BACK TO NEWS
CERT Advisories

Critical Stack-Based Buffer Overflow Vulnerability in Johnson Controls iSTAR (CVE-2026-XXXX)

2 min readSource: INCIBE-CERT

INCIBE-CERT warns of a severe stack-based buffer overflow flaw in Johnson Controls iSTAR access controllers, enabling remote code execution.

Critical Stack-Based Buffer Overflow in Johnson Controls iSTAR Access Controllers

Madrid, Spain – January 23, 2026 – INCIBE-CERT has issued an early warning regarding a critical stack-based buffer overflow vulnerability in Johnson Controls iSTAR access control systems. The flaw, tracked under CVE-2026-XXXX, poses a significant risk to organizations relying on these devices for physical security infrastructure.

Technical Details

The vulnerability stems from improper input validation in the iSTAR firmware, allowing attackers to trigger a stack-based buffer overflow via specially crafted network packets. Successful exploitation could lead to:

  • Remote code execution (RCE) with elevated privileges
  • Denial-of-service (DoS) conditions
  • Unauthorized access to sensitive facility controls

While specific technical details remain limited pending a vendor patch, the flaw is classified as high-severity due to its potential for exploitation without authentication. Johnson Controls iSTAR systems are widely deployed in critical infrastructure sectors, including healthcare, government, and commercial facilities.

Impact Analysis

The vulnerability exposes organizations to:

  • Physical security breaches via compromised access control systems
  • Lateral movement into connected OT/IT networks
  • Compliance violations under frameworks like NIST SP 800-82 and IEC 62443

INCIBE-CERT has not confirmed active exploitation in the wild but urges immediate mitigation due to the flaw’s critical nature.

Recommendations

Security teams should:

  1. Isolate iSTAR devices from untrusted networks until patches are available
  2. Monitor network traffic for anomalous activity targeting iSTAR controllers
  3. Apply vendor-supplied updates immediately upon release
  4. Review access logs for signs of unauthorized configuration changes
  5. Segment networks to limit exposure of critical physical security systems

Johnson Controls has been notified and is expected to release a firmware update. INCIBE-CERT will provide further details as they become available. For more information, refer to the original advisory.

This is a developing story. Updates will follow as new information emerges.

Share

TwitterLinkedIn