PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-43875 Johnson Controls Inc. CVE debrief

A high-severity vulnerability in Johnson Controls iSTAR access control systems could allow authenticated attackers to gain unauthorized device access. The issue affects multiple iSTAR product lines including iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2. Johnson Controls has released patched firmware versions to address this vulnerability.

Vendor: Johnson Controls Inc.
Product: iSTAR Ultra
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-11
Original CVE updated: 2025-12-11
Advisory published: 2025-12-11
Advisory updated: 2025-12-11

Who should care

Organizations using Johnson Controls iSTAR access control systems for physical security, particularly in critical infrastructure, commercial buildings, healthcare facilities, and government installations. Security teams responsible for OT/ICS environments and building automation systems should prioritize patching.

Technical summary

CVE-2025-43875 is an authentication-related vulnerability in Johnson Controls iSTAR physical access control systems. With CVSS 3.1 score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability allows network-based attackers with low privileges to achieve high-impact compromise of affected devices without user interaction. The vulnerability spans five product variants: iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2. Johnson Controls has issued firmware updates and product security advisories JCI-PSA-2025-14 and JCI-PSA-2025-15 to address the issue.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade iSTAR Ultra and iSTAR Ultra SE to firmware version 6.9.7.CU01 or later
  • Upgrade iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 to firmware version 6.9.3 or later
  • Review Johnson Controls Product Security Advisories JCI-PSA-2025-14 and JCI-PSA-2025-15 for detailed mitigation guidance
  • Implement network segmentation to limit iSTAR device exposure to untrusted networks
  • Apply defense-in-depth strategies per CISA ICS recommended practices
  • Contact Johnson Controls Global Product Security for additional assistance if needed
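The two firmware thresholds above are the practical test for whether a given controller is still exposed. The following inventory check is an added example, not part of the advisory or of any Johnson Controls tooling; it assumes firmware strings of the form "6.9.7.CU01", where a version without a CU suffix is treated as cumulative update 0, and the device names and versions in the sample inventory are constructed.

```python
import re

# Minimum fixed firmware per iSTAR product line, taken from the advisory text.
# Versions like "6.9.7.CU01" parse to (6, 9, 7, cu=1); a version with no CU
# suffix is treated as cu=0 (assumption, not stated in the advisory).
FIXED_FIRMWARE = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?$", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '6.9.7.CU01' into a comparable tuple (6, 9, 7, 1)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised iSTAR firmware version: {version!r}")
    major, minor, patch, cu = m.groups()
    return int(major), int(minor), int(patch), int(cu or 0)


def is_patched(product: str, firmware: str) -> bool:
    """True if the device runs the fixed firmware for its product line or later."""
    if product not in FIXED_FIRMWARE:
        raise KeyError(f"product line not covered by CVE-2025-43875: {product!r}")
    return parse_version(firmware) >= parse_version(FIXED_FIRMWARE[product])


def find_vulnerable(inventory: list) -> list:
    """Return names of inventory entries still below the fixed firmware."""
    return [d["name"] for d in inventory if not is_patched(d["product"], d["firmware"])]


# Constructed sample inventory: hostnames and firmware versions are made up.
SAMPLE_INVENTORY = [
    {"name": "lobby-ctrl-01", "product": "iSTAR Ultra", "firmware": "6.9.7"},
    {"name": "lobby-ctrl-02", "product": "iSTAR Ultra SE", "firmware": "6.9.7.CU01"},
    {"name": "dc-door-ctrl", "product": "iSTAR Ultra G2", "firmware": "6.9.2"},
    {"name": "lab-edge-01", "product": "iSTAR Edge G2", "firmware": "6.10.0"},
]

if __name__ == "__main__":
    for name in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{name}: below fixed firmware for CVE-2025-43875")
```

Note that a bare "6.9.7" on an iSTAR Ultra is reported as unpatched, since the advisory names 6.9.7.CU01 as the first fixed build for that line.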

Evidence notes

CISA published advisory ICSA-25-345-01 on 2025-12-11 with CVSS 3.1 score 8.8 (HIGH). The vulnerability has low attack complexity and requires network access with low privileges, but no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability.
