Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2025-61736
PUBLISHED
More InfoOfficial Page
Assigner-jci
Assigner Org ID-7281d04a-a537-43df-bfb4-fa4110af9d01
View Known Exploited Vulnerability (KEV) details
Published At-17 Dec, 2025 | 12:36
Updated At-17 Dec, 2025 | 15:09
Rejected At-
▼CVE Numbering Authority (CNA)
iSTAR- Improper Validation of Certificate Expiration

Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires.

Affected Products
Vendor
Johnson Controls
Product
iSTAReX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra , iSTAR Ultra SE
Default Status
affected
Versions
Affected
  • iSTAR All versions prior to TLS 1.2
Problem Types
TypeCWE IDDescription
CWECWE-298CWE-298-Improper Validation of certificate expiration
Type: CWE
CWE ID: CWE-298
Description: CWE-298-Improper Validation of certificate expiration
Metrics
VersionBase scoreBase severityVector
4.07.1HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-94CAPEC-94: Adversary in the Middle (AiTM)
CAPEC ID: CAPEC-94
Description: CAPEC-94: Adversary in the Middle (AiTM)
Solutions

Johnson Controls recommends the following mitigations: Host-based certificates using TLS 1.2: * Quickest solution * No Upgrade required to specific C•CURE or iSTAR software/firmware versions * Requires downloading a new certificate to all iSTAR panels simultaneously, resulting in a brief system downtime Convert encryption mode to TLS 1.3, per cluster: * Requires firmware 6.9.0 or higher, and C•CURE 9000 v2.90 SP3 or higher * Enables phased implementation by cluster, minimizing disruption * Note: TLS 1.3 is not supported on iSTAR eX, iSTAR Edge, and iSTAR Ultra LT panels Upgrade legacy panels to new G2 hardware: * Recommended for smaller systems due to time constraints * Applies primarily to iSTAR eX, iSTAR Edge, and iSTAR LT panels

Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
N/A
https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-04
N/A
Hyperlink: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
Resource: N/A
Hyperlink: https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-04
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found