The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-26386

CVE-2025-26386: Johnson Controls ICU Buffer Overflow Flaw

CVE-2025-26386 is a stack-based buffer overflow vulnerability in Johnson Controls iSTAR Configuration Utility (ICU) that could cause operating system failure. This article covers the technical details, affected versions, and mitigation.

Published: January 30, 2026

CVE-2025-26386 Overview

CVE-2025-26386 is a stack-based buffer overflow vulnerability affecting Johnson Controls iSTAR Configuration Utility (ICU), a tool used for configuring iSTAR access control systems commonly deployed in physical security environments. The vulnerability exists in ICU version 6.9.7 and prior versions. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the ICU tool, potentially causing denial of service conditions.

Critical Impact

Exploitation of this stack-based buffer overflow can cause operating system failure on hosts running the ICU configuration tool, disrupting physical access control system management and potentially leaving security infrastructure in an unmanaged state.

Affected Products

  • Johnson Controls iSTAR Configuration Utility (ICU) version 6.9.7
  • Johnson Controls iSTAR Configuration Utility (ICU) versions prior to 6.9.7

Discovery Timeline

  • 2026-01-28 - CVE-2025-26386 published to NVD
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2025-26386

Vulnerability Analysis

This vulnerability is classified as CWE-121: Stack-based Buffer Overflow, a memory corruption vulnerability that occurs when a program writes data beyond the boundaries of a fixed-length buffer on the stack. In the context of the iSTAR Configuration Utility, the vulnerability can be triggered over a network connection, though it requires user interaction to exploit successfully.

The attack does not require authentication or special privileges, making it accessible to unauthenticated remote attackers. However, the user interaction requirement indicates that some form of social engineering or manipulation of the user interface may be necessary to trigger the vulnerable code path. The primary impact is on system availability, with the potential for high availability impact and limited integrity impact.

Root Cause

The root cause of CVE-2025-26386 is improper bounds checking when handling input data within the iSTAR Configuration Utility. When processing certain inputs, the application fails to validate the size of data being written to stack-allocated buffers. This allows an attacker to supply oversized input that overwrites adjacent memory on the stack, potentially corrupting return addresses, saved registers, or other critical stack data structures.

Stack-based buffer overflows are particularly dangerous because the stack contains execution control data. When this data is corrupted, it can lead to application crashes, denial of service, or in some cases, arbitrary code execution if the attacker can precisely control the overwritten values.

Attack Vector

The attack vector for this vulnerability is network-based, meaning an attacker can potentially trigger the vulnerability remotely. The exploitation scenario involves the following conditions:

The attacker must be able to communicate with the ICU application over the network and must induce some form of user interaction on the target system. This could involve sending malicious configuration data or crafted network packets that are processed by the ICU tool when a user performs certain actions.

Given the nature of iSTAR access control systems, which are typically used in enterprise physical security deployments, the attack surface may be limited to internal networks or VPN-connected environments. However, any successful exploitation could disrupt the ability to manage and configure physical access control systems, potentially impacting building security operations.

The vulnerability mechanism involves overflowing stack memory when processing input data. Attackers may craft payloads that exceed expected buffer sizes, causing memory corruption. For detailed technical information, refer to the CISA ICS Advisory ICSA-26-022-04.

Detection Methods for CVE-2025-26386

Indicators of Compromise

  • Unexpected crashes or service failures of the iSTAR Configuration Utility application
  • Windows Event Log entries indicating application errors or memory access violations related to ICU processes
  • Abnormal network traffic patterns targeting the ICU application ports
  • System instability or blue screen errors on hosts running the ICU tool

Detection Strategies

  • Monitor for application crashes and unexpected terminations of the ICU tool using endpoint detection and response (EDR) solutions
  • Implement network intrusion detection rules to identify malformed or oversized packets targeting ICU services
  • Deploy SentinelOne Singularity to detect memory corruption attempts and anomalous process behavior

Monitoring Recommendations

  • Enable verbose logging on systems running the iSTAR Configuration Utility to capture crash details and potential exploitation attempts
  • Configure alerts for repeated application failures or memory-related errors on ICU host systems
  • Monitor network traffic to and from ICU hosts for unusual patterns or connection attempts from unauthorized sources

How to Mitigate CVE-2025-26386

Immediate Actions Required

  • Identify all systems running the iSTAR Configuration Utility and their version numbers
  • Apply vendor patches as soon as they become available from Johnson Controls
  • Restrict network access to ICU hosts to authorized management workstations only
  • Ensure users are trained to recognize and avoid social engineering attempts that could trigger exploitation

Patch Information

Johnson Controls has been notified of this vulnerability. Organizations should monitor the Johnson Controls Security Advisory page for official patch releases and remediation guidance. Additionally, the CISA ICS Advisory ICSA-26-022-04 provides additional context and recommendations for addressing this vulnerability.

Workarounds

  • Isolate systems running the ICU tool on dedicated management network segments with strict access controls
  • Implement application whitelisting to prevent unauthorized programs from executing on ICU host systems
  • Consider temporarily disabling network access to ICU installations until patches are available, using local-only configuration when possible
  • Deploy host-based intrusion prevention systems (HIPS) to detect and block buffer overflow exploitation attempts
bash
# Network isolation example using Windows Firewall
# Restrict ICU host to accept connections only from authorized management IPs
netsh advfirewall firewall add rule name="Restrict ICU Access" dir=in action=allow remoteip=10.0.100.50,10.0.100.51 enable=yes
netsh advfirewall firewall add rule name="Block Other ICU Access" dir=in action=block program="C:\Program Files\Johnson Controls\ICU\icu.exe" enable=yes

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeBuffer Overflow
  • Vendor/TechJohnson Controls
  • SeverityHIGH
  • CVSS Score7.1
  • EPSS Probability0.04%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityLow
  • AvailabilityHigh
  • CWE References
  • CWE-121
  • Technical References
  • CISA ICS Advisory ICSA-26-022-04
  • Johnson Controls Security Advisory
  • Latest CVEs
  • CVE-2026-35467: Browser API Key Information Disclosure
  • CVE-2026-35466: cveInterface.js XSS Vulnerability
  • CVE-2026-30252: ZenShare Suite XSS Vulnerability
  • CVE-2026-30251: ZenShare Suite v17.0 XSS Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English