CVE-2025-53696 CRITICAL

CVE-2025-53696

Vendor Johnson Controls, Inc
Product iSTAR Ultra
Weakness CWE-494 · Download without integrity check
Published July 28, 2025
Last update August 19, 2025

CVSS base score

9.3/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

iSTAR Ultra performs a firmware verification on boot, however the verification does not inspect certain portions of the firmware. These firmware parts may contain malicious code. Tested up to firmware 6.9.2, later firmwares are also possibly affected.

Key dates

02Disclosure timeline

July 28, 2025 CVE published
August 19, 2025 Record updated