CISA warns of critical issue in Johnson Controls Software House iStar Pro Door Controller
Take action: Your door controller is vulnerable and out of support, so no patch will be released. You can still mitigate the vulnerability by reconfiguring the controller: set the physical DIP switch to block communications to the ICU tool.
A critical security flaw has been identified in Johnson Controls' Software House iStar Pro Door Controller.
The vulnerability, tracked as CVE-2024-32752 (CVSS score of 9.1), is due to missing authentication for a critical function, allowing remote exploitation with low attack complexity.
Successful exploitation of this vulnerability could enable an attacker to execute machine-in-the-middle attacks, injecting commands to change configurations or initiate manual door control operations.
Affected versions: Software House iStar Pro Door Controller, all versions; ICU, all versions.
The iStar Pro controller has reached the end of its support period, meaning no further firmware updates will be provided. Users can mitigate the vulnerability by setting a physical DIP switch (S4) on the GCM board to block communications to the ICU tool.
No known public exploitation specifically targeting this vulnerability has been reported to CISA.