PatchSiren

CVE-2025-43873 Johnson Controls CVE debrief

An OS command injection vulnerability in Johnson Controls iSTAR Ultra access control systems allows a low-privileged, authenticated attacker with network access to the controller to take full control of the device. Published December 11, 2025, this HIGH severity flaw (CVSS 3.1 base score 8.8) affects six iSTAR models across two firmware branches; patched firmware is available for both.

Vendor: Johnson Controls
Product: iSTAR Ultra
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-11
Original CVE updated: 2025-12-11
Advisory published: 2025-12-11
Advisory updated: 2025-12-11

Who should care

Organizations operating Johnson Controls iSTAR Ultra access control systems in commercial buildings, critical infrastructure facilities, healthcare environments, and government installations should prioritize patching. Security teams managing building automation systems and physical security infrastructure must assess exposure and implement firmware updates. Managed security service providers supporting facilities with iSTAR deployments should coordinate with clients on remediation timelines.

Technical summary

The vulnerability exists in the iSTAR Ultra product family and affects two firmware branches: iSTAR Ultra, Ultra SE, and Ultra LT on versions prior to 6.9.7.CU01; and iSTAR Ultra G2, Ultra G2 SE, and Edge G2 on versions prior to 6.9.3. The OS command injection flaw can be triggered under certain circumstances by an attacker holding a low-privileged account on the device, with no user interaction required. Because the injected input reaches an operating-system command, successful exploitation gives the attacker command execution on the controller, which the vendor describes as complete control of the affected device. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a network attack vector, low attack complexity, low privileges required, no user interaction, and high impact across confidentiality, integrity, and availability. Two points in that vector matter for triage: PR:L means the attacker needs valid credentials (an operator account or a credentialed integration), so credential hygiene and account review reduce exposure; and AV:N means nothing beyond network reachability is otherwise required, so controllers whose management interface is reachable from general corporate networks or the internet are the most exposed. The unchanged scope (S:U) also means the score reflects compromise of the controller itself only; any follow-on impact on the doors it governs or the access-control server it reports to is not captured in the 8.8. Johnson Controls has released firmware updates addressing both affected version branches and published complementary security advisories JCI-PSA-2025-11 and JCI-PSA-2025-13 with additional mitigation guidance.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade iSTAR Ultra, Ultra SE, Ultra LT to version 6.9.7.CU01 or later
  • Upgrade iSTAR Ultra G2, Ultra G2 SE, Edge G2 to version 6.9.3 or later
  • Review Johnson Controls Product Security Advisories JCI-PSA-2025-11 and JCI-PSA-2025-13 for detailed mitigation guidance
  • Apply CISA ICS recommended practices for network segmentation and defense-in-depth
  • Monitor for anomalous device behavior and report suspected incidents to CISA
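The two upgrade targets above are the check every site will run against its controller inventory, and the cumulative-update suffix on the first branch is easy to get wrong (a plain 6.9.7 is still "prior to 6.9.7.CU01"). The following is an added example, not PatchSiren's or Johnson Controls' tooling: it takes the model names and fixed versions from the advisory text, and assumes a firmware-version format of dotted numerics with an optional CUnn suffix; the inventory rows are constructed sample data with hypothetical hostnames.

```python
"""Firmware-version triage for the two iSTAR branches named in the advisory.

Added example, not part of the PatchSiren page or Johnson Controls tooling.
Model names and fixed versions are taken from the advisory text; the
version-string format (dotted numerics, optional 'CUnn' cumulative-update
suffix as in 6.9.7.CU01) and the inventory rows are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed firmware per product family, as stated in the advisory.
FIXED_VERSIONS = {
    "iSTAR Ultra": "6.9.7.CU01",
    "iSTAR Ultra SE": "6.9.7.CU01",
    "iSTAR Ultra LT": "6.9.7.CU01",
    "iSTAR Ultra G2": "6.9.3",
    "iSTAR Ultra G2 SE": "6.9.3",
    "iSTAR Edge G2": "6.9.3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'6.9.7.CU01' -> (6, 9, 7, 1); '6.9.7' -> (6, 9, 7, 0).

    A release without a CU suffix sorts below CU01 of the same release, so a
    plain 6.9.7 counts as 'prior to 6.9.7.CU01', matching the advisory wording.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu) if cu else 0)


def is_affected(model: str, version: str) -> Optional[bool]:
    """True/False for models the advisory lists; None when the model is not covered."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Sort inventory rows into affected / patched / review buckets by hostname.

    Rows whose model is not in the advisory, or whose version cannot be parsed,
    go to 'review' rather than being silently treated as safe.
    """
    result: Dict[str, List[str]] = {"affected": [], "patched": [], "review": []}
    for dev in inventory:
        try:
            verdict = is_affected(dev["model"], dev["firmware"])
        except ValueError:
            verdict = None
        if verdict is None:
            result["review"].append(dev["name"])
        elif verdict:
            result["affected"].append(dev["name"])
        else:
            result["patched"].append(dev["name"])
    return result


# Constructed sample inventory (hypothetical hostnames, models and versions).
SAMPLE_INVENTORY = [
    {"name": "hq-lobby-01", "model": "iSTAR Ultra", "firmware": "6.9.6"},
    {"name": "hq-lobby-02", "model": "iSTAR Ultra", "firmware": "6.9.7"},  # base 6.9.7 without CU01
    {"name": "hq-dc-01", "model": "iSTAR Ultra SE", "firmware": "6.9.7.CU01"},
    {"name": "plant-a-01", "model": "iSTAR Ultra G2", "firmware": "6.9.2"},
    {"name": "plant-a-02", "model": "iSTAR Edge G2", "firmware": "6.9.3"},
    {"name": "plant-b-01", "model": "iSTAR Ultra G2 SE", "firmware": "6.10.0"},
    {"name": "annex-01", "model": "other vendor panel", "firmware": "5.2.1"},  # outside this CVE
    {"name": "annex-02", "model": "iSTAR Ultra LT", "firmware": "n/a"},  # unparseable, needs a look
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>8}: {', '.join(names) or '-'}")
```

Feed it whatever export your access-control management server produces once the columns are mapped to name, model and firmware; anything that lands in "review" should be resolved by hand rather than assumed patched.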

Evidence notes

CVE published and modified 2025-12-11T07:00:00.000Z per official record. CISA ICS advisory ICSA-25-345-02 issued same date. No KEV listing at time of publication.

Official resources

  • CVE-2025-43873 (published 2025-12-11)
  • CISA ICS advisory ICSA-25-345-02 (published 2025-12-11)
  • Johnson Controls Product Security Advisories JCI-PSA-2025-11 and JCI-PSA-2025-13