PatchSiren cyber security CVE debrief
CVE-2025-53699 Johnson Controls CVE debrief
A physical-access vulnerability in Johnson Controls iSTAR door controllers lets an attacker who can reach the hardware inject keystrokes over USB. The controller treats input from any attached USB keyboard as a legitimate local console session, so no credential is ever checked and the authentication boundary is simply skipped. The GCM board's USB ports, which exist for ACM (Access Control Module) connections, accept any standard HID device without restriction. The attacker can therefore run arbitrary commands at the console level, with door control functions, badge reader data and relay operations all in scope. The attack needs no authentication and no specialized equipment: a standard USB keyboard, or any device that enumerates as one, is enough.
- Vendor: Johnson Controls
- Product: iSTAR Ultra (the advisory also covers iSTAR Ultra SE, Ultra G2, Ultra G2 SE and Edge G2)
- CVSS: 6.8 (Medium)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2025-12-16
- Advisory published: 2025-08-12
- Advisory updated: 2025-12-16
Who should care
Physical security teams, facilities management, critical infrastructure operators, and OT security practitioners deploying Johnson Controls access control systems. Organizations with iSTAR controllers in publicly accessible or semi-secured locations (lobbies, parking garages, remote sites) face elevated risk. Compliance officers in regulated sectors (government, healthcare, financial services) should evaluate this vulnerability against physical access control requirements.
Technical summary
The iSTAR GCM board exposes USB ports that accept HID-class devices with no authentication and no device validation. When a keyboard is attached, the kernel delivers its keystrokes to the active console session, which runs with root-equivalent privileges. Every logical access control is bypassed because this input path is treated as trusted local operator interaction. The ACM board interface shares the same USB bus, so the attack surface is part of the hardware design and cannot be fully removed without physically disabling the ports or replacing the hardware. Firmware 6.9.8 for iSTAR Ultra and Ultra SE is listed as a mitigation, but neither CISA nor Johnson Controls has described the control it adds (whether HID-class devices are now rejected, the console is disabled, or something else), so verify the fix on your own units rather than assuming it: after upgrading, a keyboard on the GCM ports should produce no console input. No fixed firmware exists for the G2-series hardware (Ultra G2, Ultra G2 SE, Edge G2).
Defensive priority
HIGH
Recommended defensive actions
- Upgrade iSTAR Ultra and iSTAR Ultra SE door controllers to firmware 6.9.8 or later, then confirm on a unit that a USB keyboard on the GCM ports no longer produces console input, since the vendor has not described what the fix changes
- Disable Pro Mode on iSTAR Ultra controllers and operate exclusively in Ultra Mode to reduce attack surface
- Install all iSTAR control units in restricted-access, protected areas per manufacturer hardware installation requirements to prevent physical tampering
- Implement network segmentation and access controls around iSTAR controllers regardless of model or firmware version per Dragos recommendations
- For iSTAR Ultra G2, Ultra G2 SE and Edge G2, plan migration to newer control unit hardware: no fixed firmware exists for these models
- Review Johnson Controls Product Security Advisory JCI-PSA-2025-10 for detailed mitigation instructions specific to your deployment
- Contact Johnson Controls Trust Center for technical assistance with remediation planning and hardware migration
- Apply CISA ICS recommended practices for defense-in-depth strategies in physical security system environments
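The advisory and the summary above describe the fix class only as port restrictions, and the controller firmware is closed. The code below is an added example, not Johnson Controls' code, and does not describe what 6.9.8 actually does; it shows what a restriction of that kind has to get right: a default-deny USB authorization policy keyed on the interface classes in the device descriptor rather than on vendor/product IDs alone, because a keystroke-injection device can claim any VID:PID. All VID:PID values are placeholders, the sample devices are constructed, and `usbguard_rules` renders the same policy in the USBGuard rule language as an illustration for a general Linux host (syntax taken from that project's documentation; assumed here, and no claim that the iSTAR firmware uses USBGuard).

```python
"""Default-deny USB authorization keyed on interface class; added example."""
from dataclasses import dataclass

# USB interface class codes (USB-IF assigned).
HID = 0x03             # keyboards, mice, keystroke injectors
MASS_STORAGE = 0x08
VENDOR_SPECIFIC = 0xFF


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple  # Interface entries as read from the configuration descriptor


# Allow list: VID:PID -> exact set of interface classes that identity must expose.
# Placeholder identifiers standing in for a controller's expansion modules; not real Johnson Controls IDs.
ALLOW_LIST = {
    (0x1234, 0x0001): frozenset({VENDOR_SPECIFIC}),
}


def decide(dev: UsbDevice, allow_list=ALLOW_LIST):
    """Return (authorized, reason). Everything is denied unless it is allow-listed AND its
    descriptor matches; a HID interface is refused even on an allow-listed identity."""
    classes = frozenset(i.cls for i in dev.interfaces)
    expected = allow_list.get((dev.vid, dev.pid))
    if expected is None:
        return False, "not on allow list"
    if HID in classes:
        # VID:PID is attacker-controlled: an injector can present the module's identity.
        # The interface list is what decides which kernel driver binds, so it is what we check.
        return False, "HID interface on an allow-listed identity"
    if classes != expected:
        return False, f"interface classes {sorted(classes)} differ from expected {sorted(expected)}"
    return True, "allow-listed identity with the expected interfaces"


def usbguard_rules(allow_list=ALLOW_LIST) -> str:
    """Render the same policy as USBGuard rules: explicit allows, then refuse HID, then default block.
    First matching rule wins, so the spoofed injector below misses the allow rule and hits the HID block."""
    lines = []
    for (vid, pid), classes in sorted(allow_list.items()):
        ifaces = " ".join(f"{c:02x}:*:*" for c in sorted(classes))
        lines.append(f"allow id {vid:04x}:{pid:04x} with-interface equals {{ {ifaces} }}")
    lines.append("block with-interface one-of { 03:*:* }")  # any HID interface, on any identity
    lines.append("block")                                    # default deny
    return "\n".join(lines)


# Constructed sample devices.
KEYBOARD = UsbDevice(0xAAAA, 0x0001, "ordinary keyboard", (Interface(HID, 1, 1),))
EXPANSION_MODULE = UsbDevice(0x1234, 0x0001, "expansion module", (Interface(VENDOR_SPECIFIC),))
SPOOFED_INJECTOR = UsbDevice(0x1234, 0x0001, "injector claiming the module's identity",
                             (Interface(VENDOR_SPECIFIC), Interface(HID, 1, 1)))
STORAGE_COMBO = UsbDevice(0xBBBB, 0x0002, "storage stick with a hidden keyboard",
                          (Interface(MASS_STORAGE, 6, 80), Interface(HID, 1, 1)))


if __name__ == "__main__":
    for dev in (KEYBOARD, EXPANSION_MODULE, SPOOFED_INJECTOR, STORAGE_COMBO):
        ok, why = decide(dev)
        print(f"{'ALLOW' if ok else 'DENY ':5} {dev.product}: {why}")
    print(usbguard_rules())
```

The check that matters is the spoofed injector: it carries the allowed VID:PID and still gets denied because its descriptor adds a HID interface. A policy that allow-lists identities without comparing the interface set would pass it. For iSTAR operators the practical use is as a test plan: after the 6.9.8 upgrade, a plain keyboard, a keyboard-class injector and a storage/HID composite plugged into the GCM ports should all be ignored, which is the behaviour the vendor has not documented.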
Evidence notes
CISA published ICSA-25-224-02 on 2025-08-12 with initial remediation guidance. Update A was issued on 2025-12-16, adding firmware version 6.9.8 as a validated mitigation for iSTAR Ultra and Ultra SE models. The advisory confirms iSTAR Ultra G2, Ultra G2 SE, and Edge G2 remain vulnerable across all firmware versions with no patch available. Johnson Controls has disclosed planned end-of-service for iSTAR Ultra within one year of publication, recommending hardware migration.
Official resources
- CVE-2025-53699 CVE record (CVE.org)
- CVE-2025-53699 NVD detail (NVD)
- Source item URL (cisa_csaf)