CVE-2025-53696
Vexday Risk Score
28 Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.3 · EPSS 0.1% · KEV no · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
28 Jul 2025: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
iSTAR Ultra performs a firmware verification on boot; however, the verification does not inspect certain portions of the firmware. These firmware parts may contain malicious code. Tested up to firmware 6.9.2; later firmware versions are also possibly affected.
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products
Johnson Controls, Inc · iSTAR Ultra