CVE-2025-43875: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Johnson Controls iSTAR Ultra, iSTAR Ultra SE
Under certain circumstances a successful exploitation could result in access to the device.
AI Analysis
Technical Summary
CVE-2025-43875 is an OS command injection vulnerability classified under CWE-78, found in Johnson Controls' iSTAR Ultra and iSTAR Ultra SE security devices. The flaw exists in the web application interface, which under certain conditions improperly sanitizes user input before incorporating it into OS commands. This improper neutralization allows an authenticated attacker with limited privileges to escalate their access to root-level control of the device by injecting malicious commands. The vulnerability does not require user interaction and can be exploited remotely over the network, increasing its risk profile. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N) and low privileges required (PR:L), with high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). The affected versions are not explicitly enumerated beyond a placeholder, suggesting all current versions may be vulnerable. No patches or known exploits are currently public, but the potential for severe impact on device control and security posture is significant. These devices are often used in physical access control systems, meaning exploitation could lead to unauthorized physical access, data compromise, or disruption of security services.
Potential Impact
For European organizations, this vulnerability threatens both cybersecurity and physical security domains. Compromise of iSTAR Ultra devices could allow attackers to gain root access, enabling them to manipulate access control systems, disable alarms, or exfiltrate sensitive security data. This could lead to unauthorized physical entry into secure facilities, data breaches, or sabotage of critical infrastructure. The high CVSS score reflects the broad impact on confidentiality, integrity, and availability of the affected systems. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that rely on Johnson Controls products are particularly at risk. The ability to exploit remotely without user interaction increases the threat surface, especially if internal network segmentation and access controls are weak. The absence of known exploits currently provides a window for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
1. Immediately verify if your Johnson Controls iSTAR Ultra or iSTAR Ultra SE devices are affected and prioritize patching once vendor updates become available.
2. Until patches are released, restrict access to the web management interface to trusted administrative networks only, using network segmentation and firewall rules.
3. Enforce strong authentication mechanisms and limit user privileges to the minimum necessary to reduce the risk of privilege escalation.
4. Monitor device logs and network traffic for unusual command execution patterns or unauthorized access attempts.
5. Implement multi-factor authentication (MFA) for device management interfaces where possible.
6. Conduct regular security audits and penetration testing focused on physical security systems.
7. Engage with Johnson Controls support channels for updates and guidance.
8. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection attempts targeting these devices.
9. Maintain an incident response plan specific to physical security system compromises.
Affected Countries
Germany, United Kingdom, France, Italy, Netherlands, Spain, Belgium, Sweden, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: jci
- Date Reserved: 2025-04-17T20:07:25.122Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694c0608550a31ae84b6c530
Added to database: 12/24/2025, 3:26:00 PM
Last enriched: 12/24/2025, 3:40:55 PM
Last updated: 12/24/2025, 6:20:45 PM
Related Threats
- CVE-2025-2515: Incorrect Authorization in Eclipse Foundation BlueChi (High)
- CVE-2025-60935: n/a (Medium)
- CVE-2025-43876: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Johnson Controls iSTAR Ultra, iSTAR Ultra SE (High)
- CVE-2024-40317: n/a (Medium)
- CVE-2024-39037: n/a (Medium)