CVE-2025-26383 is a medium severity vulnerability identified in the Johnson Controls iSTAR Configuration Utility (ICU), a tool used for configuring iSTAR access control systems. The vulnerability is classified under CWE-457, which pertains to the use of uninitialized variables. Specifically, the ICU tool leaks memory due to uninitialized variables, potentially exposing unauthorized data from the Windows PC on which the utility is running. This memory leakage could allow an attacker with network access to the system to retrieve sensitive information that resides in the leaked memory areas. The CVSS 4.0 base score is 6.3, indicating a medium severity level. The attack vector is adjacent network (AV:A), meaning the attacker must have access to the same local network or a logically adjacent network segment. The attack complexity is low (AC:L), and no privileges (PR:N) or user interaction (UI:N) are required to exploit the vulnerability. The impact is limited to confidentiality (VC:L) with no impact on integrity or availability. The scope is high (SC:H), indicating that the vulnerability affects components beyond the initially vulnerable component, potentially impacting other system components or connected systems. No known exploits are currently reported in the wild, and no patches have been released yet. The vulnerability was reserved in February 2025 and published in June 2025. Given the nature of the vulnerability, it primarily risks unauthorized disclosure of sensitive information from the host machine running the ICU tool, which could include configuration details or credentials related to the access control system.

For European organizations, especially those in critical infrastructure sectors such as government buildings, transportation hubs, healthcare facilities, and corporate offices that utilize Johnson Controls iSTAR access control systems, this vulnerability poses a risk of unauthorized data exposure. The leaked memory could contain sensitive configuration data or credentials that attackers might leverage to escalate privileges or move laterally within the network. Although the vulnerability does not directly allow system compromise or denial of service, the confidentiality breach could facilitate further attacks against physical security systems or corporate networks. The requirement for adjacent network access limits remote exploitation but does not eliminate risk within internal networks or compromised segments. Organizations with large deployments of Johnson Controls access control solutions may face increased risk due to the potential for aggregated sensitive data exposure. Additionally, the high scope impact suggests that exploitation could affect multiple components or systems interconnected with the ICU tool, amplifying the potential damage. The absence of known exploits in the wild provides a window for mitigation, but organizations should act proactively given the strategic importance of physical security systems in Europe.

European organizations should implement the following specific mitigation measures: 1) Restrict network access to the ICU tool by segmenting the network and applying strict firewall rules to limit access only to authorized administrators and management systems. 2) Monitor network traffic for unusual access patterns or data exfiltration attempts from systems running the ICU tool. 3) Conduct an inventory of all systems running the iSTAR Configuration Utility and isolate them from less trusted network zones. 4) Apply principle of least privilege to user accounts managing the ICU tool to minimize potential exposure. 5) Since no patch is currently available, consider deploying host-based memory protection tools or endpoint detection and response (EDR) solutions that can detect anomalous memory access or leakage. 6) Engage with Johnson Controls for updates on patches or workarounds and plan for prompt deployment once available. 7) Educate IT and security teams about the vulnerability specifics to ensure rapid identification and response to any suspicious activity related to the ICU tool. 8) Regularly audit and review access control configurations to detect unauthorized changes that could be facilitated by leaked credentials or configuration data.