CVE-2025-61736: CWE-298-Improper Validation of certificate expiration in Johnson Controls iSTAReX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra, iSTAR Ultra SE
Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires.
AI Analysis
Technical Summary
CVE-2025-61736 is a vulnerability classified under CWE-298, indicating improper validation of certificate expiration in Johnson Controls' iSTAR product line, including iSTAReX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra, and iSTAR Ultra SE. These products are widely used in physical access control and security management. The vulnerability arises because the affected devices fail to properly handle the expiration of their TLS certificates, resulting in an inability to re-establish secure communication once the certificate expires. This can cause the devices to lose connectivity with management systems or other networked components, effectively causing a denial of service condition. The affected versions are all iSTAR products prior to the implementation of TLS 1.2, indicating that older firmware or software versions are vulnerable. The CVSS 4.0 score is 7.1 (high), with an attack vector of adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), no impact on confidentiality or integrity, and a high impact on availability (VA:H). The vulnerability does not require authentication or user interaction, making it easier to exploit in environments where the attacker has network access. No patches or exploits are currently publicly available, but the risk lies in operational disruption of security systems dependent on these devices. The root cause is the failure to validate certificate expiration properly, a fundamental security control in TLS communications, which can be remediated by upgrading to versions supporting TLS 1.2 or later and ensuring certificate renewal processes are robust.
Potential Impact
For European organizations, the impact of CVE-2025-61736 can be significant, especially for those relying on Johnson Controls' iSTAR series for physical access control and security management. The inability of devices to re-establish communication after certificate expiration can lead to denial of service conditions, disrupting access control systems and potentially locking out authorized personnel or disabling security monitoring. This disruption could affect critical infrastructure, corporate facilities, healthcare institutions, and government buildings, leading to operational downtime and increased security risks. Furthermore, the failure to maintain secure communications may expose organizations to secondary risks if fallback mechanisms are insecure or manual overrides are implemented. The impact is heightened in sectors with stringent security requirements and regulatory compliance obligations, such as finance, energy, and transportation. Given the widespread use of Johnson Controls products in Europe, the vulnerability could affect a broad range of organizations, potentially causing cascading effects on physical security and safety.
Mitigation Recommendations
To mitigate CVE-2025-61736, European organizations should:
1) Immediately identify all affected Johnson Controls iSTAR devices running versions prior to TLS 1.2.
2) Upgrade firmware/software to versions supporting TLS 1.2 or later, which properly validate certificate expiration.
3) Implement proactive certificate lifecycle management, including automated monitoring and renewal of TLS certificates before expiration to prevent communication failures.
4) Conduct regular audits of device configurations and certificate statuses to detect impending expirations.
5) Isolate vulnerable devices on segmented networks to limit exposure until patches or upgrades are applied.
6) Develop and test incident response plans for access control system outages to minimize operational impact.
7) Engage with Johnson Controls support for guidance and potential interim mitigations.
8) Consider deploying network-level controls such as TLS inspection and anomaly detection to identify communication failures related to certificate issues.
These steps go beyond generic advice by focusing on certificate lifecycle management and operational continuity planning specific to the affected products.
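A fleet-side expiry audit in the spirit of steps 3 and 4, added here as an example (not Johnson Controls or iSTAR code): it applies the notBefore/notAfter validity check that CWE-298 describes as missing and flags certificates inside a renewal window before they lapse. Device names, dates and the getpeercert()-shaped certificate dictionaries are constructed; fetch_peer_cert is the live variant for a reachable endpoint and is not called here.

```python
import ssl
import socket
from datetime import datetime, timezone

# Alert this many days before notAfter so a controller never presents an expired
# certificate and drops its management link (the CVE-2025-61736 failure mode).
RENEWAL_LEAD_DAYS = 30

def validity_window(cert: dict) -> tuple[float, float]:
    """(notBefore, notAfter) as Unix timestamps; `cert` has the shape returned by
    ssl.SSLSocket.getpeercert(), whose dates look like 'Jan  1 00:00:00 2026 GMT'."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))

def is_within_validity(cert: dict, now: datetime) -> bool:
    """The CWE-298 check: accept a certificate only between notBefore and notAfter."""
    start, end = validity_window(cert)
    return start <= now.timestamp() < end

def days_until_expiry(cert: dict, now: datetime) -> float:
    return (validity_window(cert)[1] - now.timestamp()) / 86400

def classify(cert: dict, now: datetime, lead_days: int = RENEWAL_LEAD_DAYS) -> str:
    """'expired' (or not yet valid), 'renew' inside the lead window, else 'ok'."""
    if not is_within_validity(cert, now):
        return "expired"
    return "renew" if days_until_expiry(cert, now) <= lead_days else "ok"

def audit(inventory: list[dict], now: datetime) -> list[tuple[str, str, int]]:
    """Per device: (name, status, whole days left), most urgent first."""
    rows = [(d["name"], classify(d["cert"], now), int(days_until_expiry(d["cert"], now)))
            for d in inventory]
    return sorted(rows, key=lambda r: r[2])

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live variant for a reachable endpoint: return the validated certificate it
    presents; raises ssl.SSLCertVerificationError if it has already expired."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample inventory: device names and dates are made up for this example.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
NOT_BEFORE = "Jan  1 00:00:00 2025 GMT"
INVENTORY = [
    {"name": "istar-ultra-lobby", "cert": {"notBefore": NOT_BEFORE, "notAfter": "Feb  1 00:00:00 2026 GMT"}},
    {"name": "istar-edge-dock", "cert": {"notBefore": NOT_BEFORE, "notAfter": "Jan 10 00:00:00 2026 GMT"}},
    {"name": "istar-ultra-se-server-room", "cert": {"notBefore": NOT_BEFORE, "notAfter": "Jun  1 00:00:00 2027 GMT"}},
]
```

Running `audit(INVENTORY, NOW)` lists the already-expired controller first, then the one inside the 30-day window, so renewal work is ordered by how close each device is to losing its connection.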
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: jci
- Date Reserved: 2025-09-30T15:51:17.096Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6942a932d5dc0d5a04f89566
Added to database: 12/17/2025, 12:59:30 PM
Last enriched: 12/17/2025, 1:07:12 PM
Last updated: 12/17/2025, 3:30:46 PM