Johnson Controls reports critical vulnerability in ICU tool
Take action: If you are using Johnson Controls' ICU tool, the usual rules apply: make sure it is isolated from the internet and reachable only from trusted networks, then plan a patch, because any isolation can be breached given enough time.
Johnson Controls Inc. is reporting a critical security vulnerability affecting its ICU tool. The ICU tool is part of Johnson Controls' industrial control system product line, used for building automation and management; it helps monitor and control various systems within commercial and industrial environments.
The flaw, tracked as CVE-2025-26382 (CVSS score 9.8), is classified as a stack-based buffer overflow. It requires no authentication, can be exploited remotely, and allows an attacker to execute arbitrary code on affected systems; successful exploitation could give complete control over the affected system.
ICU versions prior to 6.9.5 are affected.
Johnson Controls recommends users upgrade to ICU version 6.9.5 to mitigate this vulnerability. For more detailed mitigation instructions, users should refer to Johnson Controls Product Security Advisory JCI-PSA-2025-04.
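Because "prior to 6.9.5" is a numeric comparison, an inventory check that compares version strings lexically will get it wrong (for example, "6.9.10" sorts before "6.9.5" as text). The following is an added example, not code from Johnson Controls or the advisory: it parses dotted version strings into integer tuples and flags hosts running an affected ICU build. How the version string is collected from each host is site-specific and is assumed here; the hostnames and versions in the sample inventory are constructed for illustration.

```python
import re

# Fixed release named in the advisory: anything strictly older is affected.
FIXED_VERSION = "6.9.5"


def parse_version(text):
    """Parse a dotted version string such as '6.9.5' into a tuple of ints.

    Comparing int tuples avoids the string-comparison bug where '6.9.10'
    sorts before '6.9.5'. A non-numeric suffix on a component (e.g. '5b')
    is dropped for the comparison; a component with no leading digits is
    rejected so a garbage value is never silently treated as patched.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"(\d+)", piece)
        if not m:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(m.group(1)))
    # Pad short versions so '6.8' compares as 6.8.0 against a three-part fix.
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, fixed=FIXED_VERSION):
    """True if `version` is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def affected_hosts(inventory):
    """Return [(host, version)] for every entry running an affected ICU build.

    `inventory` is an iterable of (host, version) pairs. Where the version
    string comes from (CMDB export, file properties, vendor tooling) is an
    assumption of this example, not something the advisory specifies.
    """
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("bms-eng-01", "6.9.5"),   # patched
    ("bms-eng-02", "6.9.4"),   # affected
    ("bms-eng-03", "6.9.10"),  # newer than the fix; a naive string compare would flag it
    ("bms-eng-04", "6.8"),     # affected (compared as 6.8.0)
]

if __name__ == "__main__":
    for host, ver in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: ICU {ver} is older than {FIXED_VERSION}, schedule the upgrade")
```

Feed `affected_hosts` the real (host, version) pairs from your asset inventory to get the patch list; anything it rejects with `ValueError` is worth a manual look rather than being assumed safe.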
According to the advisory, no known public exploitation specifically targeting this vulnerability has been reported to CISA at the time of publication.