool.' The advisory also lists the vendor remediation of updating the ICU tool to version 6.9.8 and provides the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H. The supplied publishedAt/modifiedAt timestamps are both 2026-01-22T07:00:00.000Z and should be treated as the public disclosure timing in this corpus.

Official resources

CISA published the CSAF advisory and source record on 2026-01-22T07:00:00.000Z; that is the public disclosure date used here.