CVE-2025-26386
📋 TL;DR
Johnson Controls iSTAR Configuration Utility (ICU) versions 6.9.7 and earlier contain a stack-based buffer overflow vulnerability (CWE-121). This could allow attackers to crash the operating system of the machine running the ICU tool, potentially leading to denial of service or arbitrary code execution. Organizations using iSTAR Configuration Utility for building automation systems are affected.
💻 Affected Systems
- Johnson Controls iSTAR Configuration Utility (ICU)
⚠️ Manual Verification Required
The CVE record this page was generated from carries no machine-readable affected-version range, so automatic vulnerability matching cannot tell whether your install is affected.
Why? The database entry lists no structured version ranges; the "6.9.7 and earlier" range quoted above comes from the advisory text, so confirm your installed version by hand (see How to Verify below).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution on the host running ICU, leading to complete compromise of that machine and a foothold from which an attacker could pivot to the iSTAR controllers it manages or to the corporate network.
Likely Case
Denial of service causing the ICU tool to crash and potentially disrupting building automation configuration and management operations.
If Mitigated
Limited impact if the tool is isolated on a dedicated management network with strict access controls and monitoring.
🎯 Exploit Status
No public exploit is referenced on this page. Stack-based overflows are a well-understood bug class: a crash (denial of service) is the easy outcome, while turning one into code execution depends on the binary's mitigations (stack cookies, DEP, ASLR) and takes more expertise. The advisory describes the impact as failure of the operating system on the ICU host.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Johnson Controls advisory for latest patched version
Vendor Advisory: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
Restart Required: Yes
Instructions:
1. Review security advisory ICSA-26-022-04 and the Johnson Controls Trust Center advisory for this CVE
2. Download and install the latest version of iSTAR Configuration Utility from Johnson Controls
3. Restart the system after installation
4. Verify the update was successful: Help > About should now show a version newer than 6.9.7
🔧 Temporary Workarounds
Network Segmentation (all platforms)
Isolate the ICU host on a dedicated management VLAN with firewall rules that allow only authorized administrator workstations to reach it.
Access Control (Windows)
Restrict who can log on to the ICU host and who has permission to run the ICU tool; only the staff who configure iSTAR controllers need it.
🧯 If You Can't Patch
- Segment the network to isolate the ICU tool from critical systems and internet access.
- Implement application allowlisting to prevent unauthorized execution of the ICU tool.
🔍 How to Verify
Check if Vulnerable:
Check the ICU version in the application's About menu or Help > About section. If version is 6.9.7 or earlier, the system is vulnerable.
Check Version:
Typically checked through the application GUI (Help > About). No standard command-line version check available.
Verify Fix Applied:
After updating, verify the version number shows a version higher than 6.9.7 and test basic ICU functionality to ensure the patch didn't break core features.
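The page notes there is no documented command-line version check, so the following is an added example, not Johnson Controls code and not a script from this page. It reads the installed version from the Windows Uninstall registry keys (64-bit, WOW6432Node and per-user), with a fallback to the binary's version resource, and compares it with the 6.9.7 ceiling stated in the advisory. The DisplayName pattern "*iSTAR Configuration Utility*" and the assumption that the version is a dotted numeric string are assumptions; the real entry name and install layout are not documented here, so adjust -NamePattern or pass -ExePath if it finds nothing.

```powershell
<#
Added example: not Johnson Controls code and not the page's own script.
Checks the installed iSTAR Configuration Utility version against the
"6.9.7 and earlier" range the advisory states.

ASSUMPTIONS (not documented on this page):
  - the installer registers an Uninstall entry whose DisplayName contains
    "iSTAR Configuration Utility" (override with -NamePattern if it differs)
  - DisplayVersion / the binary's version resource is a dotted numeric string
Run as: .\Check-IcuVersion.ps1 [-ExePath 'C:\path\to\ICU.exe']
#>
[CmdletBinding()]
param(
    [string]$ExePath,                                   # optional fallback: path to the ICU binary
    [string]$NamePattern = '*iSTAR Configuration Utility*',
    [version]$MaxAffected = [version]'6.9.7'            # highest vulnerable version per the advisory
)

# Pad missing components with 0 so "6.9.7" and "6.9.7.0" compare as equal;
# .NET treats an absent component as -1, which would make 6.9.7.0 look newer than 6.9.7.
function ConvertTo-PaddedVersion {
    param([version]$V)
    [version]::new($V.Major, [math]::Max($V.Minor, 0), [math]::Max($V.Build, 0), [math]::Max($V.Revision, 0))
}

# Extract the first dotted numeric run from strings like "6.9.7 (build 1234)"; $null if none
function ConvertTo-VersionOrNull {
    param([string]$Text)
    if ($Text -match '(\d+(\.\d+){1,3})') {
        try { return ConvertTo-PaddedVersion ([version]$Matches[1]) } catch { return $null }
    }
    return $null
}

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',               # 64-bit installs
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',   # 32-bit installs on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'                # per-user installs
)

$found = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.DisplayName
                RawVer  = $_.DisplayVersion
                Version = ConvertTo-VersionOrNull $_.DisplayVersion
                Source  = $_.PSPath
            }
        }
}

# Fallback when no Uninstall entry matched: read the version resource of the binary itself
if (-not $found -and $ExePath -and (Test-Path $ExePath)) {
    $vi  = (Get-Item $ExePath).VersionInfo
    $raw = if ($vi.ProductVersion) { $vi.ProductVersion } else { $vi.FileVersion }
    $found = [pscustomobject]@{
        Name    = $vi.ProductName
        RawVer  = $raw
        Version = ConvertTo-VersionOrNull $raw
        Source  = $ExePath
    }
}

if (-not $found) {
    Write-Warning "No ICU install matched '$NamePattern'; check Help > About by hand."
    return
}

$padMax = ConvertTo-PaddedVersion $MaxAffected
foreach ($item in $found) {
    $status = if ($null -eq $item.Version)       { 'UNKNOWN (version string not parseable)' }
              elseif ($item.Version -le $padMax) { "VULNERABLE (<= $MaxAffected)" }
              else                               { "NOT AFFECTED (newer than $MaxAffected)" }
    [pscustomobject]@{ Name = $item.Name; Version = $item.RawVer; Status = $status; Source = $item.Source }
}
```

The padding step matters: a naive `[version]'6.9.7.0' -le [version]'6.9.7'` is false in .NET, so an installer that writes a four-part version would be reported as patched. Run the script on each workstation that has ICU installed, or wrap it in Invoke-Command for a fleet, and treat UNKNOWN as "check by hand", not as "safe".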
📡 Detection & Monitoring
Log Indicators:
- Application crashes of iSTAR Configuration Utility
- Unexpected process terminations
- Application Error (Event ID 1000) and Windows Error Reporting (Event ID 1001) entries in the Application log naming the ICU executable; an exception code of 0xc0000005 (access violation) or 0xc0000409 (stack buffer overrun detected by the stack-cookie check) points to a memory-safety fault rather than an ordinary crash
Network Indicators:
- Unusual network traffic to/from the ICU tool's management port
- Connection attempts from unauthorized IP addresses
SIEM Query:
(source="windows" AND (event_id=1000 OR event_id=1001) AND process_name="*istar*") OR (source="firewall" AND dest_port=[ICU_PORT] AND NOT src_ip IN [AUTHORIZED_IPS])
The two clauses are parenthesized so the OR does not bind only the last firewall condition; [ICU_PORT] and [AUTHORIZED_IPS] are placeholders for your environment.
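For hosts that are not forwarding to a SIEM, the host-side half of that query can be run directly against the Windows event log. The following is an added example, not Johnson Controls code and not the page's own query: it pulls Application Error (1000) and Windows Error Reporting (1001) events from the local Application log, keeps those whose message mentions the ICU process, and rates each by its exception code so that memory-safety faults (access violation, stack-cookie failure, heap corruption) stand out from ordinary crashes. Assumptions: the process name contains "istar" (a parameter), Event 1000 follows the standard Application Error property layout (index 0 application, 3 module, 6 exception code), and Event 1001 APPCRASH reports carry the exception code as "P7:" in the message text.

```powershell
<#
Added example: not Johnson Controls code and not the page's own query.
Pulls Application Error (ID 1000) and Windows Error Reporting (ID 1001) events
from the Application log and flags crashes of the ICU process, rating those whose
exception code indicates a memory-safety fault.

ASSUMPTIONS (not on this page):
  - the ICU process name contains "istar" (override with -ProcessPattern)
  - Event 1000 uses the standard Application Error property layout:
    index 0 = faulting application, 3 = faulting module, 6 = exception code
  - Event 1001 APPCRASH reports carry the exception code as "P7:" in the message
#>
[CmdletBinding()]
param(
    [string]$ProcessPattern = 'istar',
    [int]$LookbackHours = 24,
    [string]$ComputerName = $env:COMPUTERNAME
)

# NTSTATUS codes that mean memory corruption, not an ordinary unhandled error
$memorySafetyCodes = @{
    '0xc0000005' = 'STATUS_ACCESS_VIOLATION (bad pointer, possibly a smashed return address)'
    '0xc0000409' = 'STATUS_STACK_BUFFER_OVERRUN (stack-cookie check failed / fail-fast)'
    '0xc0000374' = 'STATUS_HEAP_CORRUPTION'
}

function Get-IcuCrashEvents {
    $filter = @{
        LogName      = 'Application'
        ProviderName = @('Application Error', 'Windows Error Reporting')
        Id           = @(1000, 1001)
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    # Get-WinEvent raises an error (not an empty set) when nothing matches; swallow that
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $ProcessPattern }
}

function ConvertTo-CrashRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $props = @($Event.Properties | ForEach-Object { $_.Value })
    if ($Event.Id -eq 1000 -and $props.Count -ge 7) {
        $app    = $props[0]
        $module = $props[3]
        $code   = ([string]$props[6]).ToLower()          # e.g. "0xc0000409"
    } else {
        # WER 1001: fields live in the message text as P1..P10 (P1 = app, P4 = module, P7 = exception code)
        $app    = if ($Event.Message -match 'P1:\s*(\S+)') { $Matches[1] } else { $null }
        $module = if ($Event.Message -match 'P4:\s*(\S+)') { $Matches[1] } else { $null }
        $code   = if ($Event.Message -match 'P7:\s*([0-9a-fA-F]{8})') { '0x' + $Matches[1].ToLower() } else { $null }
    }
    $severity = if ($code -and $memorySafetyCodes.ContainsKey($code)) { "HIGH - $($memorySafetyCodes[$code])" }
                else { 'review' }
    [pscustomobject]@{
        Time          = $Event.TimeCreated
        Id            = $Event.Id
        App           = $app
        Module        = $module
        ExceptionCode = $code
        Severity      = $severity
    }
}

$records = Get-IcuCrashEvents | ForEach-Object { ConvertTo-CrashRecord $_ }
if (-not $records) { Write-Output "No ICU crash events in the last $LookbackHours hours."; return }

# Repeated memory-safety faults in the same module are the pattern to escalate
$records | Sort-Object Time | Format-Table -AutoSize
$records | Where-Object Severity -like 'HIGH*' |
    Group-Object Module | Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

A single 0xc0000409 from the ICU process is worth a look on its own, since the stack-cookie check firing means a return address or saved frame was overwritten, which is exactly the failure mode CWE-121 describes. Several in a short window, especially with the same faulting module and offset, are the pattern to escalate, and the timestamps give the window to correlate against the firewall side of the SIEM query above.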