98 matches found
Johnson Controls iSTAR Configuration Utility < 6.9.8 Stack-based Buffer Overflow
The version of Johnson Controls iSTAR Configuration Utility ICU installed on the remote Windows host is prior to 6.9.8. It is, therefore, affected by a stack-based buffer overflow vulnerability that could result in failure within the operating system of the machine hosting the ICU tool. Note that...
CVE-2025-26386
Johnson Controls iSTAR Configuration Utility ICU has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility ICU version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the...
CVE-2025-26386
Johnson Controls iSTAR Configuration Utility ICU has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility ICU version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the...
CVE-2025-26386 Stack-based Buffer Overflow in Johnson Controls iSTAR Configuration Utility (ICU) tool
Johnson Controls iSTAR Configuration Utility ICU has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility ICU version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the...
CVE-2025-26386 Stack-based Buffer Overflow in Johnson Controls iSTAR Configuration Utility (ICU) tool
Johnson Controls iSTAR Configuration Utility ICU has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility ICU version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the...
EUVD-2025-206488
Johnson Controls iSTAR Configuration Utility ICU has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility ICU version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the...
CVE-2025-26386
Johnson Controls iSTAR Configuration Utility ICU has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility ICU version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the...
CVE-2025-26386
Johnson Controls iSTAR Configuration Utility (ICU) on Windows is affected by a stack-based buffer overflow in ICU versions up to and including 6.9.7 (prior to 6.9.8). Successful exploitation could cause the host OS to fail, per NVD/Red Hat/Nessus/ICS advisories. A fixed version, ICU 6.9.8, is ref...
PT-2026-5091
Johnson Controls iSTAR Configuration Utility ICU has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility ICU version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the...
Johnson Controls iSTAR Configuration Utility security vulnerability
Johnson Controls iSTAR Configuration Utility is a software tool developed by Johnson Controls for configuring and managing iSTAR Controllers. Versions of the ICU 6.9.7 and earlier contain security vulnerabilities; these vulnerabilities stem from stack buffer overflows, which may lead to operating...
Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool
RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a failure within the operating system of the machine hosting the ICU tool. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of this...
CVE-2025-43876 iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, iSTAR Edge G2 - Authenticated web application command injection - get8021xSettings
Under certain circumstances a successful exploitation could result in access to the device...
CVE-2025-43876
CVE-2025-43876 affects Johnson Controls iSTAR family (Ultra, Ultra SE, Ultra G2, Ultra G2 SE, iSTAR Edge G2). It is described as an authenticated web application command injection impacting get8021xSettings, with a root cause leading to unauthorized device access under certain circumstances. Publ...
CVE-2025-43876 iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, iSTAR Edge G2 - Authenticated web application command injection - get8021xSettings
Under certain circumstances a successful exploitation could result in access to the device...
CVE-2025-43875 iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, iSTAR Edge G2 - Authenticated web application command injection - getOptionsInfo
Under certain circumstances a successful exploitation could result in access to the device...
CVE-2025-43875
CVE-2025-43875 is associated with Johnson Controls iSTAR product family (iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and iSTAR Edge G2). Connected records describe an authenticated web application command injection labeled as getOptionsInfo, indicating a web-application vector that could lead t...
CVE-2025-43875 iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, iSTAR Edge G2 - Authenticated web application command injection - getOptionsInfo
Under certain circumstances a successful exploitation could result in access to the device...
Security vulnerability in multiple Johnson Controls products
Johnson Controls iSTAR Ultra and others are products of Johnson Controls, Inc. Johnson Controls iSTAR Ultra is an access controller. Johnson Controls iSTAR Ultra SE is an access controller software. Johnson Controls iSTAR Ultra G2 is an access control controller software. A security vulnerability...
Security vulnerability in multiple Johnson Controls products
Johnson Controls iSTAR Ultra and others are products of Johnson Controls, Inc. Johnson Controls iSTAR Ultra is an access controller. Johnson Controls iSTAR Ultra SE is an access controller software. Johnson Controls iSTAR Ultra G2 is an access control controller software. A security vulnerability...
CVE-2025-43873
Johnson Controls iSTAR Ultra/Ultra SE/Ultra LT (versions prior to 6.9.7.CU01) and Ultra G2/Edge G2 (prior to 6.9.3) are affected by an OS Command Injection vulnerability in the web application that could allow an attacker to modify firmware and gain full device control. Root cause: authenticated ...