CVE-2024-32752

Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool

Description

iSTAR door controllers running firmware prior to version 6.6.B do not support authenticated communications with ICU, which may allow an attacker to gain unauthorized access.

Remediation

Solution:

  • Replace the iSTAR Pro, Edge and eX door controllers with a current generation iSTAR door controller (such as iSTAR Ultra G2) which supports authentication and prevents the ICU from making configuration changes.
  • Ensure your iSTAR Ultra and Ultra LT door controllers are running firmware 6.6.B or greater.

CVSS: 8.8
Severity: High
EPSS: 0.21%
Affected: Johnson Controls iSTAR Configuration Utility (ICU)
Affected: Johnson Controls iSTAR Pro, Edge and eX
Affected: Johnson Controls iSTAR Ultra and Ultra LT

Frequently Asked Questions

What is the severity of CVE-2024-32752?
CVE-2024-32752 has been scored as a high severity vulnerability.

How to fix CVE-2024-32752?
To fix CVE-2024-32752:
  • Replace the iSTAR Pro, Edge and eX door controllers with a current generation iSTAR door controller (such as iSTAR Ultra G2) which supports authentication and prevents the ICU from making configuration changes.
  • Ensure your iSTAR Ultra and Ultra LT door controllers are running firmware 6.6.B or greater.

Is CVE-2024-32752 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2024-32752 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

What software or system is affected by CVE-2024-32752?
CVE-2024-32752 affects Johnson Controls iSTAR Configuration Utility (ICU), Johnson Controls iSTAR Pro, Edge and eX, and Johnson Controls iSTAR Ultra and Ultra LT.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.