CVE-2025-43873: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Johnson Control iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2
Successful exploitation of these vulnerabilities could allow an attacker to modify firmware and gain full access to the device.
AI Analysis
Technical Summary
CVE-2025-43873 is an OS command injection vulnerability (CWE-78) identified in Johnson Control's iSTAR Ultra series (including iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE) and iSTAR Edge G2 access control devices. The vulnerability arises from improper neutralization of special elements in OS commands, allowing an attacker to inject and execute arbitrary commands on the underlying operating system. This flaw can be exploited remotely over the network without user interaction; it requires only low privileges on the device (PR:L). Successful exploitation can lead to modification of the device firmware, effectively granting full control over the device. The CVSS 4.0 base score is 8.7 (high severity), reflecting the critical impact on confidentiality, integrity, and availability (all rated high), with low attack complexity and no user interaction needed. The vulnerability was reserved in April 2025 and published in December 2025, with no known exploits currently observed in the wild. The affected devices are commonly used in physical security environments to control access to facilities, making this vulnerability particularly dangerous: it could enable attackers to bypass physical security controls, disrupt operations, or establish persistent footholds within enterprise environments.
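The following is an added illustration of the CWE-78 pattern the analysis describes, not code from the advisory, the vendor or the affected firmware: the specific iSTAR endpoint and parameter are not public on this page, so a hypothetical management handler that takes a hostname for a connectivity check stands in. The first builder splices the value into a shell command string (the flaw); the second validates it against an allowlist and builds an argv vector that no shell ever parses (the fix).

```python
import re
import subprocess

# Allowlist for the one user-controlled value: a hostname or IPv4 literal made of
# RFC 1123 characters only. Nothing in this set is a shell metacharacter, and the
# leading character cannot be '-', so the value cannot be read as an option either.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_safe_host(host: str) -> bool:
    """True only if the value is a syntactically valid hostname/IPv4 literal."""
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def build_command_vulnerable(host: str) -> str:
    """CWE-78 pattern (hypothetical handler, not iSTAR code): the value is spliced
    into a command string that would be handed to /bin/sh via shell=True. A
    separator such as ';' inside `host` ends the ping command and starts another,
    which is exactly the 'improper neutralization' the advisory names."""
    return f"ping -c 1 {host}"


def build_command_hardened(host: str) -> list[str]:
    """Hardened form: validate against the allowlist, then pass argv as a list so
    no shell parses it. Returns the argv vector; raises on rejected input."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str, timeout: float = 10.0) -> int:
    """Execute the hardened argv without a shell and return the exit status.
    Kept separate from the builder so the builder can be checked offline."""
    argv = build_command_hardened(host)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    crafted = "10.0.5.1; id"  # constructed input carrying a shell separator
    print("vulnerable string :", build_command_vulnerable(crafted))
    try:
        build_command_hardened(crafted)
    except ValueError as exc:
        print("hardened rejects  :", exc)
    print("hardened argv     :", build_command_hardened("door-ctl-01.example.com"))
```

The design point is that the hardened path never relies on escaping: the allowlist is narrow enough that no shell-significant character can pass, and even if one did, `subprocess.run` with a list and `shell=False` hands the arguments straight to `execve`, so there is no shell to interpret them.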
Potential Impact
For European organizations, the impact of CVE-2025-43873 is significant due to the widespread use of Johnson Control's access control systems in commercial buildings, government facilities, and critical infrastructure. Exploitation could lead to unauthorized modification of device firmware, resulting in loss of device integrity and potential takeover of physical security controls. This could facilitate unauthorized physical access, data breaches, or sabotage of security systems. The compromise of these devices could also serve as a pivot point for further network intrusion, threatening broader IT infrastructure. Disruption or manipulation of access control systems could cause operational downtime and damage organizational reputation. Given the high confidentiality, integrity, and availability impact, organizations face risks including regulatory non-compliance and financial losses. The low privilege bar for exploitation (PR:L) increases the threat surface, especially for devices exposed to less secure network segments or insufficiently segmented management networks.
Mitigation Recommendations
1. Apply vendor patches immediately once released to remediate the vulnerability.
2. Until patches are available, restrict network access to the management interfaces of affected devices using network segmentation, firewalls, and access control lists to limit exposure.
3. Implement strict monitoring and logging of device activity to detect anomalous commands or firmware changes.
4. Employ network intrusion detection/prevention systems (IDS/IPS) tuned to detect OS command injection patterns targeting these devices.
5. Conduct regular security audits and vulnerability assessments on physical security infrastructure.
6. Enforce the principle of least privilege for device management accounts and ensure strong authentication mechanisms are in place.
7. Isolate access control devices from general user networks and the internet to reduce attack vectors.
8. Develop incident response plans specific to physical security device compromise scenarios.
9. Educate security teams about this vulnerability and encourage proactive threat hunting for signs of exploitation.
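As an added example for recommendations 3 and 4 (detection, not part of the advisory or any vendor tooling), the scanner below walks a management-interface access log and raises an alert for every request parameter whose URL-decoded value contains a shell metacharacter, the hallmark of CWE-78 probing. The log excerpt, the endpoints (`/mgmt/diag`, `/mgmt/firmware`) and the parameter names are constructed placeholders; the controller's real URLs are not published on this page.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log excerpt in a common-log-like format. Paths and parameter
# names are placeholders, not the controller's real endpoints.
SAMPLE_LOG = """\
10.0.5.20 - admin [17/Dec/2025:16:07:18 +0000] "GET /mgmt/diag?host=10.0.5.1 HTTP/1.1" 200 512
10.0.5.20 - admin [17/Dec/2025:16:08:02 +0000] "GET /mgmt/diag?host=10.0.5.1%3Bid HTTP/1.1" 200 2048
10.0.5.77 - guest [17/Dec/2025:16:09:44 +0000] "POST /mgmt/firmware?file=%60whoami%60.bin HTTP/1.1" 302 0
10.0.5.20 - admin [17/Dec/2025:16:10:10 +0000] "GET /mgmt/status HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters a POSIX shell treats as separators, substitutions or redirections.
# Any of them inside a value that should be a hostname or filename is suspicious.
SHELL_META_RE = re.compile(r"[;|&`$<>\n\r]")

# Hypothetical endpoints whose abuse matches the advisory's worst case
# (firmware modification); hits there are rated higher.
HIGH_RISK_PATHS = ("/mgmt/firmware",)


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> list[dict]:
    """Return one alert per request parameter whose URL-decoded value contains a
    shell metacharacter. Decoding happens before matching so %3B is seen as ';'."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if SHELL_META_RE.search(value):
                alerts.append({
                    "src": rec["src"],
                    "user": rec["user"],
                    "ts": rec["ts"],
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "severity": "high" if parts.path in HIGH_RISK_PATHS else "medium",
                })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['src']} ({a['user']}) {a['path']} {a['param']}={a['value']!r}")
```

Two practical points: decode before matching, because an encoded `%3B` or `%60` looks harmless in the raw line, and treat a hit against a firmware-related endpoint as a higher-priority event, since the advisory's stated outcome is firmware modification. A POST body would need the same treatment if the device logs it; this excerpt only carries query strings.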
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: jci
- Date Reserved: 2025-04-17T20:07:25.122Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6942d536b2cbfb3efaa86de8
Added to database: 12/17/2025, 4:07:18 PM
Last enriched: 12/17/2025, 4:22:36 PM
Last updated: 12/18/2025, 7:08:30 AM
Related Threats
- CVE-2025-68459: Improper neutralization of special elements used in an OS command ('OS Command Injection') in Ruijie Networks Co., Ltd. AP180-PE V3.xx (High)
- CVE-2025-47387: CWE-822 Untrusted Pointer Dereference in Qualcomm, Inc. Snapdragon (High)
- CVE-2025-47382: CWE-863 Incorrect Authorization in Qualcomm, Inc. Snapdragon (High)
- CVE-2025-47372: CWE-120 Buffer Copy Without Checking Size of Input ('Classic Buffer Overflow') in Qualcomm, Inc. Snapdragon (Critical)
- CVE-2025-47350: CWE-416 Use After Free in Qualcomm, Inc. Snapdragon (High)