VYPR
High severity · NVD Advisory · Published Dec 17, 2025 · Updated Apr 15, 2026

CVE-2025-43873

Description

OS command injection in Johnson Controls iSTAR Ultra and Edge G2 door controllers allows remote attackers with low privileges to gain full device control and modify firmware.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2025-43873 is an OS command injection vulnerability (CWE-78) affecting Johnson Controls iSTAR Ultra, Ultra SE, Ultra LT (versions prior to 6.9.7.CU01) and Ultra G2, Ultra G2 SE, Edge G2 (versions prior to 6.9.3). The flaw stems from improper neutralization of special elements used in OS commands, enabling an attacker to inject arbitrary commands into the device's operating system [2].

Exploitation Details

The vulnerability is remotely exploitable with low attack complexity. An attacker must have low-privileged access to the device (e.g., a valid user account), but no special network position is required beyond network connectivity. The CVSS v3.1 vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) confirms that authentication is required, but only at a low privilege level [2].

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands, modify firmware, and gain full administrative control of the affected door controller. This could compromise physical security systems, enabling unauthorized access to secured areas. The vulnerability carries a CVSS v3.1 base score of 8.8 (High) and a CVSS v4 base score of 8.7 (High) [2].

Mitigation

Johnson Controls has released security advisories (see [1]) and recommends updating iSTAR Ultra series to version 6.9.7.CU01 or later, and iSTAR Ultra G2, Ultra G2 SE, and Edge G2 to version 6.9.3 or later. No workarounds have been published; applying the firmware updates is the only known mitigation [1][2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
