
CVE-2025-53696: CWE-494 Download of Code Without Integrity Check in Johnson Controls, Inc iSTAR Ultra

Critical
Tags: Vulnerability, CVE-2025-53696, CWE-494
Published: Mon Jul 28 2025 (07/28/2025, 14:43:01 UTC)
Source: CVE Database V5
Vendor/Project: Johnson Controls, Inc
Product: iSTAR Ultra

Description

iSTAR Ultra performs a firmware verification on boot; however, the verification does not inspect certain portions of the firmware. These firmware parts may contain malicious code. Tested up to firmware 6.9.2; later firmware versions are also possibly affected.

AI-Powered Analysis

AI analysis last updated: 07/28/2025, 15:02:42 UTC

Technical Analysis

CVE-2025-53696 is a critical vulnerability identified in the Johnson Controls, Inc iSTAR Ultra access control system firmware. The core issue stems from the device's firmware verification process during boot-up, which fails to inspect certain portions of the firmware image. This incomplete verification allows malicious code to reside undetected within these unchecked firmware segments. The vulnerability is categorized under CWE-494, which refers to the download of code without integrity checks, indicating that the system does not adequately validate the authenticity or integrity of all firmware components before execution. The affected firmware versions include those up to 6.9.2, with potential impact on later versions as well. The CVSS 4.0 base score of 9.3 reflects a critical severity level, highlighting the high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity but requiring high privileges for exploitation. The vector metrics indicate that the attack requires local access (AV:L) and high privileges (PR:H), but no user interaction (UI:N) is needed. The vulnerability could allow an attacker with elevated privileges on the device to inject malicious code into the unchecked firmware sections, potentially leading to full compromise of the device's functionality, unauthorized access control manipulation, or persistent backdoors within physical security infrastructure. Although no known exploits are currently reported in the wild, the critical nature of the flaw and the strategic role of iSTAR Ultra in physical security systems make this a significant threat. Johnson Controls has not yet published patches, increasing the urgency for organizations to implement compensating controls and monitor for suspicious activity related to firmware integrity.
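The analysis above describes a boot-time check that covers only part of the firmware image. The following Python example, added here as an illustration and not code from Johnson Controls or the iSTAR Ultra firmware, shows the general pattern: a toy image format with a section table, a flawed verifier that authenticates only the sections a manifest lists, and a sound verifier that authenticates every byte. It also includes a small audit helper that lists the sections a manifest leaves unchecked, which is the kind of integrity review a defender would want. The image layout, section names and signing key are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed toy image layout: a 4-byte section count, then a table of
# (16-byte name, 4-byte offset, 4-byte length) records, then the section bodies.
COUNT = struct.Struct(">I")
RECORD = struct.Struct(">16sII")
SIGNING_KEY = b"constructed-demo-key"  # placeholder for a vendor signing key


def build_image(sections):
    """Pack an ordered {name: bytes} mapping into the toy image format."""
    header_size = COUNT.size + RECORD.size * len(sections)
    table, body, offset = b"", b"", header_size
    for name, data in sections.items():
        table += RECORD.pack(name.encode().ljust(16, b"\0"), offset, len(data))
        body += data
        offset += len(data)
    return COUNT.pack(len(sections)) + table + body


def parse_sections(image):
    """Return {name: (offset, length)} read from the image's section table."""
    (count,) = COUNT.unpack_from(image, 0)
    result = {}
    for i in range(count):
        raw_name, offset, length = RECORD.unpack_from(image, COUNT.size + i * RECORD.size)
        result[raw_name.rstrip(b"\0").decode()] = (offset, length)
    return result


def section_bytes(image, name):
    offset, length = parse_sections(image)[name]
    return image[offset:offset + length]


def patch_section(image, name, new_data):
    """Overwrite one section in place; same length so the offsets stay valid."""
    offset, length = parse_sections(image)[name]
    if len(new_data) != length:
        raise ValueError("replacement must keep the section length")
    return image[:offset] + new_data + image[offset + length:]


def mac(data):
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


# Flawed scheme (the CWE-494 pattern): per-section tags, only for chosen sections.
def make_partial_manifest(image, covered):
    return {name: mac(section_bytes(image, name)) for name in covered}


def verify_partial(image, manifest):
    """Passes when every *listed* section matches; unlisted sections are never read."""
    return all(
        hmac.compare_digest(mac(section_bytes(image, name)), tag)
        for name, tag in manifest.items()
    )


# Sound scheme: one tag over every byte of the image, so any change is detected.
def make_full_tag(image):
    return mac(image)


def verify_full(image, tag):
    return hmac.compare_digest(mac(image), tag)


# Defender's audit: which sections does the manifest leave unchecked?
def uncovered_sections(image, manifest):
    return sorted(set(parse_sections(image)) - set(manifest))


def demo():
    """Modify an uncovered section: the partial check still passes, the full check fails."""
    image = build_image({"kernel": b"K" * 32, "app": b"A" * 32, "extra": b"\0" * 32})
    manifest = make_partial_manifest(image, {"kernel", "app"})
    full_tag = make_full_tag(image)
    tampered = patch_section(image, "extra", b"TAMPERED".ljust(32, b"\0"))
    return {
        "partial_accepts_tampered": verify_partial(tampered, manifest),
        "full_accepts_tampered": verify_full(tampered, full_tag),
        "unchecked": uncovered_sections(image, manifest),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the partial verifier accepts the modified image while the whole-image tag rejects it, and lists `extra` as the section no integrity record covers. The design point is that a boot-time check is only as strong as its coverage: a signature or MAC must be computed over every byte that will be executed or trusted, and an audit of the manifest against the section table is a cheap way to find gaps before an attacker does.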

Potential Impact

For European organizations, the impact of this vulnerability is substantial, especially for those relying on Johnson Controls iSTAR Ultra systems to secure physical premises such as corporate offices, government buildings, critical infrastructure, and data centers. Exploitation could lead to unauthorized physical access, allowing attackers to bypass security controls, manipulate access logs, or disable alarms. This undermines both physical security and potentially the cybersecurity posture if attackers gain entry to networked environments. The integrity of the firmware is crucial for maintaining trust in the device's operation; malicious firmware could also be used to establish persistent footholds or pivot to other networked systems. Given the criticality of the vulnerability and the lack of patches, European entities face increased risk of targeted attacks, especially those in sectors with high security requirements such as finance, energy, transportation, and government. The requirement for local high-privilege access limits remote exploitation but does not eliminate risk, as insider threats or attackers who have already compromised internal networks could leverage this vulnerability to escalate control over physical security systems.

Mitigation Recommendations

1. Immediate mitigation should focus on restricting and monitoring access to iSTAR Ultra devices to trusted personnel only, enforcing strict privilege management to prevent unauthorized elevation to high privileges.
2. Implement network segmentation to isolate physical security devices from general IT networks, reducing the risk of lateral movement by attackers.
3. Employ continuous monitoring and logging of device firmware integrity and access control events to detect anomalies indicative of tampering.
4. Coordinate with Johnson Controls for timely updates and patches; once available, prioritize firmware upgrades to versions that address this vulnerability.
5. Consider deploying additional physical security layers (e.g., biometric verification, security guards) to compensate for potential firmware compromise.
6. Conduct regular security audits and penetration tests focusing on physical security systems to identify and remediate weaknesses.
7. Develop incident response plans specifically addressing scenarios involving physical security system compromise to ensure rapid containment and recovery.


Technical Details

Data Version
5.1
Assigner Short Name
Dragos
Date Reserved
2025-07-08T14:48:42.604Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68878d8aad5a09ad008474ba

Added to database: 7/28/2025, 2:47:38 PM

Last enriched: 7/28/2025, 3:02:42 PM

Last updated: 7/28/2025, 3:02:42 PM

