PatchSiren cyber security CVE debrief
CVE-2025-53695 Johnson Controls CVE debrief
A high-severity OS command injection vulnerability in Johnson Controls iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 door controllers allows authenticated attackers to escalate privileges to root access on device firmware. The vulnerability affects versions 6.9.2 and prior, with fixes available in version 6.9.3 and newer. CISA published this advisory on August 12, 2025, with an update on December 16, 2025 adding version 6.9.8 as an additional mitigation for physical access attack scenarios.
- Vendor: Johnson Controls
- Product: iSTAR Ultra
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2025-12-16
- Advisory published: 2025-08-12
- Advisory updated: 2025-12-16
Who should care
Organizations using Johnson Controls iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, or Edge G2 door controllers for physical access control and security management. This includes facilities management teams, security operations centers, critical infrastructure operators, and organizations in sectors such as healthcare, education, government, and commercial real estate that rely on these controllers for building security.
Technical summary
CVE-2025-53695 is an OS command injection vulnerability in the web application of Johnson Controls iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 door controllers running firmware version 6.9.2 and prior. An authenticated attacker can exploit this flaw to execute arbitrary operating system commands, resulting in privilege escalation to root-level access on the device firmware. The CVSS 3.1 score of 8.8 (High) reflects a network attack vector, low attack complexity, low privileges required, and high impact to confidentiality, integrity, and availability. Remediation requires a firmware upgrade to version 6.9.3 or newer; version 6.9.8 is recommended for enhanced protection against physical access attacks.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade affected iSTAR controllers to firmware version 6.9.3 or newer to remediate the OS command injection vulnerability
- For iSTAR Ultra and Ultra SE door controllers, upgrade to version 6.9.8 to protect against physical access attack scenarios
- Disable Pro Mode on iSTAR Ultra door controllers; use Ultra Mode instead
- Place network restrictions around iSTAR controllers regardless of model or firmware version per Dragos recommendations
- Ensure iSTAR Ultra control units are installed in restricted access, protected areas per hardware installation manual requirements
- Consider upgrading to newer Johnson Controls control units as iSTAR Ultra approaches end-of-service
- Review Johnson Controls Product Security Advisory JCI-PSA-2025-10 for detailed mitigation instructions
- Contact Johnson Controls Trust Center for assistance and additional information
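Added example (not code from PatchSiren or Johnson Controls): a small fleet-triage script that applies the firmware thresholds from the actions above (6.9.3 fixes the injection; 6.9.8 is the floor for iSTAR Ultra / Ultra SE) to a constructed controller inventory. The model strings, hostnames and version formats are assumptions; adapt the inventory loader to your own asset records.

```python
"""Fleet triage for CVE-2025-53695 on Johnson Controls iSTAR door controllers.

Added example, not vendor code. Thresholds come from the advisory: firmware
<= 6.9.2 is vulnerable, 6.9.3 remediates the command injection, and 6.9.8 is
the recommended floor for iSTAR Ultra / Ultra SE (physical access scenario).
Model names and the sample inventory below are constructed (assumptions).
"""
import re

AFFECTED_MODELS = {"iSTAR Ultra", "iSTAR Ultra SE", "iSTAR Ultra G2",
                   "iSTAR Ultra G2 SE", "iSTAR Edge G2"}
PHYSICAL_ACCESS_MODELS = {"iSTAR Ultra", "iSTAR Ultra SE"}
FIXED = (6, 9, 3)           # remediates CVE-2025-53695
PHYSICAL_FLOOR = (6, 9, 8)  # recommended floor for Ultra / Ultra SE


def parse_version(text):
    """Turn '6.9.2' or 'v6.9.8-build12' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def assess(model, firmware):
    """Classify one device: not_affected, vulnerable, upgrade_recommended, ok."""
    if model not in AFFECTED_MODELS:
        return "not_affected"
    v = parse_version(firmware)
    if v < FIXED:
        return "vulnerable"            # 6.9.2 or prior: injection unpatched
    if model in PHYSICAL_ACCESS_MODELS and v < PHYSICAL_FLOOR:
        return "upgrade_recommended"   # patched, but below the 6.9.8 floor
    return "ok"


def triage(inventory):
    """Group (hostname, model, firmware) rows by finding, preserving order."""
    out = {"vulnerable": [], "upgrade_recommended": [], "ok": [], "not_affected": []}
    for host, model, fw in inventory:
        out[assess(model, fw)].append(host)
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("door-ctl-01", "iSTAR Ultra", "6.9.2"),
    ("door-ctl-02", "iSTAR Ultra SE", "6.9.3"),
    ("door-ctl-03", "iSTAR Edge G2", "6.9.3"),
    ("door-ctl-04", "iSTAR Ultra", "v6.9.8"),
    ("badge-srv-01", "Other Controller", "1.0"),
]

if __name__ == "__main__":
    for finding, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{finding:20s} {', '.join(hosts) or '-'}")
```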
Evidence notes
The vulnerability was disclosed via CISA ICS Advisory ICSA-25-224-02 on August 12, 2025. Johnson Controls made firmware version 6.9.3 available in 2024 to address this vulnerability and reduce exploitation risk for related CVEs. The iSTAR Ultra is an older device with planned end-of-service within one year of publication; Johnson Controls recommends upgrading to newer control units.
Official resources
- CVE-2025-53695 CVE record (CVE.org)
- CVE-2025-53695 NVD detail (NVD)
- Source item URL (cisa_csaf)