Johnson Controls has issued security advisories for its iSTAR family of door controllers covering two high-severity vulnerabilities that could allow attackers to execute arbitrary commands on the controllers over the network. The vulnerabilities, tracked as CVE-2025-43875 and CVE-2025-43876, affect multiple iSTAR controller models and pose significant risk to physical security systems in commercial, government, and industrial facilities worldwide.
Critical Vulnerabilities in Physical Security Infrastructure
The newly disclosed vulnerabilities represent serious threats to building security systems that rely on Johnson Controls' iSTAR controllers for access management. According to security researchers, these flaws could enable unauthorized individuals to bypass physical security measures, manipulate door access controls, and potentially gain entry to restricted areas. The iSTAR controllers serve as critical components in integrated security systems, managing electronic door locks, access credentials, and entry logging across facilities.
CVE-2025-43875 is a command injection vulnerability that could allow an authenticated attacker to execute arbitrary commands with elevated privileges. It stems from improper input validation in the controller's web interface: specially crafted requests reach a code path that passes attacker-controlled input to the underlying system without adequate checks. CVE-2025-43876 involves insufficient authentication on the controller's network interfaces, which could enable command execution by a party that has not properly authenticated. Read together, the two matter as a pair: an authentication weakness on the network interface lowers the bar an attacker must clear before the command-injection flaw, which otherwise requires valid credentials, becomes reachable.
Technical Analysis of the Security Flaws
Both vulnerabilities affect iSTAR Pro and iSTAR Ultra controllers running vulnerable firmware versions. These devices typically operate as part of a larger security ecosystem, connected to the enterprise network while managing physical access points. The command injection vulnerability targets the web administration interface: an attacker can place shell metacharacters or additional commands in an HTTP request parameter that the firmware fails to sanitize before using it in a system command.
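The pattern the paragraph describes, as an added example in generic Python rather than code from the iSTAR firmware or from Johnson Controls: an embedded web handler that builds a shell command from a request parameter, beside a hardened version of the same handler. The "reachability test" endpoint, the `host` parameter name, and the use of `echo` in place of a real diagnostic tool are assumptions made so the example runs safely; the injected input is constructed.

```python
"""Command injection in a device web handler: vulnerable vs hardened.

Added illustration of the vulnerability class. Not derived from iSTAR
firmware; the endpoint, parameter name and diagnostic tool are assumed.
"""
import re
import subprocess

# Assumption: the admin UI offers a reachability test that takes a host
# from the request and runs a system tool against it. `echo` stands in
# for the real tool so the example is harmless to run.
DIAG_TOOL = ["echo"]


def vulnerable_handler(form):
    """The bug pattern: untrusted input concatenated into a shell string."""
    target = form.get("host", "")
    # shell=True hands the string to /bin/sh, which interprets ';', '|',
    # '$(...)' and friends inside `target` as command syntax.
    cmd = "echo probing " + target
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


# Allow-list for a DNS hostname or dotted IPv4 literal (RFC 1123 labels).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def hardened_handler(form):
    """Allow-list validation plus argv execution with no shell involved."""
    target = form.get("host", "")
    if len(target) > 253 or not HOSTNAME_RE.match(target):
        raise ValueError("rejected host parameter")
    # shell=False: the value is one argv element passed verbatim to the
    # program; metacharacters cannot split it into a second command.
    out = subprocess.run(DIAG_TOOL + ["probing", target],
                         shell=False, capture_output=True, text=True)
    return out.stdout


PAYLOAD = {"host": "10.0.0.1; echo INJECTED"}   # constructed attacker input
BENIGN = {"host": "door-ctl-01.example.local"}  # constructed normal input

if __name__ == "__main__":
    print(vulnerable_handler(PAYLOAD), end="")  # second line "INJECTED" is the injected command's output
    print(hardened_handler(BENIGN), end="")
    try:
        hardened_handler(PAYLOAD)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Validation alone is not the fix: the hardened version rejects the payload, but it is the argv-list call without a shell that guarantees a value which slips past the regex still cannot become a second command.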
Research indicates that successful exploitation could allow attackers to:
- Modify access control policies and permissions
- Disable security monitoring and alerting functions
- Manipulate door lock states and schedules
- Access sensitive credential databases
- Establish persistent backdoors in security infrastructure
Affected Products and Firmware Versions
Johnson Controls has identified multiple affected products in their security advisory. The vulnerable devices include:
- iSTAR Pro controllers (multiple models)
- iSTAR Ultra controllers
- Related door control modules and expansion units
Firmware versions prior to the patched releases contain the vulnerable code. Organizations using these controllers should immediately compare the firmware version on every deployed unit against the fixed versions listed in Johnson Controls' security bulletins, model by model, rather than assuming a whole fleet is at one level. The company has released firmware updates addressing both vulnerabilities. Because a controller reboot affects live doors, deployment needs planning: stage the update on a non-production or low-impact controller first, schedule production updates for a low-occupancy window, and confirm beforehand how each door behaves while its controller is offline so that staff can cover it.
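A fleet audit of the kind the paragraph calls for, as an added example that is not Johnson Controls tooling. The inventory rows and the minimum fixed versions are constructed placeholders; the real thresholds must come from the vendor bulletin for each model. The example also shows why the comparison has to be numeric: a plain string comparison would rank "6.9.1" above "6.10.0".

```python
"""Audit an asset inventory against minimum fixed firmware versions.

Added example, not vendor tooling. INVENTORY and MIN_FIXED are
constructed placeholders; take real fixed versions from the bulletin.
"""
import re

# Constructed inventory export (hypothetical columns). Not real devices.
INVENTORY = [
    {"site": "HQ-B1", "model": "iSTAR Ultra", "firmware": "6.9.1"},
    {"site": "HQ-B2", "model": "iSTAR Ultra", "firmware": "6.10.0"},
    {"site": "Lab-3", "model": "iSTAR Pro",   "firmware": "5.2.2-build17"},
    {"site": "DC-1",  "model": "iSTAR Pro",   "firmware": "unknown"},
]

# Placeholder thresholds: replace with the fixed version per model from
# the Johnson Controls security bulletin.
MIN_FIXED = {"iSTAR Ultra": "6.10.0", "iSTAR Pro": "5.3.0"}


def parse_version(s):
    """Leading dotted numeric version as a tuple of ints; build suffixes
    such as '-build17' are ignored. Returns None if no version is found."""
    m = re.match(r"^(\d+(?:\.\d+)*)", s.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(installed, minimum):
    """Numeric comparison with zero padding so '6.10' equals '6.10.0'.
    Anything unparsable is treated as unpatched (fail closed)."""
    a, b = parse_version(installed), parse_version(minimum)
    if a is None or b is None:
        return False
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def audit(inventory, min_fixed):
    """Return (site, reason) for every device needing attention."""
    findings = []
    for dev in inventory:
        threshold = min_fixed.get(dev["model"])
        if threshold is None:
            findings.append((dev["site"], "no fixed version known for model"))
        elif not is_patched(dev["firmware"], threshold):
            findings.append((dev["site"], f"{dev['firmware']} < {threshold}"))
    return findings


if __name__ == "__main__":
    for site, reason in audit(INVENTORY, MIN_FIXED):
        print(f"{site}: {reason}")
```

Devices whose firmware cannot be read or parsed are reported rather than silently skipped; in an access-control fleet those are usually the units nobody has touched in years and the ones most likely to still be vulnerable.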
Real-World Impact and Attack Scenarios
The practical implications of these vulnerabilities are particularly concerning given the role iSTAR controllers play in physical security. In a typical attack scenario, an attacker with network access to the controller could remotely manipulate door access without triggering security alerts. This could enable unauthorized physical access to sensitive areas, including server rooms, research laboratories, executive offices, or secure storage facilities.
Security experts note that these vulnerabilities are especially dangerous because they affect the boundary between digital and physical security. A successful exploit could allow attackers to bypass multiple layers of physical security by manipulating the electronic controls that manage door access. This creates potential pathways for theft, espionage, or sabotage activities that traditional network security measures might not detect.
Mitigation Strategies and Security Recommendations
Organizations using affected iSTAR controllers should implement several immediate security measures:
- Apply Firmware Updates: Immediately deploy the security patches provided by Johnson Controls for all affected iSTAR controllers. These updates address the command injection vulnerability and strengthen authentication mechanisms.
- Network Segmentation: Isolate door controller networks from general corporate networks using firewalls and VLAN segmentation. Restrict network access to controllers to authorized management stations only.
- Access Control Review: Audit and strengthen authentication credentials for all iSTAR controller administrative interfaces. Implement multi-factor authentication where supported.
- Monitoring and Logging: Enhance security monitoring for unusual access patterns or configuration changes to door controllers. Implement alerting for unauthorized access attempts.
- Regular Security Assessments: Conduct periodic vulnerability assessments of physical security systems, including penetration testing of access control infrastructure.
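The segmentation and monitoring items above, turned into detection logic, as an added example that is not part of the original article or of any Johnson Controls product. The log format is a simplified, constructed one (the real product's logging differs), and the management subnet, maintenance window and failed-login threshold are assumed site policy. The rules flag administrative traffic from outside the authorized management stations, a burst of failed logins followed by a success, and configuration changes outside the approved window.

```python
"""Detection rules over access-control management logs.

Added example, not vendor software. Log format is constructed and
simplified; MGMT_NETS, CHANGE_WINDOW and the threshold are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, time

# Assumed site policy.
MGMT_NETS = [ipaddress.ip_network("10.20.30.0/24")]  # authorized admin stations
CHANGE_WINDOW = (time(8, 0), time(10, 0))            # approved maintenance window
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ctl=(?P<ctl>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+)(?: result=(?P<result>\S+))?"
)

# Constructed sample log lines (not real controller output).
SAMPLE_LOG = """\
2025-07-01T09:14:02 ctl=istar-b1 src=10.20.30.5 user=facilities action=login result=ok
2025-07-01T09:15:40 ctl=istar-b1 src=10.20.30.5 user=facilities action=config_change result=ok
2025-07-01T13:02:11 ctl=istar-b2 src=192.168.77.9 user=admin action=login result=fail
2025-07-01T13:02:13 ctl=istar-b2 src=192.168.77.9 user=admin action=login result=fail
2025-07-01T13:02:15 ctl=istar-b2 src=192.168.77.9 user=admin action=login result=fail
2025-07-01T13:02:20 ctl=istar-b2 src=192.168.77.9 user=admin action=login result=ok
2025-07-01T13:03:01 ctl=istar-b2 src=192.168.77.9 user=admin action=door_unlock result=ok
2025-07-01T13:03:30 ctl=istar-b2 src=192.168.77.9 user=admin action=config_change result=ok
"""


def parse(log_text):
    """Parse lines into dicts; lines that do not match are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def in_mgmt_net(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MGMT_NETS)


def in_change_window(ts):
    return CHANGE_WINDOW[0] <= ts.time() <= CHANGE_WINDOW[1]


def detect(events):
    """Return (rule, controller, detail) alerts in log order."""
    alerts = []
    failures = defaultdict(int)       # (controller, source) -> failed logins
    reported_sources = set()          # alert once per unauthorized source
    for e in events:
        key = (e["ctl"], e["src"])
        if not in_mgmt_net(e["src"]) and key not in reported_sources:
            reported_sources.add(key)
            alerts.append(("unauthorized_source", e["ctl"], f"{e['action']} from {e['src']}"))
        if e["action"] == "login":
            if e["result"] == "fail":
                failures[key] += 1
                if failures[key] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("login_bruteforce", e["ctl"], f"{failures[key]} failures from {e['src']}"))
            elif failures[key] >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("success_after_failures", e["ctl"], f"user {e['user']} from {e['src']}"))
        if e["action"] == "config_change" and not in_change_window(e["ts"]):
            alerts.append(("config_change_outside_window", e["ctl"],
                           f"by {e['user']} at {e['ts'].isoformat()}"))
    return alerts


if __name__ == "__main__":
    for rule, ctl, detail in detect(parse(SAMPLE_LOG)):
        print(f"{rule:30} {ctl:10} {detail}")
```

The unauthorized-source rule is the one that most directly backs the segmentation control: if the firewall and VLAN boundary are correct, it should never fire, so any hit is either a policy gap or an attacker who has already crossed the boundary. The login sequence at 13:02 is reported twice on purpose: once when the failures cross the threshold, and again when a success follows them, since the second event is the one worth paging on.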
Industry Context and Broader Implications
These vulnerabilities in Johnson Controls' iSTAR controllers follow a pattern of increasing security concerns in physical access control systems. As building security systems become more interconnected with IT networks, they present attractive targets for cyber attackers seeking to bypass physical security measures. The convergence of physical and cybersecurity creates new attack surfaces that organizations must address through integrated security strategies.
The disclosure of CVE-2025-43875 and CVE-2025-43876 highlights the importance of security-by-design principles in physical security equipment. Manufacturers must implement robust input validation, proper authentication mechanisms, and regular security testing throughout product development cycles. Organizations deploying such systems should include them in their overall cybersecurity governance frameworks.
Long-Term Security Considerations
Beyond immediate patching, organizations should consider several long-term security enhancements for their physical access control systems:
- Supply Chain Security: Evaluate the security practices of physical security equipment vendors during procurement processes
- Incident Response Planning: Develop specific incident response procedures for physical security system compromises
- Security Training: Include physical security systems in cybersecurity awareness training for IT and facilities staff
- Regular Updates: Establish processes for regular security updates and patch management for all physical security devices
- Defense in Depth: Implement multiple layers of security controls rather than relying solely on electronic access systems
Regulatory and Compliance Implications
Organizations in regulated industries may face additional compliance requirements related to these vulnerabilities. Industries such as healthcare, finance, government, and critical infrastructure have specific security standards that may require prompt remediation of such vulnerabilities. Failure to address these security flaws could potentially violate:
- Data protection regulations when access controls protect sensitive information
- Industry-specific security standards for physical protection of assets
- Contractual obligations with clients or partners regarding facility security
- Insurance requirements for physical security measures
Conclusion: Prioritizing Converged Security
The discovery of critical vulnerabilities in Johnson Controls' iSTAR door controllers serves as a stark reminder that physical security systems are increasingly vulnerable to cyber attacks. As organizations continue to digitize and interconnect their security infrastructure, they must apply the same rigorous security practices to physical access controls as they do to traditional IT systems. The convergence of physical and cybersecurity demands integrated approaches, regular vulnerability management, and ongoing security awareness across both domains.
Security teams should work closely with facilities management to ensure that physical security systems receive appropriate cybersecurity attention, including regular updates, proper network segmentation, and comprehensive monitoring. By treating physical security infrastructure as critical components of their overall security posture, organizations can better protect against threats that bridge the digital and physical worlds.