PatchSiren cyber security CVE debrief
CVE-2025-53698 Johnson Controls CVE debrief
CVE-2025-53698 documents an undocumented RJ11 serial console on Johnson Controls iSTAR GCM (General Controller Module) that provides U-Boot access. On older firmware, physical access to this console grants direct root shell access. Firmware version 6.8.1 and newer disables the console post-boot, but the U-Boot bootloader lacks protection, allowing potential re-enablement. The vulnerability affects iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2. CISA published this advisory on August 12, 2025, with an update on December 16, 2025 adding firmware 6.9.8 as a mitigation. CVSS 3.1 score is 6.8 (Medium), reflecting physical access requirements but high impact if exploited.
- Vendor
- Johnson Controls
- Product
- iSTAR Ultra
- CVSS
- MEDIUM 6.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-08-12
- Original CVE updated
- 2025-12-16
- Advisory published
- 2025-08-12
- Advisory updated
- 2025-12-16
Who should care
Organizations deploying Johnson Controls iSTAR physical access control systems, particularly in environments where device enclosures may be physically accessible to unauthorized personnel. Critical infrastructure operators, facility security managers, and OT security teams responsible for access control system hardening should prioritize assessment and remediation.
Technical summary
The iSTAR GCM contains an undocumented RJ11 serial console providing U-Boot access. Pre-6.8.1 firmware allows immediate root shell access via physical connection. Post-6.8.1, the console disables after boot but remains re-enableable due to unprotected U-Boot. Attack vector requires physical device access. Firmware 6.9.8 provides protection. Hardware end-of-service imminent for iSTAR Ultra.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade iSTAR Ultra and Ultra SE door controllers to firmware version 6.9.8 or later to protect against physical access attacks
- Install all control units in restricted access, protected areas per the hardware installation manual to reduce physical tampering risk
- Disable Pro Mode on iSTAR Ultra and iSTAR Ultra door controllers; use Ultra Mode instead
- Consider upgrading to newer Johnson Controls control units as iSTAR Ultra approaches end-of-service
- Implement network segmentation and access controls around iSTAR controllers regardless of model or firmware version
- Review Johnson Controls Product Security Advisory JCI-PSA-2025-10 for detailed mitigation guidance
- Contact Johnson Controls Trust Center for additional assistance with remediation planning
Evidence notes
CISA ICS advisory ICSA-25-224-02 (initially published 2025-08-12, updated 2025-12-16 as Update A) documents this vulnerability. The advisory cites Johnson Controls Product Security Advisory JCI-PSA-2025-10 for detailed mitigation instructions. Firmware version 6.9.8 is identified as a protective update. The iSTAR Ultra has a planned end-of-service date within one year of publication.
Official resources
-
CVE-2025-53698 CVE record
CVE.org
-
CVE-2025-53698 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2025-08-12