These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2025-26385 is a critical Johnson Controls Metasys vulnerability that, under certain circumstances, could allow remote SQL execution. CISA’s CSAF republication covers Metasys Application and Data Server (ADS), Extended Application and Data Server (ADX), LCS8500, NAE8500, System Configuration Tool (SCT), and Controller Configuration Tool (CCT). The advisory directs defenders to apply Johnson Controls’ p [truncated]
A critical OS command injection vulnerability in Johnson Controls iSTAR Ultra access control systems allows authenticated attackers to achieve full device compromise. Published December 11, 2025, this HIGH-severity flaw (CVSS 8.8) affects multiple product lines across two version branches, with patched firmware now available.
A software signing key for Tyco NVR products is embedded in the firmware of Johnson Controls iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 door controllers running version 6.9.2 and prior. This key exposure could allow an attacker with local access to sign malicious firmware or software, potentially leading to unauthorized code execution with high impact on confidentiality, integrity, and avai [truncated]
A physical-access vulnerability in Johnson Controls iSTAR door controllers allows an attacker with direct hardware access to inject keystroke input via USB, effectively bypassing authentication boundaries by treating malicious keyboard input as legitimate local console commands. The GCM board USB ports, normally reserved for ACM (Access Control Module) connections, accept standard HID devices without rest [truncated]
CVE-2025-53698 documents an undocumented RJ11 serial console on Johnson Controls iSTAR GCM (General Controller Module) that provides U-Boot access. On older firmware, physical access to this console grants direct root shell access. Firmware version 6.8.1 and newer disables the console post-boot, but the U-Boot bootloader lacks protection, allowing potential re-enablement. The vulnerability affects iSTAR U [truncated]
Johnson Controls iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 door controllers contain a default 'root' password in firmware versions 6.9.2 and prior. An attacker with local access and high privileges can leverage this credential to gain root-level control over affected devices. The vulnerability was disclosed by CISA on August 12, 2025, with an update on December 16, 2025 adding version 6.9. [truncated]
Johnson Controls iSTAR Ultra and Ultra SE door controllers (versions 6.9.2 and prior) contain a firmware verification bypass vulnerability. The devices perform firmware verification on boot, but the verification process does not inspect certain portions of the firmware, allowing those regions to potentially contain malicious code. This vulnerability was published on August 12, 2025, and modified on Decemb [truncated]
A high-severity OS command injection vulnerability in Johnson Controls iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 door controllers allows authenticated attackers to escalate privileges to root access on device firmware. The vulnerability affects versions 6.9.2 and prior, with fixes available in version 6.9.3 and newer. CISA published this advisory on August 12, 2025, with an update on Decem [truncated]
CVE-2024-32753 is a medium-severity vulnerability affecting Johnson Controls Illustra Pro Gen 4 cameras. The vulnerability stems from the use of jQuery versions prior to 3.5.0, a third-party component with known security weaknesses. Under certain circumstances, the camera may be susceptible to these known jQuery vulnerabilities. The issue was published on July 9, 2024, with a CVSS 3.1 score of 6.9 (Medium [truncated]
A credential logging vulnerability in Johnson Controls Software House C●CURE 9000 allows Windows credentials to be written to IIS logs under specific conditions. The issue affects version 3.00.2 and is confined to the web server component; non-web service interfaces are not impacted. The vulnerability carries a HIGH-severity CVSS 3.1 score of 7.7, reflecting significant confidentiality and integrity impac [truncated]