Johnson Controls iSTAR: Remote OS Command Flaws Discovery
🔒 Johnson Controls disclosed two command-injection vulnerabilities in its iSTAR series (CVE-2025-43875, CVE-2025-43876). Both are classified as CWE-78 and carry high severity (CVSS v3.1 8.8; CVSS v4 8.7), exploitable remotely with low complexity. Johnson Controls and CISA advise upgrading affected devices to the fixed firmware and applying network isolation and secure remote-access controls.
