Firmware Modification Vulnerability in Johnson Controls Products
CVE-2025-43873

8.7HIGH

Key Information:

Vendor: Johnson Control
Status: Istar Ultra, Istar Ultra Se, Istar Ultra G2, Istar Ultra G2 Se, Istar Edge G2
Vendor: CVE Published:; 17 December 2025

🔔 Create Johnson Control Vulnerability Alert

What is CVE-2025-43873?

This vulnerability could allow an attacker to alter firmware within Johnson Controls devices, potentially leading to unauthorized control and access. Exploitation may compromise device integrity, making it crucial for organizations using affected products to prioritize security measures and updates. Stay informed by consulting cybersecurity advisories and patches provided by Johnson Controls.

Affected Version(s)

iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 0 <= 6.9.3

References

https://www.johnsoncontrols.com/trust-center/cybersecurit...

https://www.cisa.gov/news-events/ics-advisories/icsa-25-3...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 17, 2025
Vulnerability Reserved
Apr 17, 2025

Credit

Reid Wightman of Dragos reported these vulnerabilities to CISA.

JSON