PatchSiren cyber security CVE debrief
CVE-2025-53697 Johnson Controls CVE debrief
Johnson Controls iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 door controllers contain a default 'root' password in firmware versions 6.9.2 and prior. An attacker with local access and high privileges can leverage this credential to gain root-level control over affected devices. The vulnerability was disclosed by CISA on August 12, 2025, with an update on December 16, 2025 adding version 6.9.8 as an additional mitigation. Firmware 6.9.3, released in 2024, reduces risk for iSTAR Ultra and Ultra SE, and fully fixes the vulnerability for iSTAR Ultra G2, Ultra G2 SE, and Edge G2 models. Johnson Controls recommends upgrading iSTAR Ultra and Ultra SE to version 6.9.8 to protect against physical access attacks, and notes that iSTAR Ultra is approaching end-of-service with replacement recommended.
- Vendor: Johnson Controls
- Product: iSTAR Ultra
- CVSS: MEDIUM 6.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2025-12-16
- Advisory published: 2025-08-12
- Advisory updated: 2025-12-16
Who should care
Organizations operating Johnson Controls iSTAR physical access control systems, particularly in critical infrastructure, government facilities, healthcare, and commercial real estate. Security teams responsible for OT/ICS asset management, facility managers, and physical security administrators should prioritize firmware updates and network segmentation controls.
Technical summary
The iSTAR door controller firmware versions 6.9.2 and prior ship with a default root password that can be changed through the command shell. This represents a classic default credential vulnerability (CWE-798) in embedded industrial control systems. The attack vector requires local access (AV:L) and high privileges (PR:H), limiting exploitability to attackers with physical access or existing administrative control. The vulnerability enables complete confidentiality, integrity, and availability compromise (C:H/I:H/A:H) of the device. Remediation varies by product generation: G2 models receive a complete fix in 6.9.3, while legacy Ultra/Ultra SE models receive risk reduction in 6.9.3 and enhanced physical security mitigations in 6.9.8. The December 2025 update reflects continued vendor support for mitigating physical access attack vectors even on approaching end-of-life hardware.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade iSTAR Ultra and Ultra SE to firmware version 6.9.8 to mitigate physical access attack scenarios
- Upgrade iSTAR Ultra G2, Ultra G2 SE, and Edge G2 to firmware version 6.9.3 or newer to fully remediate the vulnerability
- Disable Pro Mode on iSTAR Ultra controllers and use Ultra Mode instead
- Ensure all iSTAR control units are installed in restricted access, protected areas per hardware installation manual
- Implement network segmentation and access controls around iSTAR controllers per Dragos recommendations
- Contact Johnson Controls Trust Center for assistance with upgrade planning and migration to newer control units
- Review Johnson Controls Product Security Advisory JCI-PSA-2025-10 for detailed mitigation instructions
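The remediation rules above differ by product generation and by firmware version, which makes fleet-wide triage error-prone by hand. The following is an added example, not part of the PatchSiren debrief or any Johnson Controls tooling: it parses iSTAR firmware version strings (including the CU suffix seen in the affected ceiling 6.9.2.CU02), classifies each controller against the version facts stated on this page, and returns the matching defensive action. The product names and version thresholds come from the debrief; the inventory records and field names are constructed for illustration, and a version that lies between the stated affected ceiling and 6.9.3 is reported as unverified rather than assumed safe.

```python
"""Triage an iSTAR controller inventory against CVE-2025-53697 remediation rules.

Added example; version thresholds and product names come from the advisory text
on this page, the inventory itself is constructed.
"""
import re
from dataclasses import dataclass

# Product generations as described in the advisory.
LEGACY_MODELS = {"iSTAR Ultra", "iSTAR Ultra SE"}
G2_MODELS = {"iSTAR Ultra G2", "iSTAR Ultra G2 SE", "iSTAR Edge G2"}

# Accepts "6.9.3" as well as "6.9.2.CU02"; the CU suffix is a cumulative update number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?$")


def parse_version(text):
    """Turn '6.9.2.CU02' into (6, 9, 2, 2); a missing CU suffix counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised iSTAR firmware version: {text!r}")
    major, minor, patch, cu = match.groups()
    return (int(major), int(minor), int(patch), int(cu or 0))


LAST_AFFECTED = parse_version("6.9.2.CU02")      # advisory: affected versions <= 6.9.2.CU02
PARTIAL_FIX = parse_version("6.9.3")             # full fix for G2, risk reduction for legacy
LEGACY_MITIGATION = parse_version("6.9.8")       # physical-access mitigation for Ultra / Ultra SE


@dataclass
class Finding:
    asset_id: str
    product: str
    version: str
    status: str   # affected | unverified | risk-reduced | mitigated | fixed | unknown-product
    action: str


def triage(asset_id, product, version):
    """Classify one controller and return the defensive action from the advisory."""
    ver = parse_version(version)
    if product in G2_MODELS:
        if ver >= PARTIAL_FIX:
            return Finding(asset_id, product, version, "fixed",
                           "No action: 6.9.3 or newer fully remediates G2 models")
        if ver <= LAST_AFFECTED:
            return Finding(asset_id, product, version, "affected",
                           "Upgrade to 6.9.3 or newer")
        return Finding(asset_id, product, version, "unverified",
                       "Version between stated affected ceiling and 6.9.3; confirm with vendor")
    if product in LEGACY_MODELS:
        if ver >= LEGACY_MITIGATION:
            return Finding(asset_id, product, version, "mitigated",
                           "Keep unit in a restricted area; plan migration, Ultra nears end of service")
        if ver >= PARTIAL_FIX:
            return Finding(asset_id, product, version, "risk-reduced",
                           "Upgrade to 6.9.8; disable Pro Mode (use Ultra Mode); restrict physical access")
        if ver <= LAST_AFFECTED:
            return Finding(asset_id, product, version, "affected",
                           "Upgrade to 6.9.8 (6.9.3 only reduces risk); disable Pro Mode; restrict physical access")
        return Finding(asset_id, product, version, "unverified",
                       "Version between stated affected ceiling and 6.9.3; confirm with vendor")
    return Finding(asset_id, product, version, "unknown-product",
                   "Not covered by this advisory; verify the model")


def triage_inventory(inventory):
    """Run triage over (asset_id, product, version) records; invalid versions are flagged."""
    findings = []
    for asset_id, product, version in inventory:
        try:
            findings.append(triage(asset_id, product, version))
        except ValueError as exc:
            findings.append(Finding(asset_id, product, version, "unparsed", str(exc)))
    return findings


def status_counts(findings):
    """Summarise findings as {status: count} for a quick fleet overview."""
    counts = {}
    for finding in findings:
        counts[finding.status] = counts.get(finding.status, 0) + 1
    return counts


# Constructed sample inventory, not real asset data.
SAMPLE_INVENTORY = [
    ("door-ctl-01", "iSTAR Ultra", "6.9.2.CU02"),
    ("door-ctl-02", "iSTAR Ultra SE", "6.9.3"),
    ("door-ctl-03", "iSTAR Ultra G2", "6.9.3"),
    ("door-ctl-04", "iSTAR Edge G2", "6.8.0"),
    ("door-ctl-05", "iSTAR Ultra", "6.9.8"),
    ("door-ctl-06", "iSTAR Ultra", "6.9.2.CU03"),
    ("door-ctl-07", "Other Controller", "1.0.0"),
    ("door-ctl-08", "iSTAR Ultra G2 SE", "firmware-unknown"),
]

if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.asset_id:12} {f.product:20} {f.version:12} {f.status:14} {f.action}")
    print(status_counts(results))
```

The tuple comparison is what makes the CU suffix safe to handle: 6.9.2.CU02 sorts below 6.9.3 because the third component is compared before the cumulative-update number, so a record with a CU suffix is never mistaken for the 6.9.3 fix.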
Evidence notes
CISA advisory ICSA-25-224-02 (Update A) published 2025-08-12, modified 2025-12-16. CVSS 3.1 vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. Affected versions: <=6.9.2.CU02 across five product variants. Firmware 6.9.3 released 2024 as partial fix for Ultra/Ultra SE, complete fix for G2 models. Version 6.9.8 added December 2025 as enhanced mitigation for physical access scenarios.
Official resources
- CVE-2025-53697 CVE record (CVE.org)
- CVE-2025-53697 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-08-12