CVE-2025-26386

Stack-based Buffer Overflow in Johnson Controls iSTAR Configuration Utility (ICU) tool

CVSS 7.1 HIGHEPSS 0.4%CWE-121

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.1EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

28 Jan 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Johnson Controls iSTAR Configuration Utility (ICU) has Stack-based Buffer Overflow vulnerability. This issue affects iSTAR Configuration Utility (ICU) version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the ICU tool.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Affected products

Johnson Controls · iSTAR Configuration Utility (ICU)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-04 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories