Security Flaw in Johnson Controls' Products Allowing Unauthorized Device Access
CVE-2025-43876

8.7 HIGH

What is CVE-2025-43876?

This security flaw in Johnson Controls' product line enables potential attackers to gain unauthorized access under specific conditions. If exploited, the vulnerability may allow for intrusive actions that can compromise device integrity and user safety. It is crucial for users of affected products to stay informed and apply necessary patches to mitigate risks.

Affected Version(s)

iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 0 <= 6.9.2

iSTAR Ultra, iSTAR Ultra SE 0 <= 6.9.7

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Johnson Controls reported these vulnerabilities to CISA.