
Your Access Control System May Be Your Biggest Cybersecurity Blind Spot

Recent CISA advisories targeting Johnson Controls iSTAR controllers are a wake-up call for every IT Manager still running on-premise physical security infrastructure.

Johnson Controls and its Software House brand have long been considered among the most reputable names in commercial access control. Thousands of enterprise facilities across the country run iSTAR door controllers as the backbone of their physical security programs. That reputation is exactly what makes the recent wave of publicly disclosed vulnerabilities so significant.

Between 2024 and 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued multiple advisories documenting serious cybersecurity vulnerabilities in the Johnson Controls iSTAR product line, including the iSTAR Ultra, Ultra SE, G2, Edge G2, and the iSTAR Configuration Utility (ICU) tool. These are not theoretical risks. They are documented, catalogued, and publicly disclosed vulnerabilities that attackers can read up on just as easily as your security team.


DOCUMENTED VULNERABILITIES: Johnson Controls iSTAR (2024-2026)

Unauthorized USB Console Access: Physical access to iSTAR Ultra and Edge G2 controllers running versions prior to 6.9 allows an attacker to access the USB console without authentication, bypassing physical security entirely.

Command Injection (CVE-2025-43875): Improper neutralization of OS command elements across iSTAR Ultra, SE, G2, and Edge G2 devices allows unauthorized command execution that can alter system behavior.

Stack-Based Buffer Overflow: The ICU tool (v6.9.7 and prior) carries stack-based buffer overflow vulnerabilities capable of causing full system failures and access control disruption.

Memory Leaks (CVE-2025-26383): The ICU tool leaks memory from the Windows PC running it, potentially exposing sensitive configuration data to unauthorized parties.

Machine-in-the-Middle Attacks (CVE-2024-32752): Attackers can intercept communication between the ICU tool and iSTAR Pro door controllers to inject commands or silently alter access configurations.

Source: CISA Advisory ICS-25-345-01 and Johnson Controls Trust Center


Why This Matters to IT Managers Specifically

Physical security has historically lived outside the IT conversation. Facilities owned it. Integrators installed it. IT was rarely in the room. That separation no longer holds.

Today, access control systems sit on your network. They communicate with your servers. They store credential data. They connect to your Active Directory. When a vulnerability is disclosed in an access control platform, it is not a facilities problem. It is an IT problem, and in many organizations it is an IT problem that nobody has formally accepted ownership of yet.

The iSTAR advisories make this concrete. A machine-in-the-middle attack that injects commands into your door controllers does not just unlock a door. It potentially exposes the network segment your access control system occupies, compromises audit records, and creates a vector into broader infrastructure. For organizations operating under compliance frameworks, the consequences extend well beyond physical security.


The On-Premise Problem Is Structural, Not Incidental

The iSTAR vulnerabilities are serious. But the more important conversation is about the structural disadvantage every on-premise access control system carries, regardless of manufacturer.

On-premise systems depend on manual firmware updates. Your team has to identify that an update exists, test it, schedule downtime, and execute the patch across every controller at every location. Research consistently shows that the vast majority of organizations running on-premise access control fall significantly behind on firmware maintenance. The iSTAR advisories recommend upgrading to ICU version 6.9.5 or greater and isolating control system networks behind firewalls. For a multi-site enterprise, executing that consistently and verifiably across dozens or hundreds of locations is a significant operational burden that most IT teams are not resourced to absorb.

Cloud-based access control systems eliminate this problem structurally. Security updates are deployed by the platform vendor in real time, across every connected device, without any action required by your internal team. There is no patch cycle to manage, no firmware version to track, and no gap between when a vulnerability is identified and when your systems are protected.


ON-PREMISE VS. CLOUD ACCESS CONTROL: What Changes for IT Teams

Firmware and Security Updates: On-premise requires manual identification, testing, scheduling, and execution at every site. Cloud platforms deploy updates automatically across all devices in real time.

Network Exposure: On-premise controllers must be manually isolated behind firewalls and VPNs. Cloud-native platforms are architected from the ground up to minimize network attack surface, with cellular module options that keep access control off the corporate network entirely.

Audit and Compliance: On-premise systems require manual log management and documentation. Cloud platforms maintain continuous, timestamped, tamper-evident audit trails accessible remotely from a single interface.

Multi-Site Management: On-premise requires site-by-site administration. Cloud platforms provide a single interface to manage credentials, schedules, and access events across all locations simultaneously.

IT Overhead: On-premise places ongoing maintenance responsibility on internal IT or facilities teams. Cloud platforms offload that responsibility to the vendor by design.


Whether your organization runs iSTAR or any other on-premise access control platform, the advisories issued in 2025 and 2026 create a clear set of immediate priorities.

  • Audit your current access control platform and firmware versions across all locations.
  • Confirm whether your access control network is properly segmented from your corporate infrastructure.
  • Identify who in your organization owns responsibility for access control firmware maintenance and whether they have the resources to execute it reliably.
  • Request a security posture review from your current access control integrator and ask specifically about known CVEs affecting your installed hardware.
  • Evaluate whether a migration to a cloud-native access control platform is the right long-term path for your organization given its size, distributed footprint, and IT capacity.
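The first two checklist items can be turned into a repeatable inventory check. The script below is an added example, not Alen Security's or Johnson Controls' tooling; it takes the version thresholds the article cites (iSTAR Ultra and Edge G2 below 6.9, ICU below 6.9.5) and flags controllers that fall under them or that sit inside an assumed corporate address range. The inventory rows, site names, addresses and the corporate range are constructed sample data.

```python
"""Audit a controller inventory for out-of-date firmware and missing segmentation.

Added example (not vendor code). Thresholds are the ones stated in the article;
every row, site, IP and network below is constructed sample data.
"""
import csv
import io
import ipaddress

# Minimum versions cited in the article, keyed by inventory model name.
MIN_VERSIONS = {
    "iSTAR Ultra": (6, 9),
    "iSTAR Edge G2": (6, 9),
    "ICU": (6, 9, 5),
}

# Assumed corporate range: a controller inside it is not segmented.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed inventory; a real one would be exported from your CMDB or integrator.
INVENTORY = """site,model,firmware,ip
HQ,iSTAR Ultra,6.8.2,10.0.12.40
HQ,ICU,6.9.7,10.0.5.10
Warehouse-3,iSTAR Edge G2,6.10.1,172.16.40.12
Warehouse-3,ICU,6.9.4,172.16.40.20
"""


def parse_version(text):
    """Split '6.10.1' into (6, 10, 1) so 6.10 compares above 6.9.

    Comparing the raw strings would get this wrong ('6.10' < '6.9').
    """
    return tuple(int(part) for part in text.strip().split("."))


def audit(inventory_csv):
    """Return (site, model, finding) tuples for every problem found."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["firmware"])
        minimum = MIN_VERSIONS.get(row["model"])
        if minimum is not None and version < minimum:
            findings.append((row["site"], row["model"], "below-minimum-firmware"))
        addr = ipaddress.ip_address(row["ip"])
        if any(addr in net for net in CORPORATE_NETS):
            findings.append((row["site"], row["model"], "on-corporate-network"))
    return findings


if __name__ == "__main__":
    for site, model, finding in audit(INVENTORY):
        print(f"{site}: {model}: {finding}")
```

Run against the constructed inventory it reports the HQ iSTAR Ultra twice (old firmware, corporate subnet), the HQ ICU host once (corporate subnet) and the Warehouse-3 ICU once (below 6.9.5), while the Edge G2 on 6.10.1 correctly passes.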

For many multi-site enterprises, the answer to that last question is already clear. The operational burden of maintaining on-premise physical security at scale, combined with the accelerating pace of disclosed vulnerabilities, has shifted the calculus decisively toward cloud.


The Johnson Controls iSTAR advisories are not an indictment of a single manufacturer. They are a reminder of a fundamental reality: on-premise access control systems require continuous, disciplined maintenance to remain secure, and most organizations are not positioned to deliver that consistently at scale.

Cloud-based access control was built to solve exactly this problem. Automatic updates, centralized management, cellular network segmentation, real-time audit trails, and remote credential management are not features. They are structural advantages that eliminate entire categories of risk that on-premise systems cannot escape.

For IT Managers carrying the weight of a growing technology portfolio, physical security should not be one more system demanding manual attention. The right platform takes it off your plate entirely.


Is Your Access Control System Built for Today’s Threats?

Alen Security specializes in cloud-based access control for multi-site enterprises across the country. If your team is managing on-premise systems and uncertain about your current exposure, we can help you assess your posture and design a clear path forward.

Contact Alen Security  |  alensecurity.com


Don’t partner with Alen Security because we’ve been in business for more than 50 years. Partner with us because of what that experience enables us to bring to the table for every single interaction.

Experience the ALEN ADVANTAGE  |  877.215.2536 (ALEN)  |  Call today!