Cyber Resilience

CVE-2022-21941

Severity: Critical (RCE)

Published: 31 August 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in 6.8.9.CU01
CVSS v3.1 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1974 (95.6th percentile)
Risk Priority: 32 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-21941 is a critical-severity command injection (CWE-77) vulnerability in Johnson Controls iSTAR Ultra firmware. Its CVSS base score is 10.0 (Critical).

Operationally, its EPSS score places it in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-21941 is a command injection vulnerability, tracked under CWE-77, that affects all versions of the iSTAR Ultra access control system prior to 6.8.9.CU01. The flaw carries a CVSS 3.1 base score of 10.0 and permits an unauthenticated attacker to inject operating-system commands with full root privileges on the underlying platform.

An unauthenticated remote attacker can exploit the issue over the network without any user interaction or credentials. Successful exploitation grants complete control of the device, allowing arbitrary command execution that compromises confidentiality, integrity, and availability; the changed-scope rating (S:C) in the CVSS vector reflects that the impact can extend beyond the vulnerable component to other systems the controller interacts with.

Public advisories from CISA (ICSA-22-242-11) and Johnson Controls direct administrators to upgrade iSTAR Ultra to version 6.8.9.CU01 or later; the vendor security page also lists the fixed release and associated hardening guidance.

The EPSS score for this CVE has remained flat at 0.1974 with no material increase after disclosure.

Vulnerability details

All versions of iSTAR Ultra prior to version 6.8.9.CU01 are vulnerable to a command injection that could allow an unauthenticated user root access to the system.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Johnson Controls
Product: iSTAR Ultra firmware
Affected versions: ≤ 6.8.9.CU01 (as listed; the vulnerability details above give 6.8.9.CU01 as the fixed release)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.