Software House iSTAR Door Controllers: Unauthenticated ICU Communications Allow Door Manipulation
Summary
iSTAR door controllers running firmware older than 6.6.B do not authenticate the channel they use to talk to the iSTAR Configuration Utility, so an attacker positioned on the network can impersonate the management tool and push configuration to the controller without credentials. That foothold can be used to alter door behavior, reader assignments, and controller settings on a system that governs physical entry. Several legacy iSTAR models (Pro, Edge, eX) and the ICU tool itself have no fixed firmware and require compensating network controls or hardware replacement.
Affected products
Impact
An unauthenticated attacker with network access can gain unauthorized control of the controller's configuration channel (CVSS 3.1 base 9.1, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H; Johnson Controls CVSS 4.0 base 8.8). This threatens the integrity and availability of access decisions across doors managed by the affected iSTAR, including the ability to reconfigure or disrupt controllers tied to the C-CURE 9000 head end.
Remediation
Upgrade iSTAR Ultra and Ultra LT to firmware 6.6.B or later, which enables authenticated ICU communications; for Pro, Edge, and eX models that have no fix, isolate them on a segmented network, restrict ICU access to a dedicated management host, and plan migration to a supported controller. Follow the Johnson Controls product security advisory and CISA ICSA-24-158-04, minimize network exposure, and never expose controllers to the internet. Uniqcli Security can audit your iSTAR firmware levels, segment the access-control network, and engineer a phased upgrade or rip-and-replace plan to current iSTAR Ultra G2 hardware under a TAA/NDAA-compliant bill of materials.
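An added fleet-triage script (not vendor code, not from the advisory) that applies the remediation rule above to an inventory: Ultra and Ultra LT below 6.6.B need an upgrade, while Pro, Edge and eX get no fix and must be isolated. The inventory layout, model spellings and the letter-suffix version ordering (A < B < C) are assumptions.

```python
"""Fleet firmware triage for Software House iSTAR controllers (added example).
Ultra / Ultra LT are fixed in 6.6.B; Pro, Edge and eX have no fixed firmware.
Inventory layout, model spellings and version ordering are assumptions."""
import re
from typing import NamedTuple

FIXED_VERSION = "6.6.B"
FIXABLE_MODELS = {"ultra", "ultra lt"}  # fixed firmware exists
NO_FIX_MODELS = {"pro", "edge", "ex"}   # compensating controls only
# Assumed format: major.minor with an optional build letter, e.g. 6.6.B
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.([A-Za-z]))?$")

def parse_version(v: str) -> tuple:
    """'6.6.B' -> (6, 6, 2); build letters order A < B < C, none sorts first."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised iSTAR firmware version: {v!r}")
    major, minor, build = m.groups()
    build_num = 0 if build is None else ord(build.upper()) - ord("A") + 1
    return (int(major), int(minor), build_num)

class Finding(NamedTuple):
    name: str
    model: str
    firmware: str
    action: str  # "ok" | "upgrade" | "isolate" | "unknown"

def triage(entry: dict) -> Finding:
    """Classify one controller record against the advisory's remediation."""
    model, fw = entry["model"].strip().lower(), entry["firmware"]
    if model in NO_FIX_MODELS:
        action = "isolate"  # segment, restrict ICU to a management host, plan replacement
    elif model in FIXABLE_MODELS:
        action = "ok" if parse_version(fw) >= parse_version(FIXED_VERSION) else "upgrade"
    else:
        action = "unknown"  # not covered by this advisory; check vendor guidance
    return Finding(entry["name"], entry["model"], fw, action)

def triage_fleet(inventory: list) -> list:
    return [triage(e) for e in inventory]

# Constructed sample inventory (not real devices)
SAMPLE_INVENTORY = [
    {"name": "lobby-ctrl-01", "model": "Ultra", "firmware": "6.5.A"},
    {"name": "dock-ctrl-02", "model": "Ultra LT", "firmware": "6.6.B"},
    {"name": "annex-ctrl-03", "model": "Pro", "firmware": "5.2.A"},
]

if __name__ == "__main__":
    for f in triage_fleet(SAMPLE_INVENTORY):
        print(f"{f.name:14} {f.model:9} {f.firmware:6} -> {f.action}")
```

Feed it your real inventory export and treat every "isolate" result as a network-segmentation work item, not just a firmware note.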
