Product Security Advisory

Date: August 13, 2025

Advisory IDs: JCI-PSA-2025-10, CVE-2025-53695, CVE-2025-53696, CVE-2025-53697, CVE-2025-53698, CVE-2025-53699, CVE-2025-53700, ICSA-25-224-02

Overview

Johnson Controls has identified a set of previously undiscovered vulnerabilities affecting the following Software House door controller models:

The identified vulnerabilities include:

Note: Johnson Controls made firmware version 6.9.3 available in 2024 to address CVE-2025-53695 and reduce the risk of exploitation for CVE-2025-53696, CVE-2025-53697, and CVE-2025-53700. The remaining two vulnerabilities require direct physical access to the controller.

CVE-2025-53695: OS Command Injection

Impact

This vulnerability impacts Software House iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 door controllers. Under certain circumstances, the web application may allow an authenticated attacker to gain privileged access ('root' user) to the device firmware.

Affected Versions

Mitigation

Upgrade affected iSTAR models to version 6.9.3 or higher. Johnson Controls strongly recommends disabling the web server on iSTAR after initial installation, following the hardening guide.

CVE-2025-53696: Insufficient Verification of Data Authenticity

Impact

This vulnerability affects iSTAR Ultra and iSTAR Ultra SE door controllers. While these versions perform firmware verification on boot, the verification does not inspect certain firmware portions. This can be exploited via OS command injection (as described in CVE-2025-53695) by an authenticated user.

Affected Versions

Mitigation

Update iSTAR Ultra and iSTAR Ultra SE door controllers to version 6.9.3 or higher. Disabling the web server on iSTAR after initial installation is also strongly recommended, per the hardening guide.

CVE-2025-53697: Use of Default Credentials / OS Command Access

Impact

This vulnerability affects Software House iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 door controllers. When an attacker can leverage command injection (CVE-2025-53695), it may be possible to utilize a default root password, which can be changed via the command shell.

Affected Versions

Mitigation

Update affected iSTAR models to version 6.9.3 or higher. Disabling the web server on iSTAR after initial installation is also strongly recommended, per the hardening guide.

CVE-2025-53698: Physical Serial Access

Impact

This vulnerability affects Software House iSTAR Ultra and iSTAR Ultra SE door controllers. If an attacker gains physical access, they may be able to access the iSTAR GCM (General Controller Module) serial console, providing access to U-Boot.

Affected Versions

Mitigation

Ensure physical access to iSTAR Ultra and iSTAR Ultra SE door controllers is limited to authorized personnel. Install door controllers in locked enclosures with physical tamper switches, adhering to industrial standards and installation/hardening guides.

CVE-2025-53699: Physical USB Access

Impact

This vulnerability affects Software House iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 door controllers. If an attacker gains physical access, they may be able to access a USB console on the controller board.

Affected Versions

Mitigation

Ensure physical access to iSTAR door controllers is limited to authorized personnel. Install door controllers in locked enclosures with physical tamper switches, adhering to industrial standards and installation/hardening guides.

CVE-2025-53700: Firmware Signing Key Access

Impact

This vulnerability affects Software House iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 door controllers (versions 6.9.2.CU02 and prior). By exploiting OS command injection (CVE-2025-53695), an authenticated user may access a firmware signing key used with other products.

Affected Versions

Mitigation

Update affected iSTAR models to version 6.9.3 or higher. Disabling the web server on iSTAR after initial installation is also strongly recommended, per the hardening guide.
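The advisory repeats two mitigations for the network-reachable issues: run firmware 6.9.3 or higher, and disable the web server after installation. The following Python script is an added example, not part of this advisory and not Johnson Controls tooling; it applies those two checks to a controller inventory so an operator can see which units still need attention. The version format with the ".CU" suffix is taken from the advisory's "6.9.2.CU02"; the inventory entries, hostnames and the 6.9.10 version string are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# First firmware version the advisory names as containing the fix.
FIXED_VERSION = "6.9.3"

# Models the advisory lists as affected by the web-reachable CVEs.
AFFECTED_MODELS = {
    "iSTAR Ultra", "iSTAR Ultra SE", "iSTAR Ultra G2",
    "iSTAR Ultra G2 SE", "iSTAR Edge G2",
}

# major.minor.patch with an optional cumulative-update suffix such as ".CU02"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.CU(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse an iSTAR-style firmware version into a comparable tuple.

    The CU suffix becomes a fourth numeric component, so 6.9.2.CU02 sorts
    after 6.9.2 but before 6.9.3. Comparing the raw strings instead would
    mis-order 6.9.10 against 6.9.3.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version format: {version!r}")
    major, minor, patch, cu = m.groups()
    return (int(major), int(minor), int(patch), int(cu or 0))


def is_vulnerable_firmware(version: str) -> bool:
    """True when the firmware predates the advisory's fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class Controller:
    name: str
    model: str
    firmware: str
    web_server_enabled: bool


def triage(controllers: List[Controller]) -> List[Tuple[str, List[str]]]:
    """Return (controller name, list of outstanding mitigations) per unit."""
    findings = []
    for c in controllers:
        issues = []
        if c.model in AFFECTED_MODELS and is_vulnerable_firmware(c.firmware):
            issues.append(f"firmware {c.firmware} is below {FIXED_VERSION}: upgrade")
        if c.web_server_enabled:
            issues.append("web server enabled: disable after installation per hardening guide")
        findings.append((c.name, issues))
    return findings


# Constructed inventory (hostnames and the 6.9.10 value are made up for illustration).
SAMPLE_INVENTORY = [
    Controller("lobby-1", "iSTAR Ultra", "6.9.2.CU02", True),
    Controller("dock-2", "iSTAR Ultra G2", "6.9.3", True),
    Controller("lab-3", "iSTAR Edge G2", "6.9.10", False),
]

if __name__ == "__main__":
    for name, issues in triage(SAMPLE_INVENTORY):
        status = "; ".join(issues) if issues else "no outstanding mitigations"
        print(f"{name}: {status}")
```

Feed it an export of your own controller list; units listed as affected but with no outstanding items are the only ones that satisfy both of the advisory's repeated recommendations.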

Resources and Additional Guidance

For more information and detailed guidance, please refer to the following resources:

In addition to the guidance provided in this advisory, Johnson Controls recommends applying the guidance within the Johnson Controls Hardening Guide to minimize security risk. Visit the Johnson Controls Trust Center Cybersecurity website for the latest hardening guidelines and best practices.
