PatchSiren cyber security CVE debrief
CVE-2025-43876 Johnson Controls Inc. CVE debrief
A high-severity vulnerability in Johnson Controls iSTAR access control systems could allow authenticated attackers to gain unauthorized device access. CISA published advisory ICSA-25-345-01 on December 11, 2025, with vendor fixes available.
- Vendor: Johnson Controls Inc.
- Product: iSTAR Ultra
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-11
- Original CVE updated: 2025-12-11
- Advisory published: 2025-12-11
- Advisory updated: 2025-12-11
Who should care
Organizations using Johnson Controls iSTAR access control systems for physical security and building automation, particularly in critical infrastructure, commercial facilities, and government installations. Security teams responsible for OT/ICS environments and facility managers overseeing access control infrastructure should prioritize patching.
Technical summary
CVE-2025-43876 affects multiple Johnson Controls iSTAR access control products including iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2. The vulnerability has a CVSS 3.1 score of 8.8 (HIGH severity) with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates a network-accessible vulnerability with low attack complexity that requires low privileges but no user interaction, potentially resulting in high impact to confidentiality, integrity, and availability. Successful exploitation could result in unauthorized access to affected devices. Johnson Controls has released patched versions: iSTAR Ultra and iSTAR Ultra SE should be upgraded to 6.9.7.CU01 or greater, while iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 should be upgraded to 6.9.3 or greater.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade iSTAR Ultra and iSTAR Ultra SE to version 6.9.7.CU01 or greater
- Upgrade iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 to version 6.9.3 or greater
- Review Johnson Controls Product Security Advisories JCI-PSA-2025-14 and JCI-PSA-2025-15 for detailed mitigation instructions
- Implement network segmentation for building automation systems
- Apply CISA ICS recommended practices for defense-in-depth
- Contact Johnson Controls Global Product Security for additional guidance
Evidence notes
CISA advisory ICSA-25-345-01 provides the authoritative disclosure. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates network-accessible attack vector with low attack complexity, requiring low privileges but no user interaction, with high impact across confidentiality, integrity, and availability.
Official resources
- CVE-2025-43876 CVE record (CVE.org)
- CVE-2025-43876 NVD detail (NVD)
- Source item URL: cisa_csaf
CISA published advisory ICSA-25-345-01 on December 11, 2025, disclosing this vulnerability in Johnson Controls iSTAR access control systems. The advisory was issued through CISA's CSAF feed for industrial control systems.