Buffer Overflow Vulnerability in iSTAR Configuration Utility by Johnson Controls
CVE-2025-26382

9.3CRITICAL

Key Information:

Vendor: Johnson Controls
Status: Istar Configuration Utility (icu)
Vendor: CVE Published:; 24 April 2025

🔔 Create Johnson Controls Vulnerability Alert

What is CVE-2025-26382?

The iSTAR Configuration Utility from Johnson Controls is susceptible to a buffer overflow vulnerability under specific conditions, potentially allowing attackers to execute arbitrary code or disrupt the system's performance. This vulnerability poses a serious risk, particularly in environments where the integrity and availability of systems are critical.

Affected Version(s)

iSTAR Configuration Utility (ICU) 0

References

https://www.johnsoncontrols.com/trust-center/cybersecurit...

https://www.cisa.gov/news-events/ics-advisories/icsa-25-1...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2025
Vulnerability Reserved
Feb 7, 2025

Credit

Reid Wightman

JSON