CVE-2025-43873: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Johnson Control iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2
CVE-2025-43873 is a high-severity OS command injection vulnerability affecting multiple Johnson Control iSTAR Ultra series devices. Exploitation requires no user interaction but does require low-level privileges, allowing attackers to execute arbitrary OS commands. Successful exploitation could lead to firmware modification and full device compromise. The vulnerability impacts device confidentiality, integrity, and availability, posing significant risks to physical security systems relying on these devices. No known exploits are currently reported in the wild. European organizations using these access control systems, especially in critical infrastructure and large enterprises, face elevated risks. Mitigation requires applying vendor patches once available, restricting network access to management interfaces, and monitoring for anomalous device behavior. Countries with high deployment of Johnson Controls security products and critical infrastructure sectors, such as Germany, France, the UK, and the Netherlands, are most likely to be affected. Given the ease of exploitation and potential impact, this vulnerability demands urgent attention from defenders.
AI Analysis
Technical Summary
CVE-2025-43873 is an OS command injection vulnerability (CWE-78) identified in several Johnson Control iSTAR Ultra series devices, including iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2. The vulnerability arises from improper neutralization of special elements in OS commands, allowing an attacker with low-level privileges to inject and execute arbitrary commands on the underlying operating system. This can lead to unauthorized modification of device firmware, effectively granting full control over the affected device. The CVSS 4.0 base score of 8.7 reflects high severity: network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and low privileges required (PR:L). The vulnerability impacts confidentiality, integrity, and availability at a high level, as attackers can alter firmware and potentially disrupt or manipulate physical access control systems. Although no public exploits are currently known, the nature of the vulnerability makes it a critical risk once weaponized. The affected devices are widely used in physical security environments to control access to buildings and secure areas, making this vulnerability a significant threat to organizational security postures. The lack of available patches at the time of publication necessitates immediate mitigation efforts to reduce exposure.
Potential Impact
For European organizations, the impact of CVE-2025-43873 is substantial. These devices often serve as critical components in physical security infrastructures, controlling access to sensitive facilities such as data centers, government buildings, and industrial plants. Successful exploitation could allow attackers to bypass physical security controls by modifying firmware, potentially enabling unauthorized entry or disabling security mechanisms. This could lead to theft, espionage, sabotage, or disruption of essential services. The compromise of device integrity also undermines trust in security monitoring and incident response capabilities. Given the high integration of Johnson Controls products in Europe’s critical infrastructure sectors, including energy, transportation, and public administration, the vulnerability poses a direct threat to national security and business continuity. Additionally, the ability to execute OS commands remotely without user interaction increases the likelihood of automated or large-scale attacks, amplifying potential damage.
Mitigation Recommendations
1. Immediately restrict network access to the management interfaces of affected iSTAR Ultra devices using network segmentation and firewall rules, allowing only trusted administrative hosts.
2. Implement strict access controls and monitoring on devices to detect anomalous command execution or firmware changes.
3. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics targeting OS command injection patterns specific to these devices.
4. Coordinate with Johnson Controls to obtain and apply security patches or firmware updates as soon as they become available.
5. Conduct thorough audits of device configurations and logs to identify any signs of compromise or attempted exploitation.
6. Employ multi-factor authentication and limit administrative privileges to reduce the risk of privilege escalation.
7. Consider temporary compensating controls such as disabling remote management features if not essential.
8. Train security teams on the specifics of this vulnerability to enhance detection and response capabilities.
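The analysis above describes CWE-78 in the abstract, and mitigation items 2 and 3 call for monitoring and detection of command injection patterns. The following Python is an added illustration written for this page; it is not iSTAR firmware code (the advisory does not disclose the vulnerable code path). The diagnostic handler, the `host` parameter, the management-interface URL and the access-log lines are all constructed assumptions. It shows the concatenation anti-pattern beside a hardened handler (allow-list validation plus execution without a shell), and a small log scanner that flags requests whose query parameters carry shell metacharacters.

```python
"""CWE-78 pattern, hardened handler and a log check.

Added example, not taken from the iSTAR firmware or from Johnson Controls.
The handler, parameter name, URL path and log lines are constructed.
"""
import re
import subprocess
from typing import List, Tuple
from urllib.parse import unquote

# Allow-list for a hostname or IPv4 literal: RFC 1123 labels joined by dots.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Shell metacharacters that have no legitimate place in a hostname parameter.
_SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n\\'\"]")


def build_command_vulnerable(host: str) -> str:
    """The CWE-78 anti-pattern: untrusted input concatenated into a string
    destined for /bin/sh. Returned rather than executed, so the injected
    text is visible in the result instead of being run."""
    return "ping -c 1 " + host


def is_valid_host(host: str) -> bool:
    """True only if the value matches the hostname allow-list."""
    return _HOST_RE.match(host) is not None


def run_check_hardened(host: str) -> str:
    """Hardened handler: allow-list validation, then exec without a shell.
    /bin/echo stands in for ping so the example runs offline; the point is
    that argv elements are handed to the child process and never parsed
    by a shell."""
    if not is_valid_host(host):
        raise ValueError("rejected host parameter: %r" % host)
    argv = ["echo", "ping", "-c", "1", host]
    out = subprocess.run(argv, check=True, capture_output=True, text=True)
    return out.stdout.strip()


def echo_literal_no_shell(value: str) -> str:
    """Shows why shell=False matters on its own: the value reaches the
    child as a single argv element, so metacharacters come back literally."""
    out = subprocess.run(["echo", value], check=True,
                         capture_output=True, text=True)
    return out.stdout.rstrip("\n")


# Constructed management-interface access log (not real iSTAR output).
SAMPLE_LOG = """\
10.0.5.12 - admin [17/Dec/2025:16:07:18 +0000] "POST /mgmt/diag?host=gw.example.internal" 200
10.0.5.12 - admin [17/Dec/2025:16:07:41 +0000] "POST /mgmt/diag?host=10.0.5.1" 200
10.0.9.77 - operator [17/Dec/2025:16:09:02 +0000] "POST /mgmt/diag?host=10.0.5.1%3Bid" 200
10.0.9.77 - operator [17/Dec/2025:16:09:30 +0000] "POST /mgmt/diag?host=$(uname)" 500
"""

# Request line: method, path, optional query string.
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+?)(?:\?(\S*))?"')


def flag_injection_attempts(log_text: str) -> List[Tuple[str, str]]:
    """Detection for mitigation items 2 and 3: flag requests whose query
    parameters contain shell metacharacters after URL-decoding.
    Returns (client_ip, decoded_query) for each suspicious line."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = _REQUEST_RE.search(line)
        if not m or m.group(2) is None:
            continue
        query = unquote(m.group(2))
        if _SHELL_META_RE.search(query):
            hits.append((line.split(" ", 1)[0], query))
    return hits


if __name__ == "__main__":
    print("vulnerable string:", build_command_vulnerable("10.0.5.1;id"))
    print("hardened result:  ", run_check_hardened("gw.example.internal"))
    print("literal argv:     ", echo_literal_no_shell("10.0.5.1;id"))
    for ip, q in flag_injection_attempts(SAMPLE_LOG):
        print("suspicious request from", ip, "->", q)
```

The two controls are independent: executing without a shell stops metacharacters from being interpreted even when validation is missing, and the allow-list rejects values that should never reach the command at all. The log scanner is a coarse heuristic suited to an IDS rule or a SIEM search; URL-decode before matching, since encoded separators such as `%3B` otherwise slip past a raw-text pattern.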
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: jci
- Date Reserved: 2025-04-17T20:07:25.122Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6942d536b2cbfb3efaa86de8
Added to database: 12/17/2025, 4:07:18 PM
Last enriched: 12/24/2025, 5:06:23 PM
Last updated: 2/5/2026, 5:56:29 AM
Related Threats
- CVE-2025-15080: CWE-1284 Improper Validation of Specified Quantity in Input in Mitsubishi Electric Corporation MELSEC iQ-R Series R08PCPU (High)
- CVE-2025-61732: CWE-94: Improper Control of Generation of Code ('Code Injection') in Go toolchain cmd/cgo (High)
- CVE-2025-10314: CWE-276 Incorrect Default Permissions in Mitsubishi Electric Corporation FREQSHIP-mini for Windows (High)
- CVE-2025-11730: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Zyxel ATP series firmware (High)
- CVE-2026-1898: Improper Access Controls in WeKan (Medium)