CVE-2025-43876: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Johnson Controls iSTAR Ultra, iSTAR Ultra SE
Under certain circumstances a successful exploitation could result in access to the device.
AI Analysis
Technical Summary
CVE-2025-43876 is an OS command injection vulnerability (CWE-78) affecting Johnson Controls iSTAR Ultra and iSTAR Ultra SE access control devices. The vulnerability stems from improper neutralization of special characters in operating system commands, which allows an attacker to inject and execute arbitrary OS commands on the device. The CVSS 4.0 score of 8.7 (high severity) reflects a network attack vector (AV:N), low attack complexity (AC:L), no special attack requirements (AT:N), and no user interaction (UI:N). It does, however, require low privileges (PR:L): an attacker needs some limited, authenticated access to the device or its network before exploiting it. The impact metrics are high for confidentiality, integrity, and availability (VC:H, VI:H, VA:H), meaning exploitation could fully compromise the device and its functions. Because no user interaction is needed, the vulnerability is a direct threat to any reachable device. The iSTAR Ultra series is widely used in physical security systems for access control, so exploitation could allow attackers to bypass security controls, manipulate access permissions, or disrupt security operations. No patches or known exploits are currently available, but the nature of the flaw suggests it could be weaponized once exploit code is developed.
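The following Python snippet is an added illustration of the CWE-78 pattern the analysis describes and its hardened counterpart; it is not code from the iSTAR Ultra firmware (the advisory gives no detail of the affected component), and the ping command, the `host` parameter and the function names are assumptions chosen for the example. The unsafe builder only returns the command string so the example stays inert; the defect it models is handing that string to a shell.

```python
import ipaddress
import subprocess
from typing import List

# Characters that let input escape an argument and reach the shell's
# command parser. CWE-78 is exactly the failure to neutralize these.
SHELL_METACHARACTERS = set(';|&$`<>()\n\r')


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern (CWE-78): untrusted input spliced into a string
    that would later be passed to a shell (e.g. subprocess with shell=True).
    Hypothetical example; returns the string instead of executing it."""
    return f"ping -c 1 {host}"


def has_shell_metacharacters(value: str) -> bool:
    """Detect whether a value would be interpreted by a shell."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def build_ping_command_safe(host: str) -> List[str]:
    """Hardened form: positively validate the input against what it must be
    (an IP address) and pass it as one argv element, never via a shell."""
    try:
        ipaddress.ip_address(host)
    except ValueError as exc:
        raise ValueError(f"rejected host value: {host!r}") from exc
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """shell=False (the default) hands argv straight to execve, so no
    metacharacter in `host` is ever interpreted."""
    return subprocess.run(
        build_ping_command_safe(host), capture_output=True, text=True, check=False
    )
```

The allow-list check is the important half: rejecting a fixed set of metacharacters alone tends to miss encodings and locale quirks, whereas validating that the value is an IP address and passing it as a single argv element removes the shell from the path entirely.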
Potential Impact
For European organizations, the impact of CVE-2025-43876 could be severe, especially for those relying on Johnson Controls iSTAR Ultra and iSTAR Ultra SE devices for physical security and access control. Exploitation could lead to unauthorized access to secure facilities, manipulation or disabling of access control systems, and potential lateral movement within corporate networks. This could result in data breaches, theft of intellectual property, or sabotage of critical infrastructure. The high confidentiality, integrity, and availability impact ratings indicate that attackers could gain full control over the affected devices, undermining trust in physical security measures. Organizations in sectors such as government, finance, healthcare, and critical infrastructure are particularly at risk. The lack of patches increases the urgency for proactive mitigation. Additionally, the vulnerability could be exploited as part of a multi-stage attack targeting broader network compromise or espionage campaigns within Europe.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement immediate compensating controls. First, restrict network access to iSTAR Ultra devices by isolating them on dedicated VLANs or network segments with strict firewall rules, limiting communication to only trusted management stations. Enforce strong authentication and authorization policies to minimize the number of users with even low-level privileges on these devices. Monitor device logs and network traffic for unusual command execution patterns or unexpected connections indicative of exploitation attempts. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect OS command injection signatures. Regularly audit device configurations and firmware versions to identify any unauthorized changes. Coordinate with Johnson Controls for timely updates and subscribe to their security advisories. Consider deploying endpoint detection and response (EDR) solutions on management workstations to detect lateral movement attempts. Finally, develop and test incident response plans specifically addressing potential physical security system compromises.
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: jci
- Date Reserved: 2025-04-17T20:07:25.122Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694c098b550a31ae84b9ba46
Added to database: 12/24/2025, 3:40:59 PM
Last enriched: 12/24/2025, 3:55:55 PM
Last updated: 12/24/2025, 5:07:53 PM
Related Threats
- CVE-2025-2515: Incorrect Authorization in Eclipse Foundation BlueChi (High)
- CVE-2025-60935: n/a (Medium)
- CVE-2024-40317: n/a (Medium)
- CVE-2025-43875: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Johnson Controls iSTAR Ultra, iSTAR Ultra SE (High)
- CVE-2024-39037: n/a (Medium)