PatchSiren cyber security CVE debrief
CVE-2025-53700 Johnson Controls CVE debrief
A software signing key for Tyco NVR products is embedded in the firmware of Johnson Controls iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 door controllers running version 6.9.2 and prior. This key exposure could allow an attacker with local access to sign malicious firmware or software, potentially leading to unauthorized code execution with high impact on confidentiality, integrity, and availability. The vulnerability carries a CVSS 3.1 score of 8.8 (HIGH). Firmware version 6.9.3, released in 2024, reduces risk for iSTAR Ultra and Ultra SE, and fully fixes the issue for iSTAR Ultra G2, Ultra G2 SE, and Edge G2. CISA published this advisory on August 12, 2025, with an update on December 16, 2025 adding version 6.9.8 as an additional mitigation for physical access scenarios.
- Vendor: Johnson Controls
- Product: iSTAR Ultra
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-12
- Original CVE updated: 2025-12-16
- Advisory published: 2025-08-12
- Advisory updated: 2025-12-16
Who should care
Organizations using Johnson Controls iSTAR door controllers for physical access control, particularly in critical infrastructure, government facilities, healthcare, and commercial buildings where door controller integrity is essential for security operations.
Technical summary
The firmware of affected iSTAR door controllers contains an embedded software signing key intended for Tyco NVR products. This key exposure is present in versions 6.9.2 and prior. An attacker with local access could use this key to sign and install unauthorized firmware. The vulnerability requires local access (AV:L) with low attack complexity (AC:L) and low privileges (PR:L), but has a changed scope (S:C) with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H); the changed scope reflects that a compromised door controller affects components beyond the controller itself. iSTAR Ultra and Ultra SE receive risk reduction in 6.9.3 and additional physical access protection in 6.9.8. iSTAR Ultra G2, Ultra G2 SE, and Edge G2 are fully fixed in 6.9.3.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade iSTAR Ultra and Ultra SE to firmware version 6.9.8 to protect against physical access attacks
- Upgrade iSTAR Ultra G2, Ultra G2 SE, and Edge G2 to firmware version 6.9.3 or newer to fix the vulnerability
- Disable Pro Mode on iSTAR Ultra and iSTAR Ultra SE door controllers; use Ultra Mode instead
- Place iSTAR controllers in restricted access, protected areas per hardware installation manual to reduce physical tampering risk
- Implement network segmentation and access controls around iSTAR controllers regardless of firmware version
- Consider upgrading from iSTAR Ultra to newer control units as this device has planned end of service within one year
- Review Johnson Controls Product Security Advisory JCI-PSA-2025-10 for detailed mitigation instructions
- Contact Johnson Controls Trust Center for assistance and additional information
Evidence notes
The vulnerability description and remediation details are drawn from CISA CSAF advisory ICSA-25-224-02. The CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H is sourced from the advisory. Firmware version 6.9.3 was made available in 2024 per the remediation section. Version 6.9.8 was added in Update A (December 16, 2025) for physical access protection.
Official resources
- CVE-2025-53700 CVE record (CVE.org)
- CVE-2025-53700 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published advisory ICSA-25-224-02 on August 12, 2025. Johnson Controls released firmware 6.9.3 in 2024 to address this and related vulnerabilities. Update A on December 16, 2025 added firmware 6.9.8 as a recommended upgrade for iSTAR/2