Device Access Vulnerability in Johnson Controls Products
CVE-2025-43875

8.7 HIGH

What is CVE-2025-43875?

A security misconfiguration vulnerability exists in Johnson Controls Smart Security Devices that could allow an unauthorized user to gain access to the device under specific conditions. Exploitation can lead to unauthorized control of the device and potential data breaches, so the recommended security practices should be implemented to mitigate the risk of unauthorized access.

Affected Version(s)

iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2: versions up to and including 6.9.2

iSTAR Ultra, iSTAR Ultra SE: versions up to and including 6.9.7

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Johnson Controls reported these vulnerabilities to CISA.