
CVE-2025-26383: CWE-457: Use of Uninitialized Variable in Johnson Controls iSTAR Configuration Utility (ICU)

Severity: Medium
Published: Wed Jun 11 2025 (06/11/2025, 15:36:41 UTC)
Source: CVE Database V5
Vendor/Project: Johnson Controls
Product: iSTAR Configuration Utility (ICU)

Description

The iSTAR Configuration Utility (ICU) tool leaks memory, which could result in the unintended exposure of unauthorized data from the Windows PC that ICU is running on.

AI-Powered Analysis

Last updated: 07/12/2025, 08:16:40 UTC

Technical Analysis

CVE-2025-26383 is a medium severity vulnerability in the Johnson Controls iSTAR Configuration Utility (ICU), the tool used to configure iSTAR access control systems. It is classified under CWE-457, use of an uninitialized variable. Because variables are used before being initialized, the ICU tool can disclose memory contents from the Windows PC it runs on, potentially exposing data the requester is not authorized to see. An attacker with network access to the system could therefore retrieve sensitive information that happens to reside in the disclosed memory regions. The CVSS 4.0 base score is 6.3 (medium). The attack vector is adjacent network (AV:A): the attacker must be on the same local network or a logically adjacent segment. Attack complexity is low (AC:L), and no privileges (PR:N) or user interaction (UI:N) are required. The impact on the vulnerable system is limited to confidentiality (VC:L), with no impact on integrity or availability. The subsequent system confidentiality metric is high (SC:H); CVSS 4.0 has no scope metric, and SC:H means the disclosed data can affect the confidentiality of systems beyond the ICU host itself, such as the access control system it configures. No exploits in the wild are currently reported, and no patches have been released yet. The CVE was reserved in February 2025 and published in June 2025. Given the nature of the flaw, the primary risk is unauthorized disclosure of sensitive information from the host running the ICU tool, which could include configuration details or credentials for the access control system.
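The bug class behind CVE-2025-26383, shown as an added example rather than code from ICU or Johnson Controls: a hypothetical reply record (constructed layout and field names) is built in memory that was never cleared, and copying the whole object to the wire carries stale padding and unused bytes with it; the hardened form zeroes the output and encodes each field explicitly. A buffer pre-filled with a marker byte stands in for uninitialized memory so the leak is deterministic and can be checked.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical configuration-reply record; layout and field names are
 * constructed for this example, not ICU's real protocol. */
struct reply {
    uint8_t  status;    /* usually followed by 3 bytes of compiler padding */
    uint32_t serial;
    char     name[16];  /* NUL-terminated; short names leave the tail unused */
};
#define STALE 0xAA      /* constructed marker standing in for stale memory */

/* CWE-457 pattern: only the wanted fields are assigned, then the whole
 * object is copied to the wire. Padding and the unused tail of name[]
 * still hold whatever the memory contained before: that is the leak. */
static size_t build_reply_unsafe(struct reply *r, uint8_t status,
                                 uint32_t serial, const char *name, uint8_t *wire) {
    size_t n = strlen(name) < 16 ? strlen(name) : 15;
    r->status = status;
    r->serial = serial;
    memcpy(r->name, name, n);
    r->name[n] = '\0';            /* bytes after the NUL are never touched */
    memcpy(wire, r, sizeof *r);
    return sizeof *r;
}

/* Hardened form: the output is zeroed before use and each field is encoded
 * explicitly, so neither padding nor unused bytes reach the wire. */
static size_t build_reply_safe(uint8_t status, uint32_t serial,
                               const char *name, uint8_t *wire) {
    size_t n = strlen(name) < 16 ? strlen(name) : 15;
    memset(wire, 0, sizeof(struct reply));
    wire[0] = status;
    wire[1] = (uint8_t)(serial >> 24); wire[2] = (uint8_t)(serial >> 16);
    wire[3] = (uint8_t)(serial >> 8);  wire[4] = (uint8_t)serial;
    memcpy(wire + 5, name, n);
    return 5 + n;                 /* send only what was populated */
}
/* Demo: start from memory pre-filled with STALE to emulate a reused,
 * never-initialized buffer, build the same reply both ways, and count
 * STALE bytes that reached the wire. Any hit means prior memory leaked. */
int stale_bytes_on_wire(int hardened) {
    struct reply r; uint8_t wire[sizeof r]; size_t len; int hits = 0;
    memset(&r, STALE, sizeof r);
    len = hardened ? build_reply_safe(1, 0x12345678u, "door-7", wire)
                   : build_reply_unsafe(&r, 1, 0x12345678u, "door-7", wire);
    for (size_t i = 0; i < len; i++) hits += (wire[i] == STALE);
    return hits;
}
```

The same check works as a unit test against any serializer: fill the working memory with a marker, build a message, and fail if the marker ever reaches the output.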

Potential Impact

For European organizations, especially those in critical infrastructure sectors such as government buildings, transportation hubs, healthcare facilities, and corporate offices that use Johnson Controls iSTAR access control systems, this vulnerability poses a risk of unauthorized data exposure. The disclosed memory could contain sensitive configuration data or credentials that attackers might use to escalate privileges or move laterally within the network. Although the vulnerability does not directly allow system compromise or denial of service, the confidentiality breach could facilitate further attacks against physical security systems or corporate networks. The requirement for adjacent network access limits remote exploitation but does not eliminate risk from internal networks or already compromised segments. Organizations with large deployments of Johnson Controls access control solutions may face increased risk because of the potential for aggregated sensitive data exposure. Additionally, the high subsequent system confidentiality metric (SC:H) indicates that disclosed data could affect multiple components or systems interconnected with the ICU tool, amplifying the potential damage. The absence of known exploits in the wild provides a window for mitigation, but organizations should act proactively given the strategic importance of physical security systems in Europe.

Mitigation Recommendations

European organizations should implement the following specific mitigation measures:
1) Restrict network access to the ICU tool by segmenting the network and applying strict firewall rules that limit access to authorized administrators and management systems only.
2) Monitor network traffic for unusual access patterns or data exfiltration attempts from systems running the ICU tool.
3) Conduct an inventory of all systems running the iSTAR Configuration Utility and isolate them from less trusted network zones.
4) Apply the principle of least privilege to user accounts that manage the ICU tool, to minimize potential exposure.
5) Since no patch is currently available, consider deploying host-based memory protection tools or endpoint detection and response (EDR) solutions that can detect anomalous memory access or disclosure.
6) Engage with Johnson Controls for updates on patches or workarounds and plan for prompt deployment once available.
7) Educate IT and security teams about the specifics of the vulnerability so that suspicious activity related to the ICU tool is identified and handled quickly.
8) Regularly audit and review access control configurations to detect unauthorized changes that could be facilitated by disclosed credentials or configuration data.


Technical Details

Data Version
5.1
Assigner Short Name
jci
Date Reserved
2025-02-07T14:15:53.880Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6849a69523110031d4103be8

Added to database: 6/11/2025, 3:53:57 PM

Last enriched: 7/12/2025, 8:16:40 AM

Last updated: 7/30/2025, 4:17:10 PM
