CVE-2024-32752 HIGH

CVE-2024-32752: Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool

Vendor Johnson Controls
Product iSTAR Configuration Utility (ICU)
Weakness CWE-306 · Missing auth
Published June 6, 2024
Last update April 24, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

The iSTAR door controllers running firmware prior to version 6.6.B do not support authenticated communications with ICU, which may allow an attacker to gain unauthorized access.

Key dates

02 Disclosure timeline

June 6, 2024 CVE published
April 24, 2025 Record updated