PatchSiren cyber security CVE debrief

CVE-2025-61736 Johnson Controls Inc. CVE debrief

CVE-2025-61736 is a medium-severity availability issue affecting Johnson Controls iSTAR products when the default certificate used to connect to the C•CURE Server expires. Under the described conditions, the panel may fail to re-establish communication, which can interrupt normal operation until certificate-related remediation is applied. CISA published the advisory on 2025-12-04 UTC, and the supplied corpus does not include a KEV listing or evidence of active exploitation.

Vendor: Johnson Controls Inc.
Product: iSTAR eX
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-04
Original CVE updated: 2025-12-04
Advisory published: 2025-12-04
Advisory updated: 2025-12-04

Who should care

OT/physical security teams, Software House/C•CURE integrators, and administrators running iSTAR eX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra, or iSTAR Ultra SE should review this advisory, especially if they rely on default certificates or TLS 1.2 connections.

Technical summary

The advisory describes a certificate-expiration edge case: an iSTAR using the default certificate to connect to a C•CURE Server may be unable to reconnect once that certificate expires. Johnson Controls lists host-based certificates over TLS 1.2 as the quickest mitigation without a software or firmware upgrade, TLS 1.3 migration as a phased option for supported clusters, and G2 hardware replacement for legacy panels. The vendor notes that TLS 1.3 is not supported on iSTAR eX, iSTAR Edge, and iSTAR Ultra LT panels.

Defensive priority

Medium

Recommended defensive actions

  • Inventory affected iSTAR panels and identify any systems still using default certificates for C•CURE Server connectivity.
  • Coordinate with Software House integrators to select the least disruptive mitigation path and schedule any required maintenance window.
  • If you remain on TLS 1.2, deploy host-based certificates to all affected panels as the fastest vendor-recommended fix; expect brief system downtime.
  • If your environment supports it, plan a phased TLS 1.3 migration per cluster, using firmware 6.9.0 or higher and C•CURE 9000 v2.90 SP3 or higher.
  • For legacy deployments, evaluate migration to new G2 hardware and use vendor documentation and support guidance to confirm product-specific constraints.
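The first two actions above amount to an inventory pass: for each panel, know when its current certificate expires, whether it is still the default certificate, and which of the vendor's mitigation paths the model allows. The script below is an added example written for this debrief; it is not PatchSiren's or Johnson Controls' code. It uses only the Python standard library (ssl.cert_time_to_seconds parses the notAfter format that ssl.SSLSocket.getpeercert() returns), and the inventory rows, field names (panel, model, cert_source, notAfter) and the AS_OF reference date are constructed sample data: in practice the rows come from your own asset records, and cert_source in particular must reflect what you actually deployed. The model-to-mitigation mapping is taken from the advisory text summarized above (TLS 1.3 not supported on iSTAR eX, iSTAR Edge and iSTAR Ultra LT; host-based certificates over TLS 1.2 as the quickest fix; G2 hardware for legacy panels).

```python
import ssl
from datetime import datetime, timezone

# Models the advisory says do NOT support TLS 1.3 (vendor note quoted in the debrief).
NO_TLS13 = {"iSTAR eX", "iSTAR Edge", "iSTAR Ultra LT"}

# Reference date for the demo: the advisory publication date. Constructed for the example;
# report() uses the real clock when no `now` is passed.
AS_OF = datetime(2025, 12, 4, tzinfo=timezone.utc)

# Constructed sample inventory (not real site data). In practice, populate it from your own
# asset records; "notAfter" uses the string format returned by ssl.SSLSocket.getpeercert().
INVENTORY = [
    {"panel": "panel-lobby-01", "model": "iSTAR eX", "cert_source": "default",
     "notAfter": "Dec  1 00:00:00 2025 GMT"},
    {"panel": "panel-dock-02", "model": "iSTAR Ultra", "cert_source": "default",
     "notAfter": "Feb  1 00:00:00 2026 GMT"},
    {"panel": "panel-lab-03", "model": "iSTAR Ultra SE", "cert_source": "host",
     "notAfter": "Dec  4 00:00:00 2027 GMT"},
]


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days from `now` until the certificate's notAfter (negative once expired)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def mitigation_for(model: str, cert_source: str) -> str:
    """Map a panel to the advisory's options; panels already on host certificates need no change."""
    if cert_source != "default":
        return "none (host-based certificate already deployed)"
    if model in NO_TLS13:
        # TLS 1.3 is not available on these models, so only the TLS 1.2 or hardware paths apply.
        return "host-based certificate over TLS 1.2, or replace with G2 hardware"
    return ("host-based certificate over TLS 1.2 now; phased TLS 1.3 migration "
            "(firmware 6.9.0+, C•CURE 9000 v2.90 SP3+)")


def classify(entry: dict, now: datetime, warn_days: int = 90) -> dict:
    """Expiry status plus the mitigation path for one inventory row."""
    days = days_until_expiry(entry["notAfter"], now)
    if days < 0:
        status = "EXPIRED"      # the condition the advisory describes has already hit
    elif days <= warn_days:
        status = "EXPIRING"     # schedule the maintenance window now
    else:
        status = "OK"
    return {"panel": entry["panel"], "status": status, "days_left": days,
            "mitigation": mitigation_for(entry["model"], entry["cert_source"])}


def report(inventory, now=None, warn_days=90):
    """Rows sorted so the most urgent panel (smallest days_left) comes first."""
    now = now or datetime.now(timezone.utc)
    return sorted((classify(e, now, warn_days) for e in inventory),
                  key=lambda r: r["days_left"])


if __name__ == "__main__":
    for row in report(INVENTORY, now=AS_OF):
        print(f'{row["panel"]:16} {row["status"]:9} {row["days_left"]:>6}d  {row["mitigation"]}')
```

The 90-day warning threshold is a placeholder; pick one that covers the lead time your integrator needs to book a maintenance window, since the host-based certificate rollout itself involves brief downtime per the vendor text.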

Evidence notes

Source evidence is limited to the CISA CSAF advisory and the vendor remediation text embedded in the supplied corpus. The CVSS vector is AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which aligns with an availability-only impact (C:N/I:N/A:H) triggered from the adjacent network (AV:A) with no privileges or user interaction required. The advisory was published and modified on 2025-12-04 UTC.

Official resources

Publicly disclosed in CISA advisory ICSA-25-338-04 on 2025-12-04 UTC; the supplied timeline shows publication and modification on the same date.