CISA Publishes ICS Advisories Highlighting New Vulnerabilities and Exploits

On May 27, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a new Industrial Control Systems (ICS) advisory—ICSA-25-146-01—highlighting a significant security vulnerability in the Johnson Controls iSTAR Configuration Utility (ICU) Tool.

This tool is widely deployed for configuring and managing access control systems across critical infrastructure sectors, including commercial facilities, energy, government services, and transportation systems.

The vulnerability, tracked as CVE-2025-26383, is a “Use of Uninitialized Variable” weakness (Common Weakness Enumeration: CWE-457) affecting all ICU Tool versions before 6.9.5.

Security researcher Reid Wightman of Dragos, Inc. reported the flaw, which can leak the contents of uninitialized memory.

This means sensitive data, such as user credentials, configuration settings, or cryptographic materials, could be inadvertently exposed to an attacker with access to the affected system.
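The CWE-457 pattern the advisory describes, shown as an added example that is not code from the advisory, from CISA or from the ICU Tool itself: a hypothetical serializer copies a partially initialized stack structure into a reply buffer, so padding bytes and unwritten fields carry whatever the stack previously held. The fixed builder zeroes the object before assigning fields, and a small check counts residual bytes in the encoded record so a unit test can catch a regression. The struct layout, field names and sample values are constructed for illustration.

```c
/* Added example (not code from the advisory or from the ICU Tool): how a
 * use-of-uninitialized-variable flaw (CWE-457) turns into a memory
 * disclosure when a partially initialized structure is serialized, and
 * the fix. Struct layout, field names and sample values are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical configuration record returned to a client. Because a
 * uint8_t precedes a uint32_t, the compiler inserts padding after
 * `version`; `reserved` and the last byte of `site_name` are never
 * written by either builder below. */
struct config_reply {
    uint8_t  version;
    uint32_t device_id;
    char     site_name[16];
    uint8_t  reserved[8];
};

#define REPLY_LEN sizeof(struct config_reply)

/* Vulnerable pattern (CWE-457): the record lives on the stack and only
 * some fields are assigned. memcpy() copies padding, `reserved` and the
 * unwritten tail of `site_name` verbatim, so whatever the stack held
 * before (earlier credentials, key material, pointers) reaches the wire. */
size_t build_reply_vulnerable(uint8_t *out, uint32_t device_id, const char *site)
{
    struct config_reply r;                               /* not initialized */
    r.version   = 1;
    r.device_id = device_id;
    strncpy(r.site_name, site, sizeof r.site_name - 1);  /* writes 15 bytes */
    memcpy(out, &r, REPLY_LEN);
    return REPLY_LEN;
}

/* Fixed pattern: zero the whole object first, padding included, then
 * assign fields. Every byte that leaves the function is now either a
 * field value or zero. */
size_t build_reply_fixed(uint8_t *out, uint32_t device_id, const char *site)
{
    struct config_reply r;
    memset(&r, 0, sizeof r);                             /* zeroes padding too */
    r.version   = 1;
    r.device_id = device_id;
    strncpy(r.site_name, site, sizeof r.site_name - 1);
    memcpy(out, &r, REPLY_LEN);
    return REPLY_LEN;
}

/* Check for a serializer unit test: count non-zero bytes in the regions
 * no field assignment writes (padding after `version`, last byte of
 * `site_name`, all of `reserved`). The fixed builder must yield 0; the
 * vulnerable builder yields whatever the stack happened to contain. */
size_t count_residual_bytes(const uint8_t *buf)
{
    size_t residual = 0, i;
    size_t pad_start  = offsetof(struct config_reply, version) + sizeof(uint8_t);
    size_t pad_end    = offsetof(struct config_reply, device_id);
    size_t tail_start = offsetof(struct config_reply, site_name) + 15;

    for (i = pad_start; i < pad_end; i++)
        residual += (buf[i] != 0);
    for (i = tail_start; i < REPLY_LEN; i++)
        residual += (buf[i] != 0);
    return residual;
}

/* Self-check: the fixed builder produces a record with no residual bytes
 * and the expected header byte. Returns 1 on success, 0 on failure. */
int fixed_reply_is_clean(void)
{
    uint8_t buf[REPLY_LEN];
    size_t n = build_reply_fixed(buf, 0x0000C0DE, "plant-a");  /* constructed values */
    return n == REPLY_LEN && buf[0] == 1 && count_residual_bytes(buf) == 0;
}

int main(void)
{
    uint8_t buf[REPLY_LEN];
    size_t i;
    build_reply_vulnerable(buf, 0x0000C0DE, "plant-a");
    printf("vulnerable builder: %zu residual byte(s)\n", count_residual_bytes(buf));
    build_reply_fixed(buf, 0x0000C0DE, "plant-a");
    printf("fixed builder:      %zu residual byte(s), record:", count_residual_bytes(buf));
    for (i = 0; i < REPLY_LEN; i++)
        printf(" %02x", buf[i]);
    printf("\n");
    return 0;
}
```

The residual count for the vulnerable builder is not reproducible, which is exactly the property that makes this class of bug hard to spot in testing; the check is only meaningful as a hard requirement of zero on the fixed path, and memset() before field assignment is the portable way to guarantee it, since `struct config_reply r = {0};` initializes members but does not promise anything about padding bytes.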

Technical Details and Risk Evaluation

The severity of CVE-2025-26383 is underscored by its Common Vulnerability Scoring System (CVSS) ratings.

Under CVSS v3.1, the base score is 7.4 (vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating a high risk due to the potential compromise of confidentiality.

The updated CVSS v4.0 base score is 6.3 (vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N), reflecting refined threat modeling and environmental factors.

Key technical points include:

  • Attack Complexity: Low; no extraordinary skills or prerequisites required.
  • Attack Vector: Adjacent network (AV:A); attacker must have local or network proximity.
  • Potential Impact: Confidentiality is at risk, but there is no direct threat to system integrity or availability, meaning no arbitrary code execution or denial of service is possible through this flaw.
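The three points above are read straight off the v3.1 vector (AC:L, AV:A, and I:N/A:N for the absence of integrity and availability impact), and the 7.4 follows from the published CVSS v3.1 formulas. As an added example that is not part of the advisory, the following C program parses a v3.1 vector string, applies the specification's metric weights and base-score equations, and reproduces 7.4 for the vector quoted above; it returns -1.0 for a malformed vector. The second vector in `main()` is a constructed scope-unchanged comparison. The v4.0 vector is not handled, because v4.0 scoring uses lookup tables rather than a closed formula.

```c
/* Added example (not from the advisory): parse a CVSS v3.1 vector string
 * and compute its base score with the formulas and metric weights from
 * the CVSS v3.1 specification. On the vector quoted above it yields 7.4.
 * v4.0 is out of scope: its score comes from lookup tables, not a formula. */
#include <stdio.h>
#include <string.h>

/* Value letter of metric `name` (e.g. "AV") in the vector, or '?' if the
 * metric is absent. Matches only whole '/'-delimited components so that
 * "A" does not match inside "AV" or "AC". */
static char metric(const char *vector, const char *name)
{
    size_t n = strlen(name);
    const char *p = vector;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == vector || p[-1] == '/') && p[n] == ':' && p[n + 1] != '\0')
            return p[n + 1];
        p += 1;
    }
    return '?';
}

/* Metric weights from the v3.1 specification; -1 marks an invalid letter. */
static double av_w(char c)
{
    switch (c) { case 'N': return 0.85; case 'A': return 0.62;
                 case 'L': return 0.55; case 'P': return 0.20; default: return -1; }
}
static double ac_w(char c) { return c == 'L' ? 0.77 : c == 'H' ? 0.44 : -1; }
static double pr_w(char c, int scope_changed)
{
    switch (c) { case 'N': return 0.85;
                 case 'L': return scope_changed ? 0.68 : 0.62;
                 case 'H': return scope_changed ? 0.50 : 0.27; default: return -1; }
}
static double ui_w(char c)  { return c == 'N' ? 0.85 : c == 'R' ? 0.62 : -1; }
static double cia_w(char c) { return c == 'H' ? 0.56 : c == 'L' ? 0.22 : c == 'N' ? 0.0 : -1; }

/* Spec's Roundup(): smallest one-decimal value >= x, using the integer
 * form the spec gives to avoid floating-point artefacts. x is >= 0. */
static double roundup(double x)
{
    long i = (long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0)
        return i / 100000.0;
    return (i / 10000 + 1) / 10.0;
}

/* Base score for a CVSS v3.1 vector, or -1.0 if it is malformed. */
double cvss31_base_score(const char *vector)
{
    if (strncmp(vector, "CVSS:3.1/", 9) != 0)
        return -1.0;
    char s = metric(vector, "S");
    if (s != 'U' && s != 'C')
        return -1.0;
    int changed = (s == 'C');

    double av = av_w(metric(vector, "AV")), ac = ac_w(metric(vector, "AC"));
    double pr = pr_w(metric(vector, "PR"), changed), ui = ui_w(metric(vector, "UI"));
    double c = cia_w(metric(vector, "C")), i = cia_w(metric(vector, "I")),
           a = cia_w(metric(vector, "A"));
    if (av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0)
        return -1.0;

    /* Impact sub-score; the scope-changed form subtracts a 15th-power term. */
    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    double impact;
    if (changed) {
        double t = iss - 0.02, p = 1.0;
        int k;
        for (k = 0; k < 15; k++) p *= t;
        impact = 7.52 * (iss - 0.029) - 3.25 * p;
    } else {
        impact = 6.42 * iss;
    }
    double exploitability = 8.22 * av * ac * pr * ui;
    if (impact <= 0.0)
        return 0.0;
    double sum = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    return roundup(sum > 10.0 ? 10.0 : sum);
}

int main(void)
{
    /* First vector is the one from the advisory text; the second is a
     * constructed scope-unchanged comparison. */
    const char *v[] = { "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" };
    size_t k;
    for (k = 0; k < 2; k++)
        printf("%s -> %.1f\n", v[k], cvss31_base_score(v[k]));
    return 0;
}
```

Working through the advisory's vector by hand: ISS = 1 - (1 - 0.56) = 0.56; with scope changed, Impact = 7.52 × (0.56 - 0.029) - 3.25 × (0.54)^15 ≈ 3.993; Exploitability = 8.22 × 0.62 × 0.77 × 0.85 × 0.85 ≈ 2.835; 1.08 × (3.993 + 2.835) ≈ 7.374, which rounds up to 7.4. The S:C (scope changed) component is what lifts the score: without it the same metrics would give roughly 6.8.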

The ICU Tool’s deep integration within physical security frameworks amplifies the risk, as exploitation could allow attackers to obtain unauthorized access or tamper with access control settings in sensitive environments.

Mitigation Strategies and Best Practices

Johnson Controls has responded by releasing ICU Tool version 6.9.5, which addresses the vulnerability.

CISA and Johnson Controls recommend the following mitigation steps:

  • Immediate Update: Upgrade all ICU Tool instances to version 6.9.5 or later. Download the installer from official Johnson Controls channels and verify its integrity.
  • Network Segmentation: Isolate ICS and Building Management Systems (BMS) from enterprise networks using firewalls and access controls. Limit communication between segments to only what is necessary.
  • Remote Access Controls: Restrict and monitor VPN usage, ensuring both VPN endpoints and connected devices are fully patched.
  • Audit and Monitoring: Review system logs for unusual access or data leakage. Regularly audit user accounts and permissions.
  • Defense-in-Depth: Employ multiple layers of security, including strong authentication, centralized logging, and periodic security assessments.

CISA further advises minimizing network exposure for all control system devices, ensuring they are not accessible from the Internet, and performing thorough impact analysis before deploying defensive measures.

No known public exploitation of this vulnerability has been reported as of the advisory’s release.

This incident underscores the critical importance of proactive vulnerability management and robust cybersecurity practices in industrial environments, where the intersection of digital and physical security is increasingly targeted by sophisticated threat actors.
